| OLD | NEW |
|---|
| 1 # Certificate Blacklist | 1 # Certificate Blacklist |
| 2 | 2 |
| 3 This directory contains a number of certificates and public keys which are | 3 This directory contains a number of certificates and public keys which are |
| 4 considered blacklisted within Chromium-based products. | 4 considered blacklisted within Chromium-based products. |
| 5 | 5 |
| 6 When applicable, additional information and the full certificate or key | 6 When applicable, additional information and the full certificate or key |
| 7 are included. | 7 are included. |
| 8 | 8 |
| 9 ## Compromises & Misissuances | 9 ## Compromises & Misissuances |
| 10 | 10 |
| 11 ### Comodo | 11 ### Comodo |
| 12 | 12 |
| 13 For details, see [https://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html], | 13 For details, see <https://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html>, |
| 14 [https://blog.mozilla.org/security/2011/03/25/comodo-certificate-issue-follow-up
/], | 14 <https://blog.mozilla.org/security/2011/03/25/comodo-certificate-issue-follow-up
/>, |
| 15 and [https://technet.microsoft.com/en-us/library/security/2524375.aspx]. | 15 and <https://technet.microsoft.com/en-us/library/security/2524375.aspx>. |
| 16 | 16 |
| 17 As the result of a compromise of a partner RA of Comodo, nine certificates were | 17 As the result of a compromise of a partner RA of Comodo, nine certificates were |
| 18 misissued, for a variety of online services. | 18 misissued, for a variety of online services. |
| 19 | 19 |
| 20 * [2a3699deca1e9fd099ba45de8489e205977c9f2a5e29d5dd747381eec0744d71.pem] | 20 * <2a3699deca1e9fd099ba45de8489e205977c9f2a5e29d5dd747381eec0744d71.pem> |
| 21 * [4bf6bb839b03b72839329b4ea70bb1b2f0d07e014d9d24aa9cc596114702bee3.pem] | 21 * <4bf6bb839b03b72839329b4ea70bb1b2f0d07e014d9d24aa9cc596114702bee3.pem> |
| 22 * [79f69a47cfd6c4b4ceae8030d04b49f6171d3b5d6c812f58d040e586f1cb3f14.pem] | 22 * <79f69a47cfd6c4b4ceae8030d04b49f6171d3b5d6c812f58d040e586f1cb3f14.pem> |
| 23 * [8290cc3fc1c3aac3239782c141ace8f88aeef4e9576a43d01867cf19d025be66.pem] | 23 * <8290cc3fc1c3aac3239782c141ace8f88aeef4e9576a43d01867cf19d025be66.pem> |
| 24 * [933f7d8cda9f0d7c8bfd3c22bf4653f4161fd38ccdcf66b22e95a2f49c2650f8.pem] | 24 * <933f7d8cda9f0d7c8bfd3c22bf4653f4161fd38ccdcf66b22e95a2f49c2650f8.pem> |
| 25 * [9532e8b504964331c271f3f5f10070131a08bf8ba438978ce394c34feeae246f.pem] | 25 * <9532e8b504964331c271f3f5f10070131a08bf8ba438978ce394c34feeae246f.pem> |
| 26 * [be144b56fb1163c49c9a0e6b5a458df6b29f7e6449985960c178a4744624b7bc.pem] | 26 * <be144b56fb1163c49c9a0e6b5a458df6b29f7e6449985960c178a4744624b7bc.pem> |
| 27 * [ead610e6e90b439f2ecb51628b0932620f6ef340bd843fca38d3181b8f4ba197.pem] | 27 * <ead610e6e90b439f2ecb51628b0932620f6ef340bd843fca38d3181b8f4ba197.pem> |
| 28 * [f8a5ff189fedbfe34e21103389a68340174439ad12974a4e8d4d784d1f3a0faa.pem] | 28 * <f8a5ff189fedbfe34e21103389a68340174439ad12974a4e8d4d784d1f3a0faa.pem> |
| 29 | 29 |
| 30 ### DigiNotar | 30 ### DigiNotar |
| 31 | 31 |
| 32 For details, see [https://googleonlinesecurity.blogspot.com/2011/08/update-on-at
tempted-man-in-middle.html] | 32 For details, see <https://googleonlinesecurity.blogspot.com/2011/08/update-on-at
tempted-man-in-middle.html> |
| 33 and [https://en.wikipedia.org/wiki/DigiNotar]. | 33 and <https://en.wikipedia.org/wiki/DigiNotar>. |
| 34 | 34 |
| 35 As a result of a complete CA compromise, the following certificates (and | 35 As a result of a complete CA compromise, the following certificates (and |
| 36 their associated public keypairs) are revoked. | 36 their associated public keypairs) are revoked. |
| 37 | 37 |
| 38 * [0d136e439f0ab6e97f3a02a540da9f0641aa554e1d66ea51ae2920d51b2f7217.pem] | 38 * <0d136e439f0ab6e97f3a02a540da9f0641aa554e1d66ea51ae2920d51b2f7217.pem> |
| 39 * [294f55ef3bd7244c6ff8a68ab797e9186ec27582751a791515e3292e48372d61.pem] | 39 * <294f55ef3bd7244c6ff8a68ab797e9186ec27582751a791515e3292e48372d61.pem> |
| 40 * [31c8fd37db9b56e708b03d1f01848b068c6da66f36fb5d82c008c6040fa3e133.pem] | 40 * <31c8fd37db9b56e708b03d1f01848b068c6da66f36fb5d82c008c6040fa3e133.pem> |
| 41 * [3946901f46b0071e90d78279e82fababca177231a704be72c5b0e8918566ea66.pem] | 41 * <3946901f46b0071e90d78279e82fababca177231a704be72c5b0e8918566ea66.pem> |
| 42 * [450f1b421bb05c8609854884559c323319619e8b06b001ea2dcbb74a23aa3be2.pem] | 42 * <450f1b421bb05c8609854884559c323319619e8b06b001ea2dcbb74a23aa3be2.pem> |
| 43 * [4fee0163686ecbd65db968e7494f55d84b25486d438e9de558d629d28cd4d176.pem] | 43 * <4fee0163686ecbd65db968e7494f55d84b25486d438e9de558d629d28cd4d176.pem> |
| 44 * [8a1bd21661c60015065212cc98b1abb50dfd14c872a208e66bae890f25c448af.pem] | 44 * <8a1bd21661c60015065212cc98b1abb50dfd14c872a208e66bae890f25c448af.pem> |
| 45 * [9ed8f9b0e8e42a1656b8e1dd18f42ba42dc06fe52686173ba2fc70e756f207dc.pem] | 45 * <9ed8f9b0e8e42a1656b8e1dd18f42ba42dc06fe52686173ba2fc70e756f207dc.pem> |
| 46 * [a686fee577c88ab664d0787ecdfff035f4806f3de418dc9e4d516324fff02083.pem] | 46 * <a686fee577c88ab664d0787ecdfff035f4806f3de418dc9e4d516324fff02083.pem> |
| 47 * [b8686723e415534bc0dbd16326f9486f85b0b0799bf6639334e61daae67f36cd.pem] | 47 * <b8686723e415534bc0dbd16326f9486f85b0b0799bf6639334e61daae67f36cd.pem> |
| 48 * [fdedb5bdfcb67411513a61aee5cb5b5d7c52af06028efc996cc1b05b1d6cea2b.pem] | 48 * <fdedb5bdfcb67411513a61aee5cb5b5d7c52af06028efc996cc1b05b1d6cea2b.pem> |
| 49 | 49 |
| 50 ### India CCA | 50 ### India CCA |
| 51 | 51 |
| 52 For details, see [https://googleonlinesecurity.blogspot.com/2014/07/maintaining-
digital-certificate-security.html] | 52 For details, see <https://googleonlinesecurity.blogspot.com/2014/07/maintaining-
digital-certificate-security.html> |
| 53 and [https://technet.microsoft.com/en-us/library/security/2982792.aspx] | 53 and <https://technet.microsoft.com/en-us/library/security/2982792.aspx> |
| 54 | 54 |
| 55 An unknown number of misissued certificates were issued by a sub-CA of | 55 An unknown number of misissued certificates were issued by a sub-CA of |
| 56 India CCA, the India NIC. Due to the scope of the misissuance, the sub-CA | 56 India CCA, the India NIC. Due to the scope of the misissuance, the sub-CA |
| 57 was wholly revoked, and India CCA was constrained to a subset of India's | 57 was wholly revoked, and India CCA was constrained to a subset of India's |
| 58 ccTLD namespace. | 58 ccTLD namespace. |
| 59 | 59 |
| 60 * [67ed4b703d15dc555f8c444b3a05a32579cb7599bd19c9babe10c584ea327ae0.pem] | 60 * <67ed4b703d15dc555f8c444b3a05a32579cb7599bd19c9babe10c584ea327ae0.pem> |
| 61 * [a8e1dfd9cd8e470aa2f443914f931cfd61c323e94d75827affee985241c35ce5.pem] | 61 * <a8e1dfd9cd8e470aa2f443914f931cfd61c323e94d75827affee985241c35ce5.pem> |
| 62 * [e4f9a3235df7330255f36412bc849fb630f8519961ec3538301deb896c953da5.pem] | 62 * <e4f9a3235df7330255f36412bc849fb630f8519961ec3538301deb896c953da5.pem> |
| 63 | 63 |
| 64 ### Trustwave | 64 ### Trustwave |
| 65 | 65 |
| 66 For details, see [https://www.trustwave.com/Resources/SpiderLabs-Blog/Clarifying
-The-Trustwave-CA-Policy-Update/] | 66 For details, see <https://www.trustwave.com/Resources/SpiderLabs-Blog/Clarifying
-The-Trustwave-CA-Policy-Update/> |
| 67 and [https://bugzilla.mozilla.org/show_bug.cgi?id=724929] | 67 and <https://bugzilla.mozilla.org/show_bug.cgi?id=724929> |
| 68 | 68 |
| 69 Two certificates were issued by Trustwave for use in enterprise | 69 Two certificates were issued by Trustwave for use in enterprise |
| 70 Man-in-the-Middle. The following public key was used for both certificates, | 70 Man-in-the-Middle. The following public key was used for both certificates, |
| 71 and is revoked. | 71 and is revoked. |
| 72 | 72 |
| 73 * [32ecc96f912f96d889e73088cd031c7ded2c651c805016157a23b6f32f798a3b.key] | 73 * <32ecc96f912f96d889e73088cd031c7ded2c651c805016157a23b6f32f798a3b.key> |
| 74 | 74 |
| 75 ### TurkTrust | 75 ### TurkTrust |
| 76 | 76 |
| 77 For details, see [https://googleonlinesecurity.blogspot.com/2013/01/enhancing-di
gital-certificate-security.html] | 77 For details, see <https://googleonlinesecurity.blogspot.com/2013/01/enhancing-di
gital-certificate-security.html> |
| 78 and [https://web.archive.org/web/20130326152502/http://turktrust.com.tr/kamuoyu-
aciklamasi.2.html] | 78 and <https://web.archive.org/web/20130326152502/http://turktrust.com.tr/kamuoyu-
aciklamasi.2.html> |
| 79 | 79 |
| 80 As a result of a software configuration issue, two certificates were misissued | 80 As a result of a software configuration issue, two certificates were misissued |
| 81 by Turktrust that failed to properly set the basicConstraints extension. | 81 by Turktrust that failed to properly set the basicConstraints extension. |
| 82 Because these certificates can be used to issue additional certificates, they | 82 Because these certificates can be used to issue additional certificates, they |
| 83 have been revoked. | 83 have been revoked. |
| 84 | 84 |
| 85 * [372447c43185c38edd2ce0e9c853f9ac1576ddd1704c2f54d96076c089cb4227.pem] | 85 * <372447c43185c38edd2ce0e9c853f9ac1576ddd1704c2f54d96076c089cb4227.pem> |
| 86 * [42187727be39faf667aeb92bf0cc4e268f6e2ead2cefbec575bdc90430024f69.pem] | 86 * <42187727be39faf667aeb92bf0cc4e268f6e2ead2cefbec575bdc90430024f69.pem> |
| 87 | 87 |
| 88 ## Private Key Leakages | 88 ## Private Key Leakages |
| 89 | 89 |
| 90 ### Cyberoam | 90 ### Cyberoam |
| 91 | 91 |
| 92 For details, see [https://blog.torproject.org/blog/security-vulnerability-found-
cyberoam-dpi-devices-cve-2012-3372] | 92 For details, see <https://blog.torproject.org/blog/security-vulnerability-found-
cyberoam-dpi-devices-cve-2012-3372> |
| 93 | 93 |
| 94 Device manufacturer Cyberoam used the same private key for all devices by | 94 Device manufacturer Cyberoam used the same private key for all devices by |
| 95 default, which subsequently leaked and is included below. The associated | 95 default, which subsequently leaked and is included below. The associated |
| 96 public key is blacklisted. | 96 public key is blacklisted. |
| 97 | 97 |
| 98 * [1af56c98ff043ef92bebff54cebb4dd67a25ba956c817f3e6dd3c1e52eb584c1.key] | 98 * <1af56c98ff043ef92bebff54cebb4dd67a25ba956c817f3e6dd3c1e52eb584c1.key> |
| 99 | 99 |
| 100 ### Dell | 100 ### Dell |
| 101 | 101 |
| 102 For details, see [http://www.dell.com/support/article/us/en/19/SLN300321] | 102 For details, see <http://www.dell.com/support/article/us/en/19/SLN300321> |
| 103 and [http://en.community.dell.com/dell-blogs/direct2dell/b/direct2dell/archive/2
015/11/23/response-to-concerns-regarding-edellroot-certificate] | 103 and <http://en.community.dell.com/dell-blogs/direct2dell/b/direct2dell/archive/2
015/11/23/response-to-concerns-regarding-edellroot-certificate> |
| 104 | 104 |
| 105 The private keys for both the eDellRoot and DSDTestProvider certificates were | 105 The private keys for both the eDellRoot and DSDTestProvider certificates were |
| 106 trivially extracted, and thus their associated public keys are | 106 trivially extracted, and thus their associated public keys are |
| 107 blacklisted. | 107 blacklisted. |
| 108 | 108 |
| 109 * [0f912fd7be760be25afbc56bdc09cd9e5dcc9c6f6a55a778aefcb6aa30e31554.pem] | 109 * <0f912fd7be760be25afbc56bdc09cd9e5dcc9c6f6a55a778aefcb6aa30e31554.pem> |
| 110 * [ec30c9c3065a06bb07dc5b1c6b497f370c1ca65c0f30c08e042ba6bcecc78f2c.pem] | 110 * <ec30c9c3065a06bb07dc5b1c6b497f370c1ca65c0f30c08e042ba6bcecc78f2c.pem> |
| 111 | 111 |
| 112 ### sslip.io | 112 ### sslip.io |
| 113 | 113 |
| 114 For details, see [https://blog.pivotal.io/labs/labs/sslip-io-a-valid-ssl-certifi
cate-for-every-ip-address] | 114 For details, see <https://blog.pivotal.io/labs/labs/sslip-io-a-valid-ssl-certifi
cate-for-every-ip-address> |
| 115 | 115 |
| 116 A subscriber of Comodo's acquired a wildcard certificate for sslip.io, and | 116 A subscriber of Comodo's acquired a wildcard certificate for sslip.io, and |
| 117 then subsequently published the private key, as a means for developers | 117 then subsequently published the private key, as a means for developers |
| 118 to avoid having to acquire certificates. | 118 to avoid having to acquire certificates. |
| 119 | 119 |
| 120 As the private key could be used to intercept all communications to this | 120 As the private key could be used to intercept all communications to this |
| 121 domain, the associated public key was blacklisted. | 121 domain, the associated public key was blacklisted. |
| 122 | 122 |
| 123 * [f3bae5e9c0adbfbfb6dbf7e04e74be6ead3ca98a5604ffe591cea86c241848ec.pem] | 123 * <f3bae5e9c0adbfbfb6dbf7e04e74be6ead3ca98a5604ffe591cea86c241848ec.pem> |
| 124 | 124 |
| 125 ### xs4all.nl | 125 ### xs4all.nl |
| 126 | 126 |
| 127 For details, see [https://raymii.org/s/blog/How_I_got_a_valid_SSL_certificate_fo
r_my_ISPs_main_website.html] | 127 For details, see <https://raymii.org/s/blog/How_I_got_a_valid_SSL_certificate_fo
r_my_ISPs_main_website.html> |
| 128 | 128 |
| 129 A user of xs4all was able to register a reserved email address that can be | 129 A user of xs4all was able to register a reserved email address that can be |
| 130 used to cause certificate issuance, as described in the CA/Browser Forum's | 130 used to cause certificate issuance, as described in the CA/Browser Forum's |
| 131 Baseline Requirements, and then subsequently published the private key. | 131 Baseline Requirements, and then subsequently published the private key. |
| 132 | 132 |
| 133 * [83618f932d6947744d5ecca299d4b2820c01483947bd16be814e683f7436be24.pem] | 133 * <83618f932d6947744d5ecca299d4b2820c01483947bd16be814e683f7436be24.pem> |
| 134 | 134 |
| 135 ## Miscellaneous | 135 ## Miscellaneous |
| 136 | 136 |
| 137 ### DigiCert |
| 138 |
| 139 For details, see <https://bugzilla.mozilla.org/show_bug.cgi?id=1242758> and |
| 140 <https://bugzilla.mozilla.org/show_bug.cgi?id=1224104> |
| 141 |
| 142 These two intermediates were retired by DigiCert, and blacklisted for |
| 143 robustness at their request. |
| 144 |
| 145 * <159ca03a88897c8f13817a212629df84ce824709492b8c9adb8e5437d2fc72be.pem> |
| 146 * <b8c1b957c077ea76e00b0f45bff5ae3acb696f221d2e062164fe37125e5a8d25.pem> |
| 147 |
| 137 ### Hacking Team | 148 ### Hacking Team |
| 138 | 149 |
| 139 The following keys were reported as used by Hacking Team to compromise users, | 150 The following keys were reported as used by Hacking Team to compromise users, |
| 140 and are blacklisted for robustness. | 151 and are blacklisted for robustness. |
| 141 | 152 |
| 142 * [c4387d45364a313fbfe79812b35b815d42852ab03b06f11589638021c8f2cb44.key] | 153 * <c4387d45364a313fbfe79812b35b815d42852ab03b06f11589638021c8f2cb44.key> |
| 143 * [ea08c8d45d52ca593de524f0513ca6418da9859f7b08ef13ff9dd7bf612d6a37.key] | 154 * <ea08c8d45d52ca593de524f0513ca6418da9859f7b08ef13ff9dd7bf612d6a37.key> |
| 144 | 155 |
| 145 ### live.fi | 156 ### live.fi |
| 146 | 157 |
| 147 For details, see [https://technet.microsoft.com/en-us/library/security/3046310.a
spx] | 158 For details, see <https://technet.microsoft.com/en-us/library/security/3046310.a
spx> |
| 148 | 159 |
| 149 A user of live.fi was able to register a reserved email address that can be | 160 A user of live.fi was able to register a reserved email address that can be |
| 150 used to cause certificate issuance, as described in the CA/Browser Forum's | 161 used to cause certificate issuance, as described in the CA/Browser Forum's |
| 151 Baseline Requirements. This was not intended by Microsoft, the operators of | 162 Baseline Requirements. This was not intended by Microsoft, the operators of |
| 152 live.fi, but conformed to the Baseline Requirements. It was blacklisted for | 163 live.fi, but conformed to the Baseline Requirements. It was blacklisted for |
| 153 robustness. | 164 robustness. |
| 154 | 165 |
| 155 * [c67d722c1495be02cbf9ef1159f5ca4aa782dc832dc6aa60c9aa076a0ad1e69d.pem] | 166 * <c67d722c1495be02cbf9ef1159f5ca4aa782dc832dc6aa60c9aa076a0ad1e69d.pem> |
| 156 | 167 |
| 157 ### SECOM | 168 ### SECOM |
| 158 | 169 |
| 159 For details, see [https://bugzilla.mozilla.org/show_bug.cgi?id=1188582] | 170 For details, see <https://bugzilla.mozilla.org/show_bug.cgi?id=1188582> |
| 160 | 171 |
| 161 This intermediate certificate was retired by SECOM, and blacklisted for | 172 This intermediate certificate was retired by SECOM, and blacklisted for |
| 162 robustness at their request. | 173 robustness at their request. |
| 163 | 174 |
| 164 * [817d4e05063d5942869c47d8504dc56a5208f7569c3d6d67f3457cfe921b3e29.pem] | 175 * <817d4e05063d5942869c47d8504dc56a5208f7569c3d6d67f3457cfe921b3e29.pem> |
| 165 | 176 |
| 166 ### Symantec | 177 ### Symantec |
| 167 | 178 |
| 168 For details, see [https://bugzilla.mozilla.org/show_bug.cgi?id=966060] | 179 For details, see <https://bugzilla.mozilla.org/show_bug.cgi?id=966060> |
| 169 | 180 |
| 170 These three intermediate certificates were retired by Symantec, and | 181 These three intermediate certificates were retired by Symantec, and |
| 171 blacklisted for robustness at their request. | 182 blacklisted for robustness at their request. |
| 172 | 183 |
| 173 * [1f17f2cbb109f01c885c94d9e74a48625ae9659665d6d7e7bc5a10332976370f.pem] | 184 * <1f17f2cbb109f01c885c94d9e74a48625ae9659665d6d7e7bc5a10332976370f.pem> |
| 174 * [3e26492e20b52de79e15766e6cb4251a1d566b0dbfb225aa7d08dda1dcebbf0a.pem] | 185 * <3e26492e20b52de79e15766e6cb4251a1d566b0dbfb225aa7d08dda1dcebbf0a.pem> |
| 175 * [7abd72a323c9d179c722564f4e27a51dd4afd24006b38a40ce918b94960bcf18.pem] | 186 * <7abd72a323c9d179c722564f4e27a51dd4afd24006b38a40ce918b94960bcf18.pem> |
| 176 | 187 |
| 177 ### T-Systems | 188 ### T-Systems |
| 178 | 189 |
| 179 For details, see [https://bugzilla.mozilla.org/show_bug.cgi?id=1076940] | 190 For details, see <https://bugzilla.mozilla.org/show_bug.cgi?id=1076940> |
| 180 | 191 |
| 181 This intermediate certificate was retired by T-Systems, and blacklisted | 192 This intermediate certificate was retired by T-Systems, and blacklisted |
| 182 for robustness at their request. | 193 for robustness at their request. |
| 183 | 194 |
| 184 * [f4a5984324de98bd979ef181a100cf940f2166173319a86a0d9d7c8fac3b0a8f.pem] | 195 * <f4a5984324de98bd979ef181a100cf940f2166173319a86a0d9d7c8fac3b0a8f.pem> |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1639613002:
Block two retired DigiCert intermediates (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master