Bulletproof TLS Newsletter #73
Google Chrome distrusts Camerfirma
28 Jan 2021
Author: Hanno Böck

This issue was distributed to 56,383 email subscribers.

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space.

In this issue:

  1. Google Chrome distrusts Camerfirma
  2. Short news

Google Chrome distrusts Camerfirma

A large number of recent incidents tied to Camerfirma, a certificate authority from Spain, led to a lengthy discussion on Mozilla’s security policy mailing list. The discussion was initiated by Mozilla’s Ben Wilson, who started collecting information about Camerfirma’s rule violations and incidents on a wiki page.

Examples include issuing certificates for invalid domains, missing audits, and undisclosed sub-CAs. Several of the incidents involved sub-CAs operating intermediates signed by Camerfirma’s root certificates. What particularly worried many in the community was that Camerfirma repeated mistakes that should have been prevented after previous similar incidents. Particularly noteworthy issues include a certificate for a subdomain of com.com, issued in 2020 without validating that domain, and an intermediate certificate that was mistakenly revoked and subsequently unrevoked (revocation is meant to be permanent; a revoked certificate must not be returned to service).

In reply to the incident collection, Google’s Ryan Sleevi wrote: “This is clearly a portrait of a CA that, like those that came before, paint a pattern of a CA that consistently and regularly fails to meet program requirements, in a way that clearly demonstrates these are systemic and architectural issues.”

Camerfirma has responded to these issues with a remediation plan, but in the discussion it became clear that many community members did not consider the plan sufficient to remedy the situation.

Mozilla has not yet decided whether these incidents will lead to a distrust of Camerfirma. Google, however, has: in a later message in the thread, Ryan Sleevi announced that starting with version 90, Google Chrome will no longer trust TLS server certificates chaining to Camerfirma’s root certificates.

Short news