28 Jan 2021
Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Received monthly by more than 50,000 subscribers. Written by Hanno Böck.
A large number of recent incidents tied to the Camerfirma certificate authority led to a lengthy discussion on Mozilla’s security policy mailing list. Camerfirma is a certificate authority from Spain. The mailing list discussion was initiated by Mozilla’s Ben Wilson, who started collecting information about rule violations and incidents by Camerfirma on a wiki page.
Examples include issuing certificates for invalid domains, missing audits, and undisclosed sub-CAs. Several of the incidents involved sub-CAs that use intermediates signed by Camerfirma’s root certificates. What particularly worried many in the community was that, in several cases, Camerfirma repeated mistakes that should have been prevented after previous similar incidents. Particularly noteworthy issues include the 2020 issuance of a certificate for a subdomain of com.com without validating that domain, and an intermediate certificate that was mistakenly revoked and subsequently unrevoked.
In reply to the incident collection, Google’s Ryan Sleevi wrote: “This is clearly a portrait of a CA that, like those that came before, paint a pattern of a CA that consistently and regularly fails to meet program requirements, in a way that clearly demonstrates these are systemic and architectural issues.”
Camerfirma has responded to these issues with a remediation plan, but in the discussion it became clear that many community members thought the plan was not sufficient to remedy the situation.
Mozilla has not yet decided whether these incidents will lead to a distrust of Camerfirma. However, it seems Google has. In a later message in the thread, Ryan Sleevi announced that starting with version 90, the Google Chrome browser will no longer trust certificates issued by Camerfirma.