141

I stumbled across a huge security vulnerability in a Certificate Authority that is trusted by all modern browsers and computers.

Specifically, I am able to get a valid signed certificate for a domain I don't own. If I had the means to become a Man In The Middle, I would be able to present a perfectly valid ssl certificate.

This vulnerability required no SQL injections or coding on my part. I quite figuratively stumbled across it.

What is the proper way to report this? I want to be ethical and report it to the offending CA, but I also don't want them to simply fix the vulnerability and then sweep everything under the rug. This problem seems to have been there a while, and I'm simply not smart enough to be the only one capable of finding it.

I'm concerned that solely contacting the CA will result in a panic on their part, and they, fearing a DigiNotar-like incident, will do anything to keep the public from finding out.

Am I allowed to also contact some major players, such as other certificate authorities or other sites such as CloudFlare or Google? (I know CloudFlare was given a heads-up about HeartBleed before the public announcement went out.)

Note: I'm posting under a psuedonym account to (try to) remain anonymous for now.

Edit: This question is related to another question, but I feel this vulnerability falls outside the scope of that question. This could affect essentially the entire internet (ie everyone online is a customer), and my question explicitly states that simply contacting the 'developer' (the accepted answer for the linked question) doesn't seem like the best first step to me.

Edit 2: I've gotten in contact with some people, and they've advised me to avoid talking further on this forum (sorry guys!). I'll update this question later, after the vulnerability has been fully fixed and any incorrect certificates revoked.

Edit 3: The details are out. I've posted more information on my personal site about the specifics of the vulnerability. The story is still ongoing, and you can read the discussion between Mozilla, Google, and the CA WoSign.

Edit 4: As promised, I'm updating with a link to an article written by Ars Technica regarding this and other incidents involving WoSign. Looks like WoSign and StartCom (now owned by the same company) may be in serious danger of root revocation.

MotorStoicLathe
  • 1,031
  • 2
  • 8
  • 8
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/24859/discussion-on-question-by-motorstoiclathe-how-do-i-report-a-security-vulnerabili). – Rory Alsop Jun 16 '15 at 06:42
  • 4
    Hi, did anything ever come of this? If there's a URL of an advisory or something, that would be interesting! – paj28 Jan 11 '16 at 12:09
  • 1
    Was this you? http://oalmanna.blogspot.co.uk/2016/03/startssl-domain-validation.html – paj28 Mar 23 '16 at 14:23
  • 5
    @paj28 No, that wasn't me. But I finally got around to contacting Ars Technica to see if they want to do anything with my info. I'll update this question with more details later with more details. Either with a link to the story, or (if no one cares to write a story (>1 year old news now)) with specifics about the now-fixed vulnerability. – MotorStoicLathe Aug 02 '16 at 20:34
  • 13
    To anyone wondering what happened: https://www.schrauger.com/the-story-of-how-wosign-gave-me-an-ssl-certificate-for-github-com – Jon Aug 31 '16 at 23:13
  • 10
    Woah. Looks like _two_ CAs are now going to be distrusted by Firefox, partly as a result of this. https://docs.google.com/document/d/1C6BlmbeQfn4a9zydVi2UvjBGv6szuSB4sMYUcVrR8vQ/preview – Ajedi32 Sep 27 '16 at 14:25

8 Answers8

69

It sounds like your issue is that this vulnerability is bigger than you know what to do with.

The rules of responsible disclosure, as decribed here, say that you should contact the vendor and negotiate a period of time - between 1 week and 6 months, depending on the depth of the changes required - in which they can implement a patch, revoke and re-issue certificates, publish security bulletins, etc, before you go public with your findings. The intention is that at the end of the negotiated period you get your public recognition, but your going public can't do any more harm - if the vendor has done their job properly.

If figuring out how to contact them / negotiate a Responsible Disclosure period, go public with your results at the end, etc, is too big for you, or you don't know how to get started, then I suggest contacting and partnering with a well-known security researcher who already has established publication channels. Find a big name who has already published similar vulnerabilities and call them up! It sounds like you won't have any problem getting their attention.

Also congratulations! I look forward to seeing your name on a paper in 6 months!

Mike Ounsworth
  • 58,107
  • 21
  • 154
  • 209
  • at @paj28's suggestion, I generalized to researchers beyond universities – Mike Ounsworth Jun 10 '15 at 15:12
  • 13
    If you need help working out a disclosure agreement, or just the logistics of contacting the vendor, then I suggest working with a responsible third party like the Electronic Frontier Foundation or SANS Institute. – Rache Jun 10 '15 at 18:16
  • 2
    There is another school of disclosure: Full disclosure. I don't necessarely agree with them but it's good to know people don't all agree responsible disclosure is responsible. – David 天宇 Wong Jun 12 '15 at 19:17
45

Such a claim is generally quite serious.

While reaching out to the vendor in question is a responsible matter, you should certainly consider notifying the relevant root store security teams, since they are responsible for designing, evaluating, and applying the security controls to prevent this, and will likely need to directly work with the CA to ascertain the issues.

In terms of responsible disclosure you should also immediately report this to each of the major root store operators: Google, Microsoft, Apple, Mozilla. Just search for "<vendor> report security bug", and the first result will tell you. These are just some of the vendors affected - e.g. not just the CA.

If you are unsure about how to do this, wish to remain anonymous, or need assistance coordinating, the Chromium security team is happy to investigate, contact the appropriate CA, and coordinate with the broader industry. See https://www.chromium.org/Home/chromium-security/reporting-security-bugs for details.

PeeHaa
  • 599
  • 1
  • 4
  • 15
Ryan Sleevi
  • 466
  • 4
  • 2
  • 5
    I changed my accepted answer to this one. After everything that's happened, this is the advice I should have originally gone with. If it involves Certificate Authorities, the root store operators should be contacted along with the CA in question. – MotorStoicLathe Sep 27 '16 at 19:21
25

Congratulations! Sounds like a major find.

First, generate some proof. The github.com SSL certificate sounds like a great start. Make sure you keep all the network traces you need to show exactly what happened.

You need to determine if you broke any laws or T&Cs while doing this. If the CA does not have a bug bounty, you almost certainly did. In that case, it is important for you to stay anonymous. One concern here is that you may have already revealed your identity during the testing. For example, you probably had to pay for that certificate; how did you make the payment? If you've already broken the law in a non-anonymous way, this pretty much rules out any strong arm tactics against the CA.

While it's commendable that you want to reach out to the CA, bear in mind that you do have a possibility of selling this vulnerability. This would potentially be worth $100,000 from an organisation like vupen. Up to you how you feel about that.

If you do want to disclose, you could do it yourself, but I agree with Mike's recommendation to reach out to an established researcher. I think you could aim a little higher than a university researcher. A celebrity like Bruce Schnier or Dan Kaminsky would be interested in this. You would have to trust them with the details, and use their weight to have the issue taken seriously.

Regarding CloudFlare getting an early view of HeartBleed, this is standard practice for major vulnerabilities - that key providers get an early warning. But that comes much later in the process. In the case of HeartBleed, after patches had been developed (but not publicly released). I'm not sure how that would apply to this vulnerability. It seems that every certificate issued by the CA is now suspect.

Whatever you choose to do, good luck!

paj28
  • 32,906
  • 8
  • 93
  • 130
  • 14
    lol - "it's thought that many of the purchasers are law enforcement and "friendly" intelligence, which most people find a little more palatable" -- not to people who live in the other 195 countries! – Mike Ounsworth Jun 10 '15 at 15:04
  • @MikeOunsworth - I'd tried to put enough caveats in that sentence, but clearly not. Edited to remove. Although I have a feeling the people who upvoted your comment would forget their principles if they actually had a good enough exploit to sell. – paj28 Jun 10 '15 at 15:54
  • 1
    @paj28 If they value privacy and freedom like i do, i would never sell any exploit to any law enforcement or intelligence agencies, no money can buy freedom :) – Freedo Jun 10 '15 at 18:23
  • @Freedom - good on you. The trouble is of course is that you being principled doesn't stop them buying exploits elsewhere, or doing their own research. – paj28 Jun 10 '15 at 19:54
  • 2
    ". I'm not sure how that would apply to this vulnerability. " - probably the equivalent would be to release it to browser vendors, OS vendors, etc, so that they can issue a routine update quietly removing the offending root certificate (after customer certificates have been updated to a new one that is not compromised) May not be necessary if a CA has a paper trail that can find if any certificates (other than OPs) were in fact fraudulently issued. – Random832 Jun 10 '15 at 20:08
  • 2
    @paj28 this is why the citizens that should stand for to make this market illegal, why should be legal to sell exploits to the government and if you sell to criminals you are a criminal ? I don't see the difference and this problem will be very hard to solve using technology only – Freedo Jun 10 '15 at 20:25
  • @Freedom - This sounds like it would deserve a question in its own right. As I understand it, in most countries it is generally legal to sell exploits to criminals, and law enforcement use of exploits is generally illegal. Maybe this should be changed, but there would be all sorts of repercussions, e.g. would metasploit now be illegal? To be honest, I don't care, the obvious solution is to exercise good opsec and push for software to be more secure. – paj28 Jun 11 '15 at 07:37
  • Your link is not working for me. – kasperd Jun 11 '15 at 20:26
  • 2
    1. Please don't sell this vulnerability. 2. If you do need to issue a cert as a proof of concept, do it securely, as described here: https://www.agwa.name/blog/post/how_to_responsibly_misissue_a_cert – AGWA Jun 12 '15 at 21:08
  • @AGWA - Your blog post looks good; I'd add that you should generate the private key on a clean machine just in case of malware. Regarding selling the vulnerability, you've only included a request. People are more likely to respond to a reasoned argument. – paj28 Jun 14 '15 at 19:32
  • @paj28 : An alternative is too prove it was sold while keeping both parties of the transaction unknown. this would result in ending the current certificate authority based system. – user2284570 Jul 04 '15 at 20:38
18

When unsure, you can also contact CERT: https://forms.cert.org/VulReport/

They have experience in dealing with even very serious security vulnerabilities, and are generally considered a trusted party. At least they can confirm that your assessment of the vulnerability is correct, and document your part in finding it.

While CERT generally advises you to contact the vendor yourself, for a big case like this I'm sure they would offer assistance.

jpa
  • 950
  • 6
  • 11
4

Ryan Sleevi has very good advice regarding this.

Before sounding off too many alarms, I would contact the Chromium Security Team as he has advised, just to make sure that you are not misunderstanding anything.

Have you checked your vulnerability against the CAB Forum Baseline Requirements to see if the execution of your vulnerability breaks those rules: https://cabforum.org/baseline-requirements-documents/?

For instance, I know of a issuance practice that seems to match up with your summary, but AFAIK is totally valid and not a vulnerability in the eyes of the CAB Forum. A certificate can be generated for a subdomain without having control over the root. I.e. you can get a certificate for test.google.com without having to demonstrate control over google.com.

Vincent L
  • 108
  • 5
1

Operating system and browser vendors might be a good place to report such a vulnerability to since they manage the root CA lists. Here are a few relevant links:

  • www.google.com/about/appsecurity/
  • www.mozilla.org/en-US/about/governance/policies/security-group/bugs/
  • www.apple.com/support/security/
  • technet.microsoft.com/en-us/security/ff852094.aspx
Gary Belvin
  • 61
  • 1
  • 3
1

I would recommend that you obtain documentation and demonstration of the vulnerability as you are aware of it. Ideally if you can have this verified entirely by a third party, who has been read in to the situation.

To avoid issues of integrity or vendor repudiation of the advice on the vulnerability against you, additional proof by demonstration/execution is necessary. Since we are taking a cert related, capturing a certificate chain demonstrating a the fault would be ideal. Of course any session captures that show the vuln in action is useful.

Without full disclosure I'm just guessing what proof you need anyways. Take the proof of exploit documentation and seed into publicly visible locations like GitHub, Pastebin, email lists. This locks in the inability to repudiate if your evidence is strong.

The remaining issue is identity and communication with the vendor and public. I won't bother disusing revelation of your personal identity, it is up to you. Communications, if you want to be hands on, and prepared to screw up or not act with experience in the case say the whole thing blows up or goes sideways, you can do the contact.

Alternatively seek representation, from either the community, EFF or at the very least your attorney. Someone to protect your interests is advisable and think carefully before accepting industry help from a businesses in its commercial capacity. I am sure the community here can recommend some choices on representation if you solicit such advice.

An entire book could be written on this set of topics, I've tried to keep it short and out of TLDR; territory.

Also on a side note, thank you for the time you have spent uncovering this potential vulnerability. It is badly needed.

jCisco
  • 121
  • 4
-2

You can also report it to "questions@cabforum.org" but realize that if the CA in question is a CA/B Forum member, they will also see it. However, so will all the other CA and Browser members. Another option is to report it to the CA Security Council, an organization of the 8 largest public SSL issuers in the world. This is an industry group that has an interest in upholding high standards for its members as well as promoting best practices among all CAs. The form is here: https://casecurity.org/contact-us/