Wow, one of the Certificate Transparency logs (CT2, operated by Digicert) had its signing key compromised via this Salt RCE: https://groups.google.com/a/chromium.org/forum/#!topic/ct-policy/aKNbZuJzwfM https://twitter.com/USCERT_gov/status/1256361153783115779
Replying to @arkadiyt @0xdabbad00
So does this mean digicert runs saltstack infra on the public internet?
2 replies 0 retweets 6 likes
And doesn't use an HSM.
3 replies 0 retweets 4 likes
There's no requirement for CT logs to use HSMs, and I don't think any do. CT is verifiable, so any misuse of the key can, at least in theory, be detected and lead to the removal of the log from the ecosystem.
5:25 PM - 3 May 2020
0 replies
0 retweets
4 likes
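The "CT is verifiable" point in the last reply rests on the consistency check that auditors run between signed tree heads (STHs). The block below is an added example, not code from the thread or from any CT log operator: it implements RFC 6962 Merkle tree hashing and consistency proofs over constructed log entries, then shows that an STH signed over a rewritten history is rejected against a root an auditor already witnessed, even though the signature on it would be valid.

```python
import hashlib
# Added example (not from the thread): RFC 6962 tree hashing and the STH consistency
# check a CT auditor runs; all log entries here are constructed stand-ins.
def _h(data):
    return hashlib.sha256(data).digest()

def mth(leaves):
    # Merkle Tree Hash: leaf = H(0x00 || d), node = H(0x01 || left || right)
    if len(leaves) == 1:
        return _h(b"\x00" + leaves[0])
    k = 1 << ((len(leaves) - 1).bit_length() - 1)  # largest power of two < n
    return _h(b"\x01" + mth(leaves[:k]) + mth(leaves[k:]))

def consistency_proof(m, leaves):
    # PROOF(m, D[n]) from RFC 6962 section 2.1.2: shows D[0:m] is a prefix of D
    def sub(m, d, b):
        if m == len(d):
            return [] if b else [mth(d)]
        k = 1 << ((len(d) - 1).bit_length() - 1)
        if m <= k:
            return sub(m, d[:k], b) + [mth(d[k:])]
        return sub(m - k, d[k:], False) + [mth(d[:k])]
    return sub(m, leaves, True)

def verify_consistency(first, second, first_hash, second_hash, proof):
    # Auditor side: rebuild both roots from the proof alone (mirror of sub()),
    # then compare them with the two signed tree heads; no log entries needed.
    def rebuild(m, n, path, known):
        if m == n:
            h = known if known is not None else path.pop()
            return h, h
        k = 1 << ((n - 1).bit_length() - 1)
        if m <= k:
            right = path.pop()
            fr, sr = rebuild(m, k, path, known)
            return fr, _h(b"\x01" + sr + right)
        left = path.pop()
        fr, sr = rebuild(m - k, n - k, path, None)
        return _h(b"\x01" + left + fr), _h(b"\x01" + left + sr)
    path = list(proof)
    try:
        fr, sr = rebuild(first, second, path, first_hash)
    except (IndexError, ValueError):  # proof too short, or invalid tree sizes
        return False
    return 0 < first <= second and not path and fr == first_hash and sr == second_hash

def audit_demo():
    # Returns (honest later STH accepted, STH over a rewritten history rejected)
    log = [b"cert-%d" % i for i in range(5)]
    rogue = log[:1] + [b"rogue-cert"] + log[2:]  # entry 1 silently replaced
    witnessed = mth(log[:3])  # root the auditor already saw signed at size 3
    return tuple(verify_consistency(3, 5, witnessed, mth(d), consistency_proof(3, d))
                 for d in (log, rogue))
```

The rogue tree fails even with a proof generated from the attacker's own history, because no proof can link the witnessed size-3 root to a tree whose first three entries differ; a stolen key changes who can sign, not what the hashes commit to.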