Yesterday I was pointed to a directory on a website that appeared to contain certificates and private keys for the Safe Deposit Bank of Norway.pic.twitter.com/6wixbRHA6c
This is the legacy version of twitter.com. We will be shutting it down on June 1, 2020. Please switch to a supported browser, or disable the extension which masks your browser. You can see a list of supported browsers in our Help Center.
Vulnerability Analyst at the CERT/CC. My thoughts are my own, not my employer's.
You can add location information to your Tweets, such as your city or precise location, from the web and via third-party applications. You always have the option to delete your Tweet location history. Learn more
Add this Tweet to your website by copying the code below. Learn more
Add this video to your website by copying the code below. Learn more
By embedding Twitter content in your website or app, you are agreeing to the Twitter Developer Agreement and Developer Policy.
| Country | Code | For customers of |
|---|---|---|
| United States | 40404 | (any) |
| Canada | 21212 | (any) |
| United Kingdom | 86444 | Vodafone, Orange, 3, O2 |
| Brazil | 40404 | Nextel, TIM |
| Haiti | 40404 | Digicel, Voila |
| Ireland | 51210 | Vodafone, O2 |
| India | 53000 | Bharti Airtel, Videocon, Reliance |
| Indonesia | 89887 | AXIS, 3, Telkomsel, Indosat, XL Axiata |
| Italy | 4880804 | Wind |
| 3424486444 | Vodafone | |
| » See SMS short codes for other countries | ||
This timeline is where you’ll spend most of your time, getting instant updates about what matters to you.
Hover over the profile pic and click the Following button to unfollow any account.
When you see a Tweet you love, tap the heart — it lets the person who wrote it know you shared the love.
The fastest way to share someone else’s Tweet with your followers is with a Retweet. Tap the icon to send it instantly.
Add your thoughts about any Tweet with a Reply. Find a topic you’re passionate about, and jump right in.
Get instant insight into what people are talking about now.
Follow more accounts to get instant updates about topics you care about.
See the latest conversations about any topic instantly.
Catch up instantly on the best stories happening as they unfold.
Yesterday I was pointed to a directory on a website that appeared to contain certificates and private keys for the Safe Deposit Bank of Norway.pic.twitter.com/6wixbRHA6c
The folder did indeed contain their EV certificate and the associated private key. https://pastebin.com/Uv6mrNSt pic.twitter.com/WAIgHgAVnl
Of course the immediate course of action was to notify the site and they only had one email address available online to do that.pic.twitter.com/bummqhCYxC
I still haven't received any response from the site but I also notified @digicert, who were the issuing CA. They most likely have a point of contact at the organisation in question and also need to revoke the cert now the key is compromised.pic.twitter.com/W5Z7vM71fy
DigiCert were quick to respond and followed up asking for more information.pic.twitter.com/7mxQoKf4EO
would be good to share the incident on mozilla-dev-security-policy
I have about 100 different private keys that were released to the public in Android apps and were also used to obtain at least 1 certificate from a CA participating in the CT project. Would it be appropriate to contact each of the respective CAs to have the certificates revoked?
yes, absolutely. Please do. And send a report to the mozilla list. (Also "participating in the CT project" is these days practically every CA in the Web PKI - otherwise Chrome won't like your certs)
Before I reinvent any wheels, are there already any tools that can help automate the reporting of compromised keys to respective CAs? That is, given a key present in either https://crt.sh/?q= (certificate hash) https://crt.sh/?spkisha256= (key hash) show the proper contact info.
e.g., Given a list of http://crt.sh URIs like this, what's the path of least resistance to getting them revoked? I suppose scraping the http://crt.sh website wouldn't be too tricky. I'm just trying to prevent duplication of effort, though.pic.twitter.com/wcO43FbE3Y
a) check if already revoked or expired (obvious, just sayin), b) figure out what the root ca is (no easy automation I'm aware of), c) https://ccadb-public.secure.force.com/mozilla/AllProblemReportingMechanismsReport … has email contacts, d) if it doesn't work inform mozilla via a bugreport
special case let's encrypt: there's an acme feature to revoke yourself if you have the private key.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.