On February 28, 2019, a CA Compliance bug was filed in the Mozilla NSS product detailing a flaw in which DarkMatter had mis-issued certificates whose serial numbers had only 63 bits of entropy instead of the required 64 bits.
See https://wiki.mozilla.org/CA/Incident_Dashboard for incidents related to CA Compliance and to browse any new or remaining incidents related to serial number entropy.
According to the CA Browser Forum Baseline Requirements, beginning September 30, 2016, “CAs SHALL generate Certificate serial numbers greater than zero (0) containing at least 64 bits of output from a CSPRNG.” See https://cabforum.org/baseline-requirements-documents/
In DarkMatter’s case, the serial numbers were 64 bits long, but because serial numbers must also be positive, the first bit was always 0, guaranteeing that each serial number had only 63 bits of randomness, or entropy. The issue was not caused by anything DarkMatter was doing intentionally, but by the EJBCA (https://ejbca.org/) software that many CAs use. When the cause was discovered, a sense of urgency broke out across the CA community after millions of certificates across many CAs were found to have been mis-issued.
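The arithmetic behind the 63-bit problem can be checked directly. The following is an added example, not code from the original post or from EJBCA: it models an 8-octet serial with the sign bit forced to 0, compares it with a 16-octet generator (one possible fix, assumed here), and applies a simple audit to a constructed sample. All function names are hypothetical.

```python
import secrets

REQUIRED_BITS = 64  # CA/B Forum minimum CSPRNG output per serial number


def der_integer_content(n: int) -> bytes:
    """Content octets of a positive DER INTEGER (minimal two's complement)."""
    if n <= 0:
        raise ValueError("serial numbers must be greater than zero")
    # A leading 0x00 octet is needed whenever the top bit would otherwise be 1.
    return n.to_bytes(n.bit_length() // 8 + 1, "big")


def serial_8_octets() -> int:
    """Model of the flaw: 8 random octets with the sign bit forced to 0."""
    while True:
        n = int.from_bytes(secrets.token_bytes(8), "big") & ((1 << 63) - 1)
        if n > 0:
            return n


def serial_16_octets() -> int:
    """Assumed fix: 16 octets, sign bit cleared, leaving 127 CSPRNG bits."""
    while True:
        n = int.from_bytes(secrets.token_bytes(16), "big") >> 1
        if n > 0:
            return n


def max_random_bits(serials) -> int:
    """Upper bound on random bits per serial, from the widest value observed."""
    return max(s.bit_length() for s in serials)


def could_meet_64_bits(serials) -> bool:
    """Necessary condition only: False if no serial ever uses a 64th bit."""
    return max_random_bits(serials) >= REQUIRED_BITS


if __name__ == "__main__":
    for name, gen in (("8 octets", serial_8_octets), ("16 octets", serial_16_octets)):
        sample = [gen() for _ in range(10_000)]  # constructed sample, not real certificates
        widest = max(len(der_integer_content(s)) for s in sample)
        print(f"{name}: max bits={max_random_bits(sample)}, "
              f"max DER octets={widest}, could comply={could_meet_64_bits(sample)}")
```

A serial that really carries 64 random bits needs up to 9 DER content octets, so a CA whose serials never exceed 8 octets cannot be meeting the requirement.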
To date, most of the certificates have been revoked and replaced. This has caused an undue burden on many organizations worldwide. Large corporations, higher education institutes, and personal websites have all been affected.
The CA Browser Forum Baseline Requirements also state that “The CA SHOULD revoke a certificate within 24 hours and MUST revoke a Certificate within 5 days.”
In the case of millions of mis-issued certificates, this rule is not scalable. Many CAs asked for an extension, which was granted in most, if not all, cases. The 5-day rule makes sense for a single mis-issued certificate, but not at all for hundreds, thousands, and in this case millions of certificates. The CA Browser Forum should learn from this and introduce a new rule for larger-scale noncompliance issues. Nothing was malicious here and no imminent security concerns were present. Money was lost and time was arguably wasted to “comply” with a non-security-related incident.
Also worth noting is that CAs may have previously uncovered “possible” mis-issuance of certificates with less than the required 64 bits of serial number entropy before the DarkMatter incident. It is highly likely that, because of the scrutiny DarkMatter faced in its attempt to be trusted by Mozilla and the community's reluctance to trust DarkMatter, the CA and browser community was scrutinizing certificates even more closely. It would be unfortunate if the community was willing to throw a wrench into the daily processes of numerous organizations worldwide just to try to block DarkMatter from being trusted. Again, it is possible that the 64-bit issue had already been brought into question previously, but not acted on until now.
With this said, it is our hope that progress will be made in separating security compliance from non-security-related compliance to help improve the usability of a more secure web.