Telekom Security: Revocation delay for TLS certificates (bugzilla.mozilla.org)
54 points by MaKey 4 months ago | hide | past | favorite | 15 comments



The title seems incorrect, per Comment#10 https://bugzilla.mozilla.org/show_bug.cgi?id=1877388#c10 all misused certificates were eventually revoked

> 2024-01-22 > 08:25 The error message “ERROR: basicConstraints MAY appear in the certificate, and when it is included MUST be marked as critical” in crt.sh was found in our weekly checks

> 2024-02-05 > 13:00 Videoconference with the management of the Trust Center with the decision, to revoke all certificates that have not yet been revoked the next day > 13:25 Information to customers about the final revocation of all certificates the next day

> 2024-06-02 > 15:41 All affected certificates are replaced and revoked.

Given the comment was posted 2024-02-09, the last date is probably a typo of 2024-02-06, aka within 16 days.
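The crt.sh finding quoted above (RFC 5280 requires basicConstraints, when present, to be marked critical), as an added example that is not code from the bug thread or from Telekom: a minimal DER walk over a certificate's Extensions SEQUENCE that reports basicConstraints whenever its critical flag is absent. The sample Extensions blobs are constructed by hand, not taken from the affected certificates.

```python
# Added example: lint an X.509 Extensions SEQUENCE for a non-critical
# basicConstraints extension (OID 2.5.29.19). Pure DER parsing, no third-party
# library; the sample blobs below are hand-constructed, not real certificates.
BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")  # 2.5.29.19


def read_tlv(buf: bytes, pos: int):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_extension(ext: bytes):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
    extnValue OCTET STRING }. Returns (oid, critical, extnValue)."""
    tag, oid, pos = read_tlv(ext, 0)
    assert tag == 0x06, "extnID must be an OBJECT IDENTIFIER"
    critical = False
    tag, value, pos = read_tlv(ext, pos)
    if tag == 0x01:  # optional BOOLEAN present; DER encodes TRUE as 0xFF
        critical = value == b"\xff"
        tag, value, pos = read_tlv(ext, pos)
    assert tag == 0x04, "extnValue must be an OCTET STRING"
    return oid, critical, value


def lint_extensions(extensions_der: bytes) -> list:
    """Walk Extensions ::= SEQUENCE OF Extension; return a list of findings."""
    tag, body, _ = read_tlv(extensions_der, 0)
    assert tag == 0x30, "Extensions must be a SEQUENCE"
    findings, pos = [], 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        oid, critical, _ = parse_extension(ext)
        if oid == BASIC_CONSTRAINTS_OID and not critical:
            findings.append("basicConstraints present but not marked critical")
    return findings


# Constructed samples (hex). GOOD: basicConstraints cA=FALSE, critical TRUE.
# BAD: same extension with the critical flag omitted (the crt.sh finding).
# CA_BAD: a critical keyUsage followed by a non-critical basicConstraints cA=TRUE.
GOOD = bytes.fromhex("300e300c0603551d130101ff04023000")
BAD = bytes.fromhex("300b30090603551d1304023000")
CA_BAD = bytes.fromhex("301e300e0603551d0f0101ff040403020106300c0603551d13040530030101ff")
```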


Thanks, you are correct. I missed that part in between the discussion. Unfortunately I can't change the title anymore.

@dang can you change it to "Deutsche Telekom issued invalid certificates, is unwilling to improve processes"?


It's probably best to follow the HN guidelines (https://news.ycombinator.com/newsguidelines.html) and use the original title. I've done that now. (The submitted title, for those who like to keep track, was "Deutsche Telekom issued invalid certificates, hasn't revoked them since 6 months".)

It's certainly fine to share what you think is important about an article, but the best way to do that is by adding a comment to the thread.


I agree wholeheartedly. Thanks a lot!


Oh, well, having DTAG removed from the Firefox and Chrome/Windows root stores would be... oddly satisfying?

I know that in the US, ISP-wise, mostly Comcast has a bad reputation, but in the EU and from a business perspective, Deutsche Telekom is also not, eh, universally liked...


Having read through the entire thread twice now, I cannot shake the impression that Telekom is persistently trying to avoid implementing any meaningful mitigation procedures themselves. Across the entire thread they communicate under the assumption that

- they didn't make any mistake in delaying the revocation,

- they should be able (given enough insistence from their customers) to do so again at their own discretion in the future, and

- their inadequate handling of the incident and their apparent laissez-faire approach to the requirements for a CA should be accepted and deemed satisfactory by everyone else.


Welcome to German quasi-government-agencies.


Read through the whole communication and have to say the Deutsche Telekom really failed to communicate clearly here. Most people who have ever worked in IT will fuck up some cert during some point in their career — but you have to not do that when you are expecting to earn that level of trust. And when you do fuck up, it really matters how decidedly and clearly you deal with that.

So first they don't produce any explanation, then they are on summer vacation? Truly WTF? If anything Deutsche Telekom has demonstrated that they are not deserving of the trust given.


What, didn't they revoke the rest later the same week?


Yes, it seems like they revoked the rest on 2024-02-06. I missed that. However, they seem to be absolutely unwilling to improve their processes.


Then they must be removed.

It's also one of the reasons why I find it so annoying that I can't disable CAs in iOS and Android trust stores manually.


It appears disabling trust roots is possible on my Samsung Android at least.


So assume they're removed.

As it happens, one of the unwilling customers is the police force where I live. I can tell you what the police would have answered: "We're supposed to take down the police servers outside our normal schedule for a problem that does not affect us? Are you serious?" How do you suggest that the next CA should answer?


Easy answer. If you are not comfortable with the basic requirements that each and every CA in the PKI is required to follow, you should host your own PKI and manage trust yourself as well.


> As it happens, one of the unwilling customers is the police force where I live. I can tell you what the police would have answered: "We're supposed to take down the police servers outside our normal schedule for a problem that does not affect us? Are you serious?" How do you suggest that the next CA should answer?

Should have picked a CA that can follow fundamental rules that apply to every CA that wishes to be trusted, shouldn't have fucked around and found out.



