[lamps] Anomalous Certificate Issuances based on historic CAA records
Quirin Scheitle <scheitle@net.in.tum.de> Wed, 22 November 2017 23:50 UTC
Return-Path: <scheitle@net.in.tum.de>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 772AF1200F1 for <spasm@ietfa.amsl.com>; Wed, 22 Nov 2017 15:50:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id va5Ro-UCwwqj for <spasm@ietfa.amsl.com>; Wed, 22 Nov 2017 15:50:18 -0800 (PST)
Received: from mail-out1.informatik.tu-muenchen.de (mail-out1.informatik.tu-muenchen.de [131.159.0.8]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 30BDF126B6E for <spasm@ietf.org>; Wed, 22 Nov 2017 15:50:17 -0800 (PST)
Received: from [127.0.0.1] (localhost [127.0.0.1]) by mail.net.in.tum.de (Postfix) with ESMTPSA id 9; Thu, 23 Nov 2017 00:50:04 +0100 (CET)
From: Quirin Scheitle <scheitle@net.in.tum.de>
Content-Type: multipart/signed; boundary="Apple-Mail=_9DEDBBCA-9669-43E6-BEF6-76FF13CD941E"; protocol="application/pgp-signature"; micalg="pgp-sha256"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Thu, 23 Nov 2017 00:50:04 +0100
Cc: public@cabforum.org, spasm@ietf.org
To: mozilla-dev-security-policy@lists.mozilla.org
Message-Id: <AC3ABE10-3ABB-4130-9B86-AF3611E13328@net.in.tum.de>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/3yx_a_rXrzElGp5qaEZDqgGtp4k>
Subject: [lamps] Anomalous Certificate Issuances based on historic CAA records
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Nov 2017 23:50:25 -0000
/* posting for primary discussion at Mozilla Dev Security Policy, copying CAB Public ML and SPASM@IETF */ Hi all, the CAA RFC includes an “evaluator” role, a third party than can use public DNS records and public certificates to surface anomalies in the issuance process. We have taken this role and analysed a set of certificates for a number of domains for which we happen to have measured CAA records *at issuance time*. We would like to share our results here for public discussion. We believe that this might help to further shape said “evaluator role”. (In which context and format should findings be shared? What level of detail and assurance is expected?). Furthermore, our results have surfaced some anomalies that might hint at underlying issues with CAA validation. We believe that uncovering and discussing unclear cases will help to sharpen our understanding as a community on how certain cases should be handled. In that light, I want to share the details of our scan below. We have found 18 anomalous certificates that can be assigned to 4 groups of possible root causes: 1) Mix of wildcard and non-wildcard DNS names in SAN Batch: https://misissued.com/batch/32/ Description: best confer https://groups.google.com/d/msg/mozilla.dev.security.policy/O9HZPMvHMY8/HtXR8S-1AAAJ 2) Cloudflare FreeSSL certificates issued by Comodo Batch: https://misissued.com/batch/30/ Description: We are not aware that Cloudflare and Comodo are affiliated, or that Comodo runs the DNS infrastructure of Cloudflare customers — so these certificates should be checked like any other? 3) Comodo not checking CAA records until Sep 12 [https://bugzilla.mozilla.org/show_bug.cgi?id=1398545] Batch: https://misissued.com/batch/29/ Description: Comodo did not validate CAA records in the early days, and the certificates in this batch might have been issued due to this anomaly. 4) Apparent non-evaluation of CAA records Batch: https://misissued.com/batch/33/ Description: These cases appear as pretty straight-forward that they should not have been issued, but there might be good explanations Please note that these categories may overlap. Please find the details below. To proceed with this as a community, I guess answers to the the following questions from the affected CAs [1] would be of interest: a) Was CAA checking bypassed for this issuance? If so, why? b) If CAA lookups were conducted, what response did you receive? Why did it permit issuance? [1] Thawte, Comodo, Certum,Camerfirma, GlobalSign I am also happy to file BugZilla bugs if desired. Kind regards Quirin ======== Certificate 1 - Group 1 ======== https://crt.sh/?id=215028491 X509v3 Subject Alternative Name: DNS:*.netservicesgroup.com DNS:netservicesgroup.com Issuer COMODO CA Limited DNS history (Certificate issued on Sep 20): 2017-09-18:netservicesgroup.com. 86400 IN CAA 0 issuewild "comodoca.com" 2017-09-18:netservicesgroup.com. 86400 IN CAA 0 issue ";" 2017-09-19:netservicesgroup.com. 86400 IN CAA 0 issuewild "comodoca.com" 2017-09-19:netservicesgroup.com. 86400 IN CAA 0 issue ";" 2017-09-20:netservicesgroup.com. 86400 IN CAA 0 issuewild "comodoca.com" 2017-09-20:netservicesgroup.com. 86400 IN CAA 0 issue “;" 2017-09-21:netservicesgroup.com. 86400 IN CAA 0 issuewild "comodoca.com" 2017-09-21:netservicesgroup.com. 86400 IN CAA 0 issue ";" 2017-09-23:netservicesgroup.com. 86400 IN CAA 0 issuewild “comodoca.com" 2017-09-23:netservicesgroup.com. 86400 IN CAA 0 issue “;" ======== Certificate 2 - Group 1 ======= https://crt.sh/?id=211113116 X509v3 Subject Alternative Name: DNS:*.trnava-vuc.sk DNS:trnava-vuc.sk Issuer: thawte, Inc. DNS history (Certificate issued on Sep 13) 2017-09-11:trnava-vuc.sk. 86400 IN CAA 0 issuewild "symantec.com" 2017-09-11:trnava-vuc.sk. 86400 IN CAA 0 issue ";" 2017-09-12:trnava-vuc.sk. 86400 IN CAA 0 issuewild "thawte.com" 2017-09-12:trnava-vuc.sk. 86400 IN CAA 0 issue ";" 2017-09-13:trnava-vuc.sk. 86400 IN CAA 0 issuewild "thawte.com" 2017-09-13:trnava-vuc.sk. 86400 IN CAA 0 issue ";" 2017-09-14:trnava-vuc.sk. 86360 IN CAA 0 issuewild "thawte.com" 2017-09-14:trnava-vuc.sk. 86360 IN CAA 0 issue ";" 2017-09-15:trnava-vuc.sk. 86400 IN CAA 0 issuewild "thawte.com" 2017-09-15:trnava-vuc.sk. 86400 IN CAA 0 issue ";" 2017-09-16:trnava-vuc.sk. 86400 IN CAA 0 issuewild "thawte.com" 2017-09-16:trnava-vuc.sk. 86400 IN CAA 0 issue ";" 2017-09-17:trnava-vuc.sk. 86400 IN CAA 0 issuewild "thawte.com" 2017-09-17:trnava-vuc.sk. 86400 IN CAA 0 issue ";" ======== Certificate 3 - Group 1 ======== https://crt.sh/?id=226175601 X509v3 Subject Alternative Name: DNS:*.drillisch-online.de DNS:drillisch-online.de Issuer: COMODO CA Limited DNS history (Certificate issued on Sep 29): 2017-09-28:drillisch-online.de. 3600 IN CAA 0 issuewild "globalsign.com" 2017-09-28:drillisch-online.de. 3600 IN CAA 0 issuewild "comodoca.com" 2017-09-28:drillisch-online.de. 3600 IN CAA 0 issue ";" 2017-09-29:drillisch-online.de. 3600 IN CAA 0 issuewild "comodoca.com" 2017-09-29:drillisch-online.de. 3600 IN CAA 0 issue ";" 2017-09-30:drillisch-online.de. 3600 IN CAA 0 issuewild "comodoca.com" 2017-09-30:drillisch-online.de. 3600 IN CAA 0 issue ";" ======= Certificate 4 - Group 1 ======= https://crt.sh/?id=221763552 X509v3 Subject Alternative Name: DNS:*.uhlhosting.ch DNS:uhlhosting.ch Issuer: Comodo DNS history (Certificate issued on Sep 29): 2017-09-27: uhlhosting.ch. 14400 IN CAA 0 issuewild “comodoca.com" 2017-09-27: uhlhosting.ch. 14400 IN CAA 0 issue “;” 2017-09-28: uhlhosting.ch. 14400 IN CAA 0 issuewild “comodoca.com” 2017-09-28: uhlhosting.ch. 14400 IN CAA 0 issue “;” 2017-09-29: uhlhosting.ch. 14400 IN CAA 0 issuewild “comodoca.com” 2017-09-29: uhlhosting.ch. 14400 IN CAA 0 issue “;” 2017-09-30: uhlhosting.ch. 14400 IN CAA 0 issuewild “comodoca.com" 2017-09-30: uhlhosting.ch. 14400 IN CAA 0 issue “;” ======== Certificate 5 - Group 1 ======== https://crt.sh/?id=211729608 X509v3 Subject Alternative Name: DNS:*.provida.net DNS:provida.net Issuer: COMODO CA Limited DNS history (Certificate issued on Sep 15): 2017-09-13:provida.net. 600 IN CAA 0 issuewild "comodo.com" 2017-09-13:provida.net. 600 IN CAA 0 issuewild "symantec.com" 2017-09-13:provida.net. 600 IN CAA 0 issue ";" 2017-09-14:provida.net. 600 IN CAA 0 issuewild "comodo.com" 2017-09-14:provida.net. 600 IN CAA 0 issuewild “symantec.com" 2017-09-14:provida.net. 600 IN CAA 0 issue “;" 2017-09-15:provida.net. 600 IN CAA 0 issuewild "comodo.com" 2017-09-15:provida.net. 600 IN CAA 0 issuewild "symantec.com" 2017-09-15:provida.net. 600 IN CAA 0 issue ";" 2017-09-16:provida.net. 600 IN CAA 0 issuewild "comodo.com" 2017-09-16:provida.net. 600 IN CAA 0 issuewild “symantec.com" 2017-09-16:provida.net. 600 IN CAA 0 issue “;" 2017-09-17:provida.net. 600 IN CAA 0 issuewild "comodo.com" 2017-09-17:provida.net. 600 IN CAA 0 issuewild "symantec.com" 2017-09-17:provida.net. 600 IN CAA 0 issue “;” ======= Certificate 6 - Group 1 ======= https://crt.sh/?id=223356078 X509v3 Subject Alternative Name: DNS:*.cyberbajt.pl DNS:cyberbajt.pl Issuer: Unizeto Technologies S.A. (-> Certum) DNS history (Certificate issued on Oct 1): 2017-09-27:cyberbajt.pl. 86400 IN CAA 0 issue ";" 2017-09-27:cyberbajt.pl. 86400 IN CAA 0 issuewild "certum.pl" 2017-09-28:cyberbajt.pl. 86400 IN CAA 0 issue ";" 2017-09-28:cyberbajt.pl. 86400 IN CAA 0 issuewild "certum.pl" 2017-09-29:cyberbajt.pl. 86400 IN CAA 0 issue ";" 2017-09-29:cyberbajt.pl. 86400 IN CAA 0 issuewild "certum.pl" 2017-09-30:cyberbajt.pl. 86400 IN CAA 0 issue ";" 2017-09-30:cyberbajt.pl. 86400 IN CAA 0 issuewild "certum.pl" 2017-10-01:cyberbajt.pl. 86400 IN CAA 0 issue ";" 2017-10-01:cyberbajt.pl. 86400 IN CAA 0 issuewild "certum.pl" 2017-10-02:cyberbajt.pl. 86400 IN CAA 0 issue ";" 2017-10-02:cyberbajt.pl. 86400 IN CAA 0 issuewild "certum.pl" 2017-10-03:cyberbajt.pl. 86400 IN CAA 0 issue ";" 2017-10-03:cyberbajt.pl. 86400 IN CAA 0 issuewild "certum.pl" 2017-10-04:cyberbajt.pl. 86400 IN CAA 0 issue ";" 2017-10-04:cyberbajt.pl. 86400 IN CAA 0 issuewild "certum.pl" ======= Certificate 7 - Group 1 ====== https://crt.sh/?id=250171539 X509v3 Subject Alternative Name: DNS:*.s5.nl DNS:s5.nl Issuer: Comodo DNS history (Issued Nov 06): 2017-11-03:s5.nl. 3600 IN CAA 0 issue "letsencrypt.org" 2017-11-03:s5.nl. 3600 IN CAA 0 issuewild "comodoca.com" 2017-11-04:s5.nl. 3600 IN CAA 0 issue "letsencrypt.org" 2017-11-04:s5.nl. 3600 IN CAA 0 issuewild "comodoca.com" 2017-11-05:s5.nl. 3600 IN CAA 0 issuewild "comodoca.com" 2017-11-05:s5.nl. 3600 IN CAA 0 issue "letsencrypt.org" 2017-11-06:s5.nl. 3600 IN CAA 0 issuewild "comodoca.com" 2017-11-06:s5.nl. 3600 IN CAA 0 issue "letsencrypt.org" 2017-11-07:s5.nl. 3600 IN CAA 0 issuewild "comodoca.com" 2017-11-07:s5.nl. 3600 IN CAA 0 issue "letsencrypt.org" 2017-11-08:s5.nl. 3600 IN CAA 0 issue "letsencrypt.org" 2017-11-08:s5.nl. 3600 IN CAA 0 issuewild "comodoca.com" 2017-11-09:s5.nl. 3600 IN CAA 0 issue "letsencrypt.org" 2017-11-09:s5.nl. 3600 IN CAA 0 issuewild "comodoca.com" ======= Certificate 8 - Group 1 ====== https://crt.sh/?id=254174871 X509v3 Subject Alternative Name: DNS:*.invinsec.com DNS:invinsec.com Issuer: GlobalSign (AlphaSSL) DNS history (Issued Nov 12 00:57): 2017-11-10:invinsec.com. 300 IN CAA 0 issue "digicert.com" 2017-11-10:invinsec.com. 300 IN CAA 0 issue "letsencrypt.org" 2017-11-10:invinsec.com. 300 IN CAA 0 issuewild ";" 2017-11-11:invinsec.com. 300 IN CAA 0 issue "digicert.com" 2017-11-11:invinsec.com. 300 IN CAA 0 issue "letsencrypt.org" 2017-11-11:invinsec.com. 300 IN CAA 0 issuewild "globalsign.com" 2017-11-12:invinsec.com. 300 IN CAA 0 issue "digicert.com" 2017-11-12:invinsec.com. 300 IN CAA 0 issue "letsencrypt.org" 2017-11-12:invinsec.com. 300 IN CAA 0 issuewild "globalsign.com" 2017-11-13:invinsec.com. 300 IN CAA 0 issue "digicert.com" 2017-11-13:invinsec.com. 300 IN CAA 0 issue "letsencrypt.org" 2017-11-13:invinsec.com. 300 IN CAA 0 issuewild "globalsign.com" 2017-11-14:invinsec.com. 300 IN CAA 0 issue "digicert.com" 2017-11-14:invinsec.com. 300 IN CAA 0 issue "letsencrypt.org" 2017-11-14:invinsec.com. 300 IN CAA 0 issuewild “globalsign.com" ======= Certificate 9 - Group 1 ====== https://crt.sh/?id=261922875 X509v3 Subject Alternative Name: DNS:*.imagindata.com DNS:imagindata.com Issuer: Comodo DNS history (Issued Oct 14): 2017-10-12:imagindata.com. 300 IN CAA 0 issue “;" 2017-10-12:imagindata.com. 300 IN CAA 0 issuewild “comodoca.com 2017-10-13:imagindata.com. 300 IN CAA 0 issue “;" 2017-10-13:imagindata.com. 300 IN CAA 0 issuewild “comodoca.com 2017-10-14:imagindata.com. 300 IN CAA 0 issue “;" 2017-10-14:imagindata.com. 300 IN CAA 0 issuewild “comodoca.com 2017-10-15:imagindata.com. 300 IN CAA 0 issue “;" 2017-10-15:imagindata.com. 300 IN CAA 0 issuewild “comodoca.com 2017-10-16:imagindata.com. 300 IN CAA 0 issue “;" 2017-10-16:imagindata.com. 300 IN CAA 0 issuewild “comodoca.com ====== Certificate 10 - Group 1 ========= https://crt.sh/?id=235359928 X509v3 Subject Alternative Name: DNS:*.gbase.com DNS:gbase.com Issuer: Comodo DNS history (Issued Oct 17): 2017-10-15:gbase.com. 432000 IN CAA 0 issue ";" 2017-10-15:gbase.com. 432000 IN CAA 0 issuewild "comodoca.com" 2017-10-16:gbase.com. 432000 IN CAA 0 issue ";" 2017-10-16:gbase.com. 432000 IN CAA 0 issuewild “comodoca.com" 2017-10-17:gbase.com. 432000 IN CAA 0 issue ";" 2017-10-17:gbase.com. 432000 IN CAA 0 issuewild “comodoca.com" 2017-10-18:gbase.com. 432000 IN CAA 0 issue ";" 2017-10-18:gbase.com. 432000 IN CAA 0 issuewild “comodoca.com" 2017-10-19:gbase.com. 432000 IN CAA 0 issue ";" 2017-10-19:gbase.com. 432000 IN CAA 0 issuewild “comodoca.com” ======= Certificate 11 - Group 2, Group 3 ======= https://crt.sh/?id=206166802 X509v3 Subject Alternative Name: DNS:sni242586.cloudflaressl.com … (way more DNS names...) DNS:reed.systems DNS:*.reed.systems … (way more DNS names…) Issuer: Comodo DNS history (Certificate issued on Sep 8): 2017-09-03:reed.systems. 300 IN CAA 0 issue "letsencrypt.org" 2017-09-04:reed.systems. 300 IN CAA 0 issue "letsencrypt.org" 2017-09-05:reed.systems. 300 IN CAA 0 issue "letsencrypt.org" 2017-09-06:reed.systems. 300 IN CAA 0 issue "letsencrypt.org" 2017-09-07:reed.systems. 300 IN CAA 0 issue "letsencrypt.org" 2017-09-08:reed.systems. 300 IN CAA 0 issue "letsencrypt.org" 2017-09-09:reed.systems. 300 IN CAA 0 issue "letsencrypt.org" 2017-09-10:reed.systems. 300 IN CAA 0 issue "letsencrypt.org" 2017-09-11:reed.systems. 300 IN CAA 0 issue "letsencrypt.org" 2017-09-12:reed.systems. 300 IN CAA 0 issue "letsencrypt.org" 2017-09-13:reed.systems. 300 IN CAA 0 issue "letsencrypt.org" 2017-09-14:reed.systems. 300 IN CAA 0 issue "letsencrypt.org" 2017-09-15:reed.systems. 300 IN CAA 0 issue "letsencrypt.org" ======= Certificate 12, Group 2, Group 3 ====== https://crt.sh/?id=207953208 X509v3 Subject Alternative Name: DNS:sni89771.cloudflaressl.com … (way more DNS names…) DNS:*.ficud.international DNS:ficud.international DNS:*ficud.academy DNS:ficud.academy DNS:*ficud.info DNS:ficud.info … (way more DNS names…) Issuer: Comodo DNS history (Certificate issued on Sep 12): 2017-09-06:ficud.international. 300 IN CAA 0 issue "letsencrypt.org" 2017-09-06:ficud.international. 300 IN CAA 0 issue "symantec.com" 2017-09-07:ficud.international. 300 IN CAA 0 issue "letsencrypt.org" 2017-09-07:ficud.international. 300 IN CAA 0 issue "symantec.com" 2017-09-08:ficud.international. 300 IN CAA 0 issue "letsencrypt.org" 2017-09-08:ficud.international. 300 IN CAA 0 issue "symantec.com" 2017-09-09:ficud.international. 300 IN CAA 0 issue "letsencrypt.org" 2017-09-09:ficud.international. 300 IN CAA 0 issue "symantec.com" 2017-09-10:ficud.international. 300 IN CAA 0 issue "letsencrypt.org" 2017-09-10:ficud.international. 300 IN CAA 0 issue "symantec.com" 2017-09-11:ficud.international. 300 IN CAA 0 issue "letsencrypt.org" 2017-09-11:ficud.international. 300 IN CAA 0 issue "symantec.com" 2017-09-12:ficud.international. 300 IN CAA 0 issue "letsencrypt.org" 2017-09-12:ficud.international. 300 IN CAA 0 issue "symantec.com" 2017-09-13:ficud.international. 300 IN CAA 0 issue "letsencrypt.org" 2017-09-13:ficud.international. 300 IN CAA 0 issue "symantec.com" 2017-09-14:ficud.international. 300 IN CAA 0 issue "letsencrypt.org" 2017-09-14:ficud.international. 300 IN CAA 0 issue "symantec.com" 2017-09-15:ficud.international. 300 IN CAA 0 issue "letsencrypt.org" 2017-09-15:ficud.international. 300 IN CAA 0 issue "symantec.com" 2017-09-16:ficud.international. 300 IN CAA 0 issue "letsencrypt.org" 2017-09-16:ficud.international. 300 IN CAA 0 issue "symantec.com" ficud.academy and ficud.info have the same DNS history. ======= Certificate 13 - Group 3 ======== https://crt.sh/?id=246909989 X509v3 Subject Alternative Name: DNS:southcentralcompany-rewards.com … Issuer: cPanel (-> Comodo) DNS history (Certificate issued on Sep 10): 2017-09-05:southcentralcompany-rewards.com. 60 IN CAA 0 issue "symantec.com" 2017-09-06:southcentralcompany-rewards.com. 60 IN CAA 0 issue "symantec.com" 2017-09-07:southcentralcompany-rewards.com. 60 IN CAA 0 issue "symantec.com" 2017-09-08:southcentralcompany-rewards.com. 60 IN CAA 0 issue "symantec.com" 2017-09-09:southcentralcompany-rewards.com. 60 IN CAA 0 issue "symantec.com" 2017-09-10:southcentralcompany-rewards.com. 60 IN CAA 0 issue "symantec.com" 2017-09-11:southcentralcompany-rewards.com. 60 IN CAA 0 issue "symantec.com" 2017-09-12:southcentralcompany-rewards.com. 60 IN CAA 0 issue "symantec.com" 2017-09-13:southcentralcompany-rewards.com. 60 IN CAA 0 issue "symantec.com" 2017-09-14:southcentralcompany-rewards.com. 60 IN CAA 0 issue "symantec.com" 2017-09-15:southcentralcompany-rewards.com. 60 IN CAA 0 issue "symantec.com" ======== Certificate 14 - Group 3 ======= https://crt.sh/?id=261112312 X509v3 Subject Alternative Name: DNS:southcentralcompany-rewards.com ... Issuer: cPanel (-> Comodo) DNS history (Certificate issued on Sep 10): 2017-09-05:homeinsteadrewards.com. 60 IN CAA 0 issue "symantec.com" 2017-09-06:homeinsteadrewards.com. 60 IN CAA 0 issue "symantec.com" 2017-09-07:homeinsteadrewards.com. 60 IN CAA 0 issue "symantec.com" 2017-09-08:homeinsteadrewards.com. 60 IN CAA 0 issue "symantec.com" 2017-09-09:homeinsteadrewards.com. 60 IN CAA 0 issue "symantec.com" 2017-09-10:homeinsteadrewards.com. 60 IN CAA 0 issue "symantec.com" 2017-09-11:homeinsteadrewards.com. 59 IN CAA 0 issue "symantec.com" 2017-09-12:homeinsteadrewards.com. 60 IN CAA 0 issue "symantec.com" 2017-09-13:homeinsteadrewards.com. 60 IN CAA 0 issue "symantec.com" 2017-09-14:homeinsteadrewards.com. 60 IN CAA 0 issue "symantec.com" 2017-09-15:homeinsteadrewards.com. 60 IN CAA 0 issue "symantec.com" ====== Certificate 15 - Group 3 ====== (Please note this was issued past Sep 12) https://crt.sh/?id=211648524 X509v3 Subject Alternative Name: DNS:www.panphuree.com DNS:panphuree.com Issuer: Comodo DNS history (Certificate issued on Sep 14): 2017-09-12:panphuree.com. 14400 IN CAA 0 issue ";" 2017-09-13:panphuree.com. 14400 IN CAA 0 issue ";" 2017-09-14:panphuree.com. 14400 IN CAA 0 issue ";" 2017-09-15:panphuree.com. 14368 IN CAA 0 issue ";" 2017-09-16:panphuree.com. 14400 IN CAA 0 issue ";" 2017-09-17:panphuree.com. 14400 IN CAA 0 issue ";" 2017-09-18:panphuree.com. 14400 IN CAA 0 issue ";" ======= Certificate 16 - Group 4 ======= https://crt.sh/?id=257856701 X509v3 Subject Alternative Name: ... DNS:am-hosting.de DNS:www.am-hosting.de DNS:*.am-hosting.de … Issuer: AC CAMERFIRMA DNS history (Issued: Nov 16 14:28 GMT) 2017-11-12:am-hosting.de. 43200 IN CAA 0 issue "letsencrypt.org" 2017-11-13:am-hosting.de. 43200 IN CAA 0 issue "letsencrypt.org" 2017-11-14:am-hosting.de. 43200 IN CAA 0 issue "letsencrypt.org" 2017-11-15:am-hosting.de. 43200 IN CAA 0 issue "letsencrypt.org" 2017-11-16:am-hosting.de. 43200 IN CAA 0 issue "letsencrypt.org" 2017-11-17:am-hosting.de. 43200 IN CAA 0 issue "letsencrypt.org" 2017-11-18:am-hosting.de. 43200 IN CAA 0 issue “letsencrypt.org” Zoomed (UTC timestamps) 2017-11-15-18:00:am-hosting.de. 43200 IN CAA 0 issue “letsencrypt.org” 2017-11-15-22:00:am-hosting.de. 43200 IN CAA 0 issue “letsencrypt.org” 2017-11-15-02:00:am-hosting.de. 43200 IN CAA 0 issue “letsencrypt.org” 2017-11-16-06:00:am-hosting.de. 43200 IN CAA 0 issue “letsencrypt.org” 2017-11-16-10:00:am-hosting.de. 43200 IN CAA 0 issue “letsencrypt.org” 2017-11-16-14:00:am-hosting.de. 43200 IN CAA 0 issue “letsencrypt.org” Issued: Nov 16 14:28 GMT 2017-11-16-18:00:am-hosting.de. 43200 IN CAA 0 issue “letsencrypt.org” 2017-11-16-22:00:am-hosting.de. 43200 IN CAA 0 issue “letsencrypt.org” 2017-11-17-02:00:am-hosting.de. 43200 IN CAA 0 issue “letsencrypt.org” 2017-11-17-06:00:am-hosting.de. 43200 IN CAA 0 issue “letsencrypt.org” ======= Certificate 17 - Group 4 ======= https://crt.sh/?id=255113449 X509v3 Subject Alternative Name: DNS:*.bankvrn.ru DNS:bankvrn.ru Issuer: Comodo DNS history(Issued Sep 28) 2017-09-27:bankvrn.ru. 3600 IN CAA 0 issue "geotrust.com" 2017-09-27:bankvrn.ru. 3600 IN CAA 0 issue "letsencrypt.org" 2017-09-27:bankvrn.ru. 3600 IN CAA 0 issue "thawte.com" 2017-09-27:bankvrn.ru. 3600 IN CAA 0 issue "wosign.com" 2017-09-27:bankvrn.ru. 3600 IN CAA 0 issuewild “;" 2017-09-28:bankvrn.ru. 3600 IN CAA 0 issue "letsencrypt.org" 2017-09-28:bankvrn.ru. 3600 IN CAA 0 issue "wosign.com" 2017-09-28:bankvrn.ru. 3600 IN CAA 0 issue "thawte.com" 2017-09-28:bankvrn.ru. 3600 IN CAA 0 issue “geotrust.com" 2017-09-28:bankvrn.ru. 3600 IN CAA 0 issuewild ";" 2017-09-29:bankvrn.ru. 3600 IN CAA 0 issue "thawte.com" 2017-09-29:bankvrn.ru. 3600 IN CAA 0 issue "letsencrypt.org" 2017-09-29:bankvrn.ru. 3600 IN CAA 0 issue "geotrust.com" 2017-09-29:bankvrn.ru. 3600 IN CAA 0 issue "wosign.com" 2017-09-29:bankvrn.ru. 3600 IN CAA 0 issuewild ";" ======== Certificate 18 - Group 4 ======= https://crt.sh/?id=252132456 X509v3 Subject Alternative Name: DNS:mc21colombia.com DNS:www.mc21colombia.com Issuer: cPanel (-> Comodo) DNS history (Issued Oct 17): 2017-10-14:mc21colombia.com. 3600 IN CAA 0 issuewild "digicert.com" 2017-10-15:mc21colombia.com. 3600 IN CAA 0 issuewild "digicert.com" 2017-10-17:mc21colombia.com. 3600 IN CAA 0 issuewild "digicert.com" 2017-10-18:mc21colombia.com. 300 IN CAA 0 issuewild "digicert.com" 2017-10-18:mc21colombia.com. 300 IN CAA 0 issue "digicert.com" 2017-10-19:mc21colombia.com. 300 IN CAA 0 issue "digicert.com" 2017-10-19:mc21colombia.com. 300 IN CAA 0 issuewild "digicert.com" 2017-10-20:mc21colombia.com. 300 IN CAA 0 issue "digicert.com" 2017-10-20:mc21colombia.com. 300 IN CAA 0 issuewild "digicert.com" 2017-10-21:mc21colombia.com. 300 IN CAA 0 issuewild "digicert.com" 2017-10-21:mc21colombia.com. 300 IN CAA 0 issue "digicert.com" 2017-10-22:mc21colombia.com. 300 IN CAA 0 issuewild "digicert.com" 2017-10-22:mc21colombia.com. 300 IN CAA 0 issue “digicert.com" — Quirin Scheitle Web: https://www.net.in.tum.de/~scheitle/ Technische Universität München Room: 03.05.037 Department of Computer Science Tel: +49.89.289.18012 Network Architectures and Services
- [lamps] Anomalous Certificate Issuances based on … Quirin Scheitle