
CERT Coordination Center

Multiple SSL certificate authorities use predefined email addresses as proof of domain ownership

Vulnerability Note VU#591120

Original Release Date: 2015-03-27 | Last Revised: 2015-04-07

Overview

Multiple SSL certificate authorities may issue certificates to a customer based solely on the control of certain email addresses. This may allow an attacker to obtain a valid SSL certificate to perform HTTPS spoofing without generating a warning in the client software.

Description

When a client such as a web browser accesses a resource using HTTPS, which subsequently uses SSL or TLS for encryption and authentication, the client is supposed to verify the certificate provided by the server. In particular, the client verifies that the certificate was issued by a root certificate authority (CA) that is trusted. This trust relationship relies upon the belief that the root certificate authorities have sufficiently verified that the individual requesting a certificate is doing so on behalf of the domain owner.

Many root CAs use the concept of "domain-authenticated" or similarly-named SSL certificates. These certificates may be issued with minimal proof of domain ownership. In some cases, an SSL certificate is provided simply based on the ability to use certain email addresses at the domain in question. According to RFC2142, the email address that should be used for DNS-related services should be hostmaster. According to the Mozilla CA Certificate Inclusion Policy as well as the CA/Browser Forum baseline requirements documents, the control of the addresses admin, administrator, webmaster, hostmaster, and postmaster can be used to prove domain ownership. However, some root CAs allow other email addresses to serve as proof of domain ownership. For example, a user who operates the email address ssladministrator@example.com may be able to obtain an SSL certificate for example.com.

Aside from EV certificates, the browser displays no difference between domain-authenticated certificates and certificates that were obtained through additional validation. For example, GeoCerts offers both domain-authenticated certificates and fully-authenticated certificates. However, from a client (e.g. web browser) perspective, there is no difference at all between the two certificates.

Domains of sites that are used for email purposes are at increased risk. If a user can register any one of the email addresses accepted by a single root CA for the purpose of domain-authenticated SSL certificates, then that user may be able to purchase a valid SSL certificate for that domain. We are unaware of a comprehensive list of email addresses accepted for domain-authenticated SSL certificates, but here is the policy used by Comodo. SSL resellers such as BuyHTTP list additional email addresses that can be used for email authentication for SSL certificate purchases.

Update: Upon further investigation, it appears that the SSL resellers that list email addresses outside of the five addresses listed in the CA/Browser BR document may be listing out-of-date guidance. In particular, those email aliases may have been accepted by their upstream root CAs in the past for issuing certificates. However, we cannot rule out the possibilities that an attacker has used such an email address to obtain a fraudulent certificate in the past, or that there is at least one root CA that will currently accept a non-whitelisted email address as domain ownership validation.

Impact

An attacker may be able to obtain a certificate for a domain that somebody else owns. With such a certificate, the attacker can spoof HTTPS sites and intercept HTTPS traffic without triggering client certificate warnings.

Solution

The CERT/CC is currently unaware of a practical solution to this problem. Please consider the following workarounds:

Block access to sensitive accounts

Sites that provide email accounts to users should restrict the ability to create email accounts that are trusted by root CAs. At the very least, users should not be able to create the email addresses for admin, administrator, webmaster, hostmaster, and postmaster. BuyHTTP lists those addresses as well as root, ssladmin, sysadmin, info, is, it, mis, ssladministrator, and sslwebmaster. If users have already created accounts that match up to these special names, those accounts should be disabled. Failure to do so can result in a user being able to obtain an SSL certificate for the domain in question.

Note that the above list of email addresses is not necessarily comprehensive. There may be at least one root CA that supports at least one additional email address as proof of domain ownership.
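The workaround above, sketched as an added example (not CERT/CC or vendor code): a check an email provider could run at account creation and over existing mailboxes. The function names, the normalization rules (case-insensitive delivery, "+" sub-addressing, optional dot-insensitivity) and the sample accounts are assumptions made for illustration; the alias lists are the ones named in this note.

```python
import unicodedata

# The five aliases this note cites from the CA/Browser Forum baseline requirements.
BR_ALIASES = frozenset(
    {"admin", "administrator", "webmaster", "hostmaster", "postmaster"}
)
# Additional aliases this note attributes to the reseller BuyHTTP.
RESELLER_ALIASES = frozenset(
    {"root", "ssladmin", "sysadmin", "info", "is", "it", "mis",
     "ssladministrator", "sslwebmaster"}
)


def normalize_local_part(address, subaddress_delims="+", ignore_dots=False):
    """Reduce an address to the mailbox name the mail system would deliver to.

    Assumptions (adjust to the real mail system's behaviour):
    - delivery is case-insensitive,
    - anything after a sub-address delimiter ("admin+x") reaches "admin",
    - compatibility forms such as full-width letters are folded (NFKC),
    - dots are ignored only if the provider does so (ignore_dots=True).
    """
    local = address.rsplit("@", 1)[0]
    local = unicodedata.normalize("NFKC", local).strip().casefold()
    for delim in subaddress_delims:
        local = local.split(delim, 1)[0]
    if ignore_dots:
        local = local.replace(".", "")
    return local


def classify(address, extra_reserved=frozenset(), **normalize_opts):
    """Return "br", "reseller", "extra", or None if the name is not reserved."""
    local = normalize_local_part(address, **normalize_opts)
    if local in BR_ALIASES:
        return "br"
    if local in RESELLER_ALIASES:
        return "reseller"
    if local in extra_reserved:
        return "extra"
    return None


def may_register(address, extra_reserved=frozenset(), **normalize_opts):
    """Signup gate: refuse any mailbox name a CA might treat as proof of control."""
    return classify(address, extra_reserved, **normalize_opts) is None


def audit_existing(accounts, extra_reserved=frozenset(), **normalize_opts):
    """List (address, category) for existing user accounts that should be disabled."""
    findings = []
    for address in accounts:
        category = classify(address, extra_reserved, **normalize_opts)
        if category is not None:
            findings.append((address, category))
    return findings


# Constructed sample data, not taken from any real provider.
SAMPLE_ACCOUNTS = [
    "alice@example.com",
    "Webmaster@example.com",
    "info+news@example.com",
    "bob.hostmaster@example.com",
    "SysAdmin@example.com",
]

if __name__ == "__main__":
    for address, category in audit_existing(SAMPLE_ACCOUNTS):
        print(f"disable {address}: reserved alias ({category})")
```

Because the note states that the published lists are not necessarily comprehensive, extra_reserved is where a provider would add any further names it learns a CA accepts.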

Vendor Information

The vendors listed as "affected" here are CAs that provide email-authenticated domain-validated SSL certificates. Although the CA/Browser Forum baseline requirements documents list email authentication using predefined aliases as a valid form of domain validation (section 11.1.1), CERT's stance is that such email authentication is not sufficient proof of domain ownership. Email providers that may be affected by fraudulent acquisition of SSL certificates by email are not listed here.


Actalis

Updated:  March 26, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

CERTUM

Updated:  March 26, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

COMODO Security Solutions, Inc.

Updated:  March 26, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

ComSign

Updated:  March 26, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

GeoTrust

Updated:  March 27, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

GlobalSign

Updated:  March 26, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

GoDaddy

Updated:  March 26, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

OATI

Updated:  March 26, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

QuoVadis

Updated:  March 26, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

RapidSSL

Updated:  March 26, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

StartCom Ltd.

Updated:  March 26, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

SwissSign AG

Updated:  March 26, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Thawte

Updated:  March 26, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Trustwave

Updated:  March 26, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

WoSign CA Limited

Updated:  March 26, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

e-tugra

Updated:  March 26, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

AS Sertifitseerimiskeskus

Updated:  March 31, 2015

Statement Date:   March 31, 2015

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We check the existence of the applicant and ownership of the domain ourselves
from publicly available registries and in addition request signed application
from an authorised representative of the applicant. The issuance always
involves human interaction at our side. We do not have resellers for TLS
certificates.

Vendor References

CA Disig a.s.

Updated:  April 01, 2015

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

If you read our CPS completely, you will find that there is no possibility
to issue SSL/TLS certificate without face to face meeting with applicant
(domain owner) or person who is authorized (via power of attorney) by the
domain owner (CPS CA Disig version 4.7 article 4.1.2.1 last bullet). There is
also domain owner validation in place (CPS CA Disig version 4.7 article
4.1.2.2. and article 3.1.9).

Vendor References

Cybertrust Japan

Updated:  April 07, 2015

Statement Date:   April 07, 2015

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

DigiCert

Updated:  April 01, 2015

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

DigiCert does not issue domain-only validated certificates. Instead, we believe the extra checks required by both OV and EV provide the extra assurances necessary to confirm issuance authorization. That's why DigiCert only issues OV and EV certificates. The out-of-bands communication required with these two levels of assurance assures that the organization controlling the domain actually authorized the issuance and prevents hijacked email addresses. In all cases, DigiCert validates the identity of a third party, that the identity has control over the domain, and that the issuance was authorized.

Entrust

Updated:  March 30, 2015

Statement Date:   March 30, 2015

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

When validating control or right to use a domain, we do not provide a list of
emails to the applicant.

In all cases, we validate the following:

·         Identity name with a third party
·         Identity has ownership or control of the domain
·         Authorization to issue the domain where contact with the applicant is
done with a communication method which has been confirmed by a third party

Vendor References

IdenTrust

Updated:  April 01, 2015

Statement Date:   April 01, 2015

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

If you read our CPS, located at:
https://secure.identrust.com/certificates/policy/ts/identrust_trustid_cps_v2.3_20140109.pdf,
you will find that Section 3.2 defines what we currently do. In a nutshell:

 

·         Verification of the Organization based on sections 3.2.2 and 3.2.2.1;

·         Verification of the PKI Sponsor’s Organization Affiliation based on
section 3.2.2.2;

·         Verification of a Certificate request based on section 3.2.6;

·         Authentication of a Device identity based on section 3.2.7;

·         Verification against high risk and denied request lists based on
section 3.2.7.1;

·         Verification of the authorization by Domain Name Registrant based on
section 3.2.7.2

·         Verification of DBA/Tradename based on section 3.2.7.3;

·         Verification of country code based on section 3.2.7.4;

·         Verification of control over entire namespace delimited by the FQDN
of Wildcard Certificate on section 3.2.7.6; and

·         Verification of email based on section 3.2.5**

 

Our process is multi-layered and the resulting certificate is the reflection of
passing all the steps.  In the particular topic of domain ownership, IdenTrust
verifies the ownership by introducing the verification by an IdenTrust employee
of information provided based on WHOis records.  In exceptional cases,
IdenTrust request practical demonstration of the control over the Domain Name.

JIPDEC

Updated:  March 30, 2015

Statement Date:   March 31, 2015

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Microsoft Corporation

Updated:  March 30, 2015

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SECOM Trust Systems Co. Ltd.

Updated:  April 01, 2015

Statement Date:   April 01, 2015

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We, SecomTrust Systems, do not issue DV certificates.

We authenticate not only the owner of the domain but also the existence of the
organization.

Taiwan-CA

Updated:  April 02, 2015

Statement Date:   April 02, 2015

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Trend Micro

Updated:  April 07, 2015

Statement Date:   April 04, 2015

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Please note that we believe that the Trend Micro SSL product is not susceptible
to this supposed vulnerability. We do not provide or support Domain Validated
(DV) certificates from our product. We do leverage the domain based validation
methodology for the management of domains within customer accounts but
customers must have already passed either Organization Validation (OV) or
Extended Validation (EV) vetting before they can use their accounts. Both OV
and EV vetting require the manual validation of a customer’s  corporate
information and account administrator. In addition, Trend Micro only uses the
specific email addresses allowed by the CA-Browser Forum Baseline Requirements
Section 11.1.1 for confirmation of control of domains, which is the same method
used by all other Certification Authorities and browsers worldwide.  All our
customers must also have a subscription account requiring an extended
relationship with us removing the possibility of any ‘drive by’ transactional
certificate issuances.

Vendor References

A-Trust

Updated:  March 27, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

ACCV

Updated:  March 27, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

AGESIC

Updated:  March 26, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ANCERT

Updated:  March 26, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ANSSI

Updated:  March 26, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

AOL

Updated:  March 26, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ARGE Daten

Updated:  March 26, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

AffirmTrust

Updated:  March 26, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Apple

Updated:  March 26, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Athens Exchange

Updated:  March 26, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Atos

Updated:  March 25, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Autoridad de Certificacion Firmaprofesional

Updated:  March 26, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Baltimore CyberTrust

Updated:  March 26, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Buypass

Updated:  March 25, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CATCert

Updated:  March 25, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CNNIC

Updated:  March 25, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Camerfirma

Updated:  March 25, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Certicamara S.A.

Updated:  March 26, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CertifyID

Updated:  March 26, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Certigna

Updated:  March 25, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Certinomis

Updated:  March 25, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Certipost

Updated:  March 26, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Certplus

Updated:  March 26, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

China Financial

Updated:  March 26, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Chunghwa Telecom

Updated:  March 26, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Cisco

Updated:  March 26, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Colegio de Registradores

Updated:  March 26, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

D-TRUST

Updated:  March 25, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

DATEV eG

Updated:  March 26, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Deutsche Telekom

Updated:  March 26, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Dhimyotis

Updated:  March 26, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Digidentity

Updated:  March 26, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

E-Certchile

Updated:  March 26, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

EDICOM

Updated:  March 25, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

EMC Corporation

Updated:  March 26, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Echoworx

Updated:  March 26, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Equifax

Updated:  March 26, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

FNMT

Updated:  March 26, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Facebook

Notified:  March 31, 2015 Updated:  March 31, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

    GRCA

    Updated:  March 25, 2015

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    GTE Corporation

    Updated:  March 26, 2015

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Government of Japan, Ministry of Internal Affairs and Communications

    Updated:  March 26, 2015

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    HALCOM d.d.

    Updated:  March 26, 2015

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    HARICA

    Updated:  March 26, 2015

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Vendor References

    Hongkong Post

    Updated:  March 25, 2015

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    I.CA Prvni certifikani autorita a.s.

    Updated:  March 26, 2015

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Image-X Enterprises

    Updated:  March 26, 2015

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    InfoNotary

    Updated:  March 26, 2015

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Izenpe S.A.

    Updated:  March 25, 2015

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    JCSI

    Updated:  March 26, 2015

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    KISA

    Updated:  March 26, 2015

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    KMD

    Updated:  March 26, 2015

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Keynectis

    Updated:  March 26, 2015

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    LAWtrust

    Updated:  March 26, 2015

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    LGPKI

    Updated:  March 26, 2015

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    LuxTrust

    Updated:  March 26, 2015

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Microsec Ltd.

    Updated:  March 26, 2015

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Mozilla

    Notified:  March 27, 2015

    Updated:  March 27, 2015

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

      NLB Group

      Updated:  March 26, 2015

      Status

        Unknown

      Vendor Statement

      No statement is currently available from the vendor regarding this vulnerability.

      Vendor Information

      We are not aware of further vendor information regarding this vulnerability.

      Natixis

      Updated:  March 26, 2015

      Status

        Unknown

      Vendor Statement

      No statement is currently available from the vendor regarding this vulnerability.

      Vendor Information

      We are not aware of further vendor information regarding this vulnerability.

      NetLock Ltd.

      Updated:  March 26, 2015

      Status

        Unknown

      Vendor Statement

      No statement is currently available from the vendor regarding this vulnerability.

      Vendor Information

      We are not aware of further vendor information regarding this vulnerability.

      Netrust

      Updated:  March 26, 2015

      Status

        Unknown

      Vendor Statement

      No statement is currently available from the vendor regarding this vulnerability.

      Vendor Information

      We are not aware of further vendor information regarding this vulnerability.

      Network Solutions, Inc.

      Updated:  March 26, 2015

      Status

        Unknown

      Vendor Statement

      No statement is currently available from the vendor regarding this vulnerability.

      Vendor Information

      We are not aware of further vendor information regarding this vulnerability.

      OpenTrust

      Updated:  March 26, 2015

      Status

        Unknown

      Vendor Statement

      No statement is currently available from the vendor regarding this vulnerability.

      Vendor Information

      We are not aware of further vendor information regarding this vulnerability.

      Opera

      Notified:  March 27, 2015

      Updated:  March 27, 2015

      Status

        Unknown

      Vendor Statement

      No statement is currently available from the vendor regarding this vulnerability.

        Orange Polska

        Updated:  March 26, 2015

        Status

          Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor Information

        We are not aware of further vendor information regarding this vulnerability.

        PKIoverheid

        Updated:  March 26, 2015

        Status

          Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor Information

        We are not aware of further vendor information regarding this vulnerability.

        PROCERT

        Updated:  March 26, 2015

        Status

          Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor Information

        We are not aware of further vendor information regarding this vulnerability.

        Personal ID LTD

        Updated:  March 26, 2015

        Status

          Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor Information

        We are not aware of further vendor information regarding this vulnerability.

        Post.Trust

        Updated:  March 26, 2015

        Status

          Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor Information

        We are not aware of further vendor information regarding this vulnerability.

        PostSignum

        Updated:  March 26, 2015

        Status

          Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor Information

        We are not aware of further vendor information regarding this vulnerability.

        RedAbogacia

        Updated:  March 26, 2015

        Status

          Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor Information

        We are not aware of further vendor information regarding this vulnerability.

        S-TRUST

        Updated:  March 26, 2015

        Status

          Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor Information

        We are not aware of further vendor information regarding this vulnerability.

        SG Trust Services

        Updated:  March 26, 2015

        Status

          Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor Information

        We are not aware of further vendor information regarding this vulnerability.

        SHECA

        Updated:  March 26, 2015

        Status

          Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor Information

        We are not aware of further vendor information regarding this vulnerability.

        SSC

        Updated:  March 26, 2015

        Status

          Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor Information

        We are not aware of further vendor information regarding this vulnerability.

        Serasa

        Updated:  March 26, 2015

        Status

          Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor Information

        We are not aware of further vendor information regarding this vulnerability.

        Sistema Nacional de Certificacion Electronica

        Updated:  March 26, 2015

        Status

          Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor Information

        We are not aware of further vendor information regarding this vulnerability.

        Sonera

        Updated:  March 26, 2015

        Status

          Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor Information

        We are not aware of further vendor information regarding this vulnerability.

        Staat der Nederlanden

        Updated:  March 26, 2015

        Status

          Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor Information

        We are not aware of further vendor information regarding this vulnerability.

        Starfield Technologies

        Updated:  March 26, 2015

        Status

          Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor Information

        We are not aware of further vendor information regarding this vulnerability.

        Swisscom

        Updated:  March 26, 2015

        Status

          Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor Information

        We are not aware of further vendor information regarding this vulnerability.

        Symantec

        Updated:  March 25, 2015

        Status

          Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor Information

        We are not aware of further vendor information regarding this vulnerability.

        T-Systems International GmbH

        Updated:  March 25, 2015

        Status

          Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor Information

        We are not aware of further vendor information regarding this vulnerability.

        TDC OCES

        Updated:  March 26, 2015

        Status

          Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor Information

        We are not aware of further vendor information regarding this vulnerability.

        TMCA

        Updated:  March 26, 2015

        Status

          Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor Information

        We are not aware of further vendor information regarding this vulnerability.

        TeliaSonera

        Updated:  March 26, 2015

        Status

          Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor Information

        We are not aware of further vendor information regarding this vulnerability.

        Trustis Limited

        Updated:  March 26, 2015

        Status

          Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor Information

        We are not aware of further vendor information regarding this vulnerability.

        TurkTrust

        Updated:  March 26, 2015

        Status

          Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor Information

        We are not aware of further vendor information regarding this vulnerability.

        Unizeto Certum

        Updated:  March 26, 2015

        Status

          Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor Information

        We are not aware of further vendor information regarding this vulnerability.

        VAS

        Updated:  March 26, 2015

        Status

          Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor Information

        We are not aware of further vendor information regarding this vulnerability.

        Verisign

        Updated:  March 26, 2015

        Status

          Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor Information

        We are not aware of further vendor information regarding this vulnerability.

        Verizon

        Updated:  March 25, 2015

        Status

          Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor Information

        We are not aware of further vendor information regarding this vulnerability.

        Visa

        Updated:  March 26, 2015

        Status

          Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor Information

        We are not aware of further vendor information regarding this vulnerability.

        Web.com

        Updated:  March 26, 2015

        Status

          Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor Information

        We are not aware of further vendor information regarding this vulnerability.

        Wells Fargo Bank

        Updated:  March 26, 2015

        Status

          Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor Information

        We are not aware of further vendor information regarding this vulnerability.

        certSIGN

        Updated:  March 25, 2015

        Status

          Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor Information

        We are not aware of further vendor information regarding this vulnerability.

        e-Guven Elektronik Bilgi Guvenligi A.S.

        Updated:  March 25, 2015

        Status

          Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor Information

        We are not aware of further vendor information regarding this vulnerability.

        ipsCA

        Updated:  March 26, 2015

        Status

          Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor Information

        We are not aware of further vendor information regarding this vulnerability.

        CVSS Metrics

        Group          Score  Vector
        Base           6.4    AV:A/AC:M/Au:N/C:C/I:P/A:N
        Temporal       6.4    E:H/RL:U/RC:C
        Environmental  6.4    CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

        Acknowledgements

        This document was written by Will Dormann.

        Other Information

        CVE IDs: None
        Date Public: 2008-12-31
        Date First Published: 2015-03-27
        Date Last Updated: 2015-04-07 13:59 UTC
        Document Revision: 99

        Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.