Telekom Security: Revocation delay for TLS certificates

terom · 2024-07-19T16:12:47 1721405567

The title seems incorrect, per Comment#10 https://bugzilla.mozilla.org/show_bug.cgi?id=1877388#c10 all missued certificates were eventually revoked

> 2024-01-22 > 08:25 The error message “ERROR: basicConstraints MAY appear in the certificate, and when it is included MUST be marked as critical “ in crt.sh was found in our weekly checks

> 2024-02-05 > 13:00 Videoconference with the management of the Trust Center with the decision, to revoke all certificates that have not yet been revoked the next day > 13:25 Information to customers about the final revocation of all certificates the next day

> 2024-06-02 > 15:41 All affected certificates are replaced and revoked.

Given the comment was posted 2024-02-09, the last date is probably a typo of 2024-02-06, aka within 16 days.

MaKey · 2024-07-19T18:31:36 1721413896

Thanks, you are correct. I missed that part in between the discussion. Unfortunately I can't change the title anymore.

@dang can you change it to "Deutsche Telekom issued invalid certificates, is unwilling to improve processes"?

dang · 2024-07-19T20:03:39 1721419419

It's probably best to follow the HN guidelines (https://news.ycombinator.com/newsguidelines.html) and use the original title. I've done that now. (The submitted title, for those who like to keep track, was "Deutsche Telekom issued invalid certificates, hasn't revoked them since 6 months".)

It's certainly fine to share what you think is important about an article, but the best way to do that is by adding a comment to the thread.

MaKey · 2024-07-19T21:00:19 1721422819

I agree wholeheartedly. Thanks a lot!

PreInternet01 · 2024-07-19T16:10:13 1721405413

Oh, well, having DTAG removed from the Firefox and Chrome/Windows root stores would be... oddly satisfying?

I know that in the US, ISP-wise, mostly Comcast has a bad reputation, but in the EU and from a business perspective, Deutsche Telekom is also not, eh, universally liked...

Sinescape · 2024-07-19T17:21:14 1721409674

Having read through the entire thread twice now, I cannot shake the impression that Telekom is persistently trying to avoid implementing any meaningful mitigation procedures themselves. Across the entire thread they communicate under the assumption that

- they didn't make any mistake in delaying the revocation,

- they should be able (given enough insistence from their customers) to do so again at their own discretion in the future, and

- their inadequate handling of the incident and their apparent laissez-faire approach to the requirements for a CA should be accepted and deemed satisfactory by everyone else.

asimops · 2024-07-22T20:02:33 1721678553

Welcome to german quasi-government-agencies.

atoav · 2024-07-19T16:27:24 1721406444

Read through the whole communication and have to say the Deutsche Telekom really failed to communicate clearly here. Most people who have ever worked in IT will fuck up some cert during some point in their career — but you have to not do that when you are expecting to earn that level of trust. And when you do fuck up, it really matters how decidedly and clearly you deal with that.

So first they don't produce any explaination, then they are on summer vacation? Truly WTF? If anything Deutsche Telekom has demonstrated that they are not deserving of the trust given.

Arnt · 2024-07-19T15:50:18 1721404218

What, didn't they revoke the rest later the same week?

MaKey · 2024-07-19T18:34:09 1721414049

Yes, it seems like they revoked the rest on 2024-02-06. I missed that. However, they seem to be absolutely unwilling to improve their processes.

Avamander · 2024-07-20T11:46:53 1721476013

Then they must be removed.

It's also one of the reasons why I find it so annoying that I can't disable CAs in iOS and Android trust stores manually.

ysleepy · 2024-07-20T14:25:03 1721485503

It appears disabling trust roots is possible on my samsung Android at least.

Arnt · 2024-07-20T17:04:57 1721495097

So assume they're removed.

As it happens, one of the unwilling customers is the police force where I live. I can tell you what the police would have answered: "We're supposed to take down the police servers outside our normal schedule for a problem that does not affect us? Are you serious?" How do you suggest that the next CA should answer?

asimops · 2024-07-22T20:06:53 1721678813

Easy answer. If you are not comfortable with the basic requirements that each and every CA in the PKI is required to follow, you should host your own PKI and manage trust yourself as well.

Avamander · 2024-07-20T19:09:24 1721502564

> As it happens, one of the unwilling customers is the police force where I live. I can tell you what the police would have answered: "We're supposed to take down the police servers outside our normal schedule for a problem that does not affect us? Are you serious?" How do you suggest that the next CA should answer?

Should have picked a CA that can follow fundamental rules that apply to every CA that wishes to be trusted, shouldn't have fucked around and found out,