Bug 1961406 (opened 19 hours ago, updated 3 hours ago): https://bugzilla.mozilla.org/show_bug.cgi?id=1961406
Cert revoked: https://crt.sh/?id=17926238129&opt=ocsp
Thanks to Erik at security.nl: https://www.security.nl/posting/884827/Domain Validation en OCSP
The Preliminary Incident Report is published. See the above-mentioned Bugzilla thread for the summary: https://bugzilla.mozilla.org/show_bug.cgi?id=1961406
See the postings by Rebecca. Read more there for the details!!!
Further down in that thread, the other 10 certificates (that were mis-issued and have now been revoked) were given.
=== One more quote:
Article in Dutch at security.nl: SSL.com verstrekte door bug tls-certificaat clouddienst Alibaba aan onderzoeker https://www.security.nl/posting/885...rtificaat clouddienst Alibaba aan onderzoeker
Another link to an English article about the issue: https://www.theregister.com/2025/04/22/ssl_com_validation_flaw/
The Full Incident Report has not yet been published. At least I don't see it mentioned yet in that Bugzilla thread. But, of course, it is not yet 02 May 2025. I do trust that Rebecca will post there. I'm only posting because she posted there "SSL.com will post our Full Incident Report on or before 2025-05-02." So, we have to be patient.
Full Incident Report posted by Rebecca about two hours ago in the Bugzilla thread: https://bugzilla.mozilla.org/show_bug.cgi?id=1961406
Long post by Rebecca, with details, a timeline and also details of the certs that were involved. Too much to quote, but in particular the part "Relevant policies" and the part "Root Cause Analysis" are important! Read more there.