For a two hour window yesterday we saw "ocsp.entrust.net" resolving to a CNAME of "ocsp.entrust.net.edgagekey.net" rather than the usual "ocsp.entrust.net.edgekey.net". Did anyone else see this? Fortunately "edgagekey.net" is not a registered domain, so these didn't go anywhere. The affected devices were Apple devices attempting to validate various hosts under "push.apple.com". Since Entrust is a certificate authority for Apple, and Apple doesn't appear to have a CAA record, could an attacker have noticed what I presume is a misconfiguration by Entrust or Akamai, registered the edgagekey.net domain, and with some DNS poisoning have delivered signed but fraudulent Apple content? In general, if a CA is delivering OCSP certificate status through a CDN, does that mean they are storing at least an intermediate private key on CDN servers?
jauntysankey 7 Posts
Jun 10th 2019
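The kind of check that would have caught this (an OCSP responder name whose CNAME chain ends at a name with no address) can be scripted. This is an added example, not code from the post or from Entrust/Akamai; it uses an injectable lookup with constructed records so it runs offline, and the "ocsp-good.example" name is a made-up control case. Whether the dangling target's registrable domain is actually unregistered (and so could be claimed) is a separate RDAP/WHOIS question the script does not answer.

```python
"""Follow a CNAME chain and flag a dangling responder name (added example)."""
from typing import Callable, Dict, List, Tuple

Lookup = Callable[[str, str], List[str]]

# Constructed records modelling the event described in the post: the responder
# name points at a typo of the CDN domain, which resolves nowhere.
CONSTRUCTED_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("ocsp.entrust.net.", "CNAME"): ["ocsp.entrust.net.edgagekey.net."],
    # Control case (made up): a chain that ends at a real address.
    ("ocsp-good.example.", "CNAME"): ["ocsp-good.example.edgekey.net."],
    ("ocsp-good.example.edgekey.net.", "A"): ["192.0.2.10"],
}


def constructed_lookup(name: str, rtype: str) -> List[str]:
    """Offline stand-in for a DNS query; [] plays the role of NXDOMAIN/NODATA.
    For live use, replace with a dnspython-style resolver call."""
    return CONSTRUCTED_ZONE.get((name, rtype), [])


def follow_cname_chain(name: str, lookup: Lookup, max_hops: int = 8):
    """Return (chain, addresses) for name.

    chain lists every owner name visited, starting with the input; addresses are
    the A/AAAA records of the final name. A chain longer than one entry with no
    addresses means the last CNAME target does not resolve: clients get no OCSP
    answer, and control of the name rests with whoever can register the target.
    """
    chain = [name if name.endswith(".") else name + "."]
    seen = set(chain)
    for _ in range(max_hops):
        targets = lookup(chain[-1], "CNAME")
        if not targets:
            break
        target = targets[0]
        if target in seen:
            raise ValueError(f"CNAME loop at {target}")
        seen.add(target)
        chain.append(target)
    addrs = lookup(chain[-1], "A") + lookup(chain[-1], "AAAA")
    return chain, addrs


def is_dangling(name: str, lookup: Lookup = constructed_lookup) -> bool:
    """True when name is aliased (via one or more CNAMEs) to a target with no address."""
    chain, addrs = follow_cname_chain(name, lookup)
    return len(chain) > 1 and not addrs
```

Run this periodically against the OCSP and CRL URLs pulled from your own certificate chain (the AIA extension) and alert on any True result, since an OCSP outage on the responder name is usually the first visible symptom.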