Before: Arbitrator EvaStöwe (A), Respondent: CAcert (R), Claimant: Stephen Z (C), Case: a20160616.1

History Log

Private Part

EOT Private Part

Original Dispute

Discovery

original situation

The dispute was a reply to a mail which the CAcert system sends to the primary email address of an account when a certificate for that account is created.

The claimant mentioned that

As this was a reply to a certificate-creation mail, it seems that a certificate was created in the account of the claimant at a time when he did not expect this.

There were three aspects to cover:

  1. Whether there was an attack on an account and, if so, whether it concerned only this account or was a general attack on CAcert
  2. Clarify if the certificate-creation mail is genuine
  3. Identify the account and the owner of the account
  4. Decide about access to account (after clarification of ownership)
  5. Decide about revocation of certificate
  6. Decide about closure of account

results of research

With the help of support the following was established:

  1. The claimant was sending from the primary email address of the account
  2. The domain for the certificate is a sub-domain from that account
  3. The certificate number presented in the certificate-creation mail links to the account of the user
  4. The certificate from the certificate-creation mail seems to be listed in the account
  5. No recent changes or other activity were visible in the account; this includes password resets and certificate creation

Additionally, the claimant had managed to gain access to the account via the 5 questions for password/account recovery, and the password was changed afterwards.

The claimant also expressed that he was happy to have access to the account restored. The claimant no longer seems to want to close the account. (Not verified.)

With the help of the critical team the following was established:

  1. the certificate seems to be genuine and is one of those listed in the account
  2. at some time after creation, the account was accessed via the correct password and
    1. account entries were added or changed including the password
    2. a certificate was issued
  3. after the certificate had expired, the account was accessed again with the correct password and the certificate was renewed

The claimant contacted support because of the automated mail sent by this renewal of the certificate, as he was not able to access the account because of the changed password.

Further it was established: after the claimant regained access, he was able to clean up the account.

The claimant also revoked the certificate in question.

answers to original questions

  1. Whether there was an attack on an account and, if so, whether it concerned only this account or was a general attack on CAcert
    • It seems that someone who is not the claimant gained access to the account via the correct password.
    • There was no indication for a general attack on CAcert.
  2. Clarify if the certificate-creation mail is genuine
    • It was genuine.
  3. Identify the account and the owner of the account
    • The claimant seems to be the owner of the account, as he was sending from the primary email address of that account and also stated that he had gained access to the account via the secret questions. (Not further verified)
  4. Decide about access to account (after clarification of ownership)
    • Obsolete, as the claimant (owner) managed to recover access to the account and also changed the password to prevent the attacker from accessing the account.
  5. Decide about revocation of certificate
    • Obsolete, as this was done by the claimant.
  6. Decide about closure of account
    • Obsolete, as the claimant now seems to want to keep the account.

Ruling

I hereby come to the following ruling:
Someone was able to access the account of the claimant via the correct password and afterwards changed the password and issued the certificate in question.

There was no indication for a general attack on CAcert.

The claimant was able to regain access to the account by identifying himself as owner of the account via the 5 questions. Afterwards he corrected incorrect entries, changed the password and revoked the certificate.

Therefore no further activities regarding the account are necessary.

As the last mail from the claimant indicated that he wants to keep the account, no steps for closing the account will be taken, as this does not seem to be necessary.

If the claimant wants to have the account closed, he should address CAcert support with a corresponding request again. Nothing in this case would block a closure, so support could close the account with the normal processes, if this is the wish of the claimant.

Execution

Similar Cases

a20120324.1

Valid certificate revoked?


Arbitrations/a20160616.1 (last edited 2016-06-18 20:00:18 by PietStarreveld)