Really?  You were doing manual testing that quickly?  Using the kind of
randomized challenging normally associated with automated testing?

On 17/01/2017 04:48, Wayne Thayer wrote:
Back in 2010 all of our testing was manual. We've been investing in automated 
testing over the last three years. Now we are focusing that effort on the new 
Ballot 169 methods with a heightened awareness of false positives like this 
one, and detection of potential vulnerabilities.

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-
bounces+wthayer=godaddy....@lists.mozilla.org] On Behalf Of Gervase
Markham
Sent: Monday, January 16, 2017 3:49 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: GoDaddy verification issue history appears incomplete: possible
regression of bug in 2010

On 13/01/17 17:10, Fred Emmott wrote:
In January 2010, I reported two issues to GoDaddy, with an example
certificate that should have been rejected:
- their website-based authentication required a request to a URL including
  a random string to include the same random string.

Reading through your bug report, it does seem like the problem you
encountered was very similar to that recently reported. Perhaps Wayne
would care to comment?

While there are no audits for the QA process of a CA, domain validation is the
/sine qua non/ of certificate issuance and I would hope and expect all CAs to
have robust testing processes surrounding any changes to this part of their
issuance infrastructure, both testing that certificates are issued for domains
they should be, and that they are not issued for domains that they should
not be, under an adversarial threat model.
Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
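The failure mode the thread describes (the random string sits in the requested URL, and the check only asks whether the same string appears somewhere in the response) is easy to reproduce in a small adversarial test set, which is the kind of automated testing Gerv asks for. The example below is added here and is not code from the thread, from GoDaddy, or from any CA; the `/.well-known/pki-validation/` path layout, the `simulate_fetch` stand-in for a real HTTP fetch, and the echoing 404 page are all constructed assumptions. It shows a flawed challenge design next to a hardened one (independent random values for the path and the expected body, plus an exact-match, status-aware check) and runs both against three constructed scenarios: a site the applicant controls, a site that publishes nothing, and a site that publishes the wrong value.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass

# Assumed path layout for the example; not taken from any CA's real implementation.
PREFIX = "/.well-known/pki-validation/"


@dataclass(frozen=True)
class Challenge:
    path: str      # URL path the CA will request on the applicant's site
    expected: str  # value the applicant must publish at that path


@dataclass(frozen=True)
class HttpResponse:
    status: int
    body: str


def flawed_challenge(rng: str) -> Challenge:
    # Flawed design: the same random string is both the URL component and
    # the value searched for in the body.
    return Challenge(PREFIX + rng + ".txt", rng)


def hardened_challenge(rng_path: str, rng_body: str) -> Challenge:
    # Hardened design: independent random values, so a server that echoes
    # the requested URL cannot reproduce the expected body.
    return Challenge(PREFIX + rng_path + ".txt", rng_body)


def fresh_hardened_challenge() -> Challenge:
    # Helper for real use: fresh, unpredictable values for every validation.
    return hardened_challenge(secrets.token_hex(8), secrets.token_urlsafe(24))


def flawed_check(ch: Challenge, resp: HttpResponse) -> bool:
    # Substring match anywhere in the body, ignoring the HTTP status.
    return ch.expected in resp.body


def hardened_check(ch: Challenge, resp: HttpResponse) -> bool:
    # Require a successful response whose body is exactly the expected value.
    return resp.status == 200 and resp.body.strip() == ch.expected


def simulate_fetch(site: dict[str, str], path: str) -> HttpResponse:
    """Constructed stand-in for an HTTP GET: `site` maps paths to published bodies.
    Unknown paths get a generic 404 page that echoes the requested path, which
    many web servers and frameworks do by default."""
    if path in site:
        return HttpResponse(200, site[path])
    return HttpResponse(404, f"<h1>404 Not Found</h1><p>{path} was not found on this server.</p>")


def run_suite() -> dict[str, dict[str, bool]]:
    """Run both designs against three constructed scenarios.
    True means 'domain validated'; only the 'controlled' scenario should ever be True."""
    designs = (
        ("flawed", flawed_challenge("c0ffee1234"), flawed_check),
        ("hardened", hardened_challenge("a1b2c3", "s3cr3t-body-value"), hardened_check),
    )
    results: dict[str, dict[str, bool]] = {}
    for name, ch, check in designs:
        scenarios = {
            "controlled": {ch.path: ch.expected + "\n"},   # applicant published the value
            "uncontrolled_echo": {},                        # nothing published; only an echoing 404
            "wrong_value": {ch.path: "some other content"}, # file exists but holds the wrong value
        }
        results[name] = {
            scenario: check(ch, simulate_fetch(site, ch.path))
            for scenario, site in scenarios.items()
        }
    return results


if __name__ == "__main__":
    for design, outcome in run_suite().items():
        print(design, outcome)
```

Running it shows the flawed design validating the `uncontrolled_echo` scenario, which is the false positive the thread is about; the hardened design validates only the controlled site. A suite like this, with the expected outcome of every scenario pinned down, is the sort of regression test that would have caught the 2010 issue resurfacing.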
