> On Jun 20, 2017, at 10:36, mfisch--- via dev-security-policy 
> <dev-security-policy@lists.mozilla.org> wrote:
> 
> On Monday, June 19, 2017 at 7:37:23 PM UTC-4, Matt Palmer wrote:
>> On Sun, Jun 18, 2017 at 08:17:07AM -0700, troy.fridley--- via 
>> dev-security-policy wrote:
>>> If you should find such an issue again in a Cisco owned domain, please
>>> report it to ps...@cisco.com and we will ensure that prompt and proper
>>> actions are taken.
>> 
>> I don't know, this way seems to have worked Just Fine.
>> 
>> - Matt
> 
> Does no-one else find the lack of responsible disclosure in this thread 
> distressing?
> 
> Yes, the cert was revoked, and for all you know during the race that was this 
> public disclosure there could have been compromise. There are APT actors 
> watching this thread right now looking for opportunities.

The disclosure looks responsible to me.

The domain resolves to 127.0.0.1, which means that the private key can only be 
effectively leveraged by a privileged attacker that can forge DNS responses. An 
attacker that can do this can almost certainly also block online OCSP/CRL 
checks, preventing the revocation from being seen by clients. In general, 
revocation will not have any meaningful impact against misuse unless the 
certificate is included in OneCRL/CRLSets (for Firefox/Chrome).

Jonathan
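The reasoning above (a name that resolves only to loopback can be impersonated only by an attacker who also forges DNS, and such an attacker can typically block the OCSP/CRL fetches that revocation relies on) can be turned into a small triage helper. The following is an added example, not code from anyone in this thread; the function names, the "loopback-only"/"non-routable-only"/"public" labels, and the sample addresses are my own constructions.

```python
"""Triage helper for a leaked certificate private key.

Added example, not code from the thread. It applies the reasoning in the
reply above: if the certified name resolves only to loopback or otherwise
non-routable addresses, misuse of the key requires DNS forgery, and an
attacker with that capability can usually also block OCSP/CRL lookups, so
revocation has little effect until the certificate is pushed to clients via
OneCRL (Firefox) or CRLSets (Chrome).
"""
import ipaddress
import socket


def classify_addresses(addresses):
    """Classify a list of resolved IP address strings.

    Returns one of:
      "unresolved"        empty list
      "loopback-only"     every address is loopback (127/8 or ::1)
      "non-routable-only" every address is loopback, private, link-local
                          or unspecified (Python's ipaddress predicates)
      "public"            at least one address outside those ranges
    """
    if not addresses:
        return "unresolved"
    parsed = [ipaddress.ip_address(a) for a in addresses]
    if all(ip.is_loopback for ip in parsed):
        return "loopback-only"
    if all(ip.is_loopback or ip.is_private or ip.is_link_local
           or ip.is_unspecified for ip in parsed):
        return "non-routable-only"
    return "public"


def exposure_summary(addresses, in_onecrl_or_crlsets=False):
    """Combine the resolution class with how the revocation is distributed.

    in_onecrl_or_crlsets is a hypothetical flag the caller sets after
    checking the browser revocation lists themselves; this helper does not
    query them.
    """
    resolution = classify_addresses(addresses)
    if resolution in ("loopback-only", "non-routable-only"):
        attacker = ("requires forging DNS answers; such an attacker can "
                    "likely also block online OCSP/CRL checks")
    elif resolution == "public":
        attacker = "any on-path attacker against live traffic to the host"
    else:
        attacker = "name does not resolve; impersonation needs DNS control"
    if in_onecrl_or_crlsets:
        revocation = "pushed to Firefox/Chrome via OneCRL/CRLSets"
    else:
        revocation = "online OCSP/CRL only (most clients soft-fail)"
    return {"resolution": resolution,
            "attacker_needed": attacker,
            "revocation": revocation}


def resolve(hostname):
    """Live lookup (needs network); returns deduplicated IP strings."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    # Constructed samples: the thread states the name resolves to 127.0.0.1;
    # 8.8.8.8 stands in for an ordinary public address.
    print(exposure_summary(["127.0.0.1"]))
    print(exposure_summary(["127.0.0.1"], in_onecrl_or_crlsets=True))
    print(exposure_summary(["8.8.8.8"]))
```

`resolve()` is the only part that touches the network; everything else runs on address lists you already have, so the same logic can be fed from DNS logs or from a passive DNS export when reviewing a reported key leak.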
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy