Hello, On Wed, Jan 10, 2018 at 4:15 PM, Kurt Roeckx via dev-security-policy < [email protected]> wrote:
> On Wed, Jan 10, 2018 at 01:33:20AM -0800, josh--- via dev-security-policy > wrote: > > * Users have the ability to upload certificates for arbitrary names > without proving domain control. > > So a user can always take over the domain of an other user on > those providers just by installing a (self-signed) certificate? > I guess it works easiest if the other just doesn't have SSL. > If SSL is off, hosting may not include SSL-related directives in the config of webserver at the machine at all. -- SY, Dmitry Belyavsky _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
