The article also claims that bad actors are selling EV SSL certificates that they obtain for real companies without their knowledge:
"to guarantee the issuance and lifespan of the products, all certificates are registered using the information of real corporations. With a high degree of confidence, we believe that the legitimate business owners are unaware that their data was used in the illicit activities. It is important to note that all certificates are created for each buyer individually with the average delivery time of two to four days." Wayne On Mon, Feb 26, 2018 at 2:27 AM, Kurt Roeckx via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > I just came across this: > > https://www.recordedfuture.com/code-signing-certificates/ > > I think the most important part of it is: "we confirmed with a high degree > of certainty that the certificates are created for a specific buyer per > request only and are registered using stolen corporate identities" > > > Kurt > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
