On 2018-03-02 15:24, Todd Johnson wrote:
> Did *anyone* capture this information in a way that can be proven?
>
> While I personally would not trust any content from either hostname, the
> Twitter post referenced earlier is not sufficient proof of key compromise.

Unfortunately, the server quickly went down after the vulnerability was publicly posted (as you might expect when throwing a root shell to Twitter), and now that it is back up the vulnerable endpoints return 404. I'm not sure if anyone managed to capture further proof of the extent of the breach. That Twitter thread is pretty damning, though, even if it may not qualify as proof of key compromise.

I think the more interesting question here will be Trustico's response, if any. Will they report the potential key compromise to Comodo and request a revocation and reissuance? Or will they just pretend the Twitterverse didn't have root on the server almost certainly holding their private key for a while? Will they be transparent about their storage of customer private keys, and exactly how it was implemented and whether this compromise could've further compromised those keys? And what does Comodo think of all of this?

-- 
Hector Martin "marcan" (mar...@marcan.st)
Public Key: https://mrcn.st/pub
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy