Hi,

Yesterday was the 10y anniversary of the Debian OpenSSL random number generator bug.

A few days ago I did a re-check of the CT logs for vulnerable keys. I found one unexpired, unrevoked certificate issued by a CA called "QuoVadis". I reported it and it's been revoked. They told me they'll check their systems to see why this certificate issuance wasn't blocked.
https://crt.sh/?id=308235142

I also found an unrevoked Wosign cert that I had already reported last year. The abuse contact of wosign bounces mails.

(My check was semi-thorough, I didn't have access to all the possible key combinations that could be generated with the Debian bug. There may be more certs in the logs.)

--
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42