I'd like to call this presentation to everyone's attention:

Title: Lost and Found Certificates: dealing with residual certificates for
pre-owned domains

Slide deck:
https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/DEFCON-26-Foster-and-Ayrey-Lost-and-Found-Certs-residual-certs-for-pre-owned-domains.pdf

(NOTE: this PDF loads in Firefox, but not in Safari and not, I'm told, in
Chrome's native PDF viewer).

Demo website: https://insecure.design/

The basic idea here is that domain names regularly change owners, creating
"residual certificates" controlled by the previous owner that can be used
for MITM. When a bunch of unrelated websites are thrown into the same
certificate by a service provider (e.g. CDN), then this also creates the
opportunity to DoS the sites by asking the CA to revoke the certificate.

The deck includes some recommendations for CAs.

What, if anything, should we do about this issue?

- Wayne
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
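As an added illustration of the two checks the post describes (it is not code from the deck, the demo site, or the poster), the script below triages Certificate Transparency records for a domain: it lists certificates that were issued before the current owner acquired the domain and are still unexpired (the "residual" certificates an earlier registrant may still hold keys for), and for each certificate it reports the other registrable domains packed into the same SAN list (the shared-certificate revocation exposure). It assumes you have already pulled the logged certificates for the domain from a CT log or an aggregator such as crt.sh and flattened them into `CertRecord` objects; the `SAMPLE` records, dates and serials are constructed, and `registrable_domain` uses a last-two-labels approximation rather than the Public Suffix List.

```python
"""Residual-certificate triage over CT-log style records.

Added example; not from the DEF CON 26 deck or the mailing-list post.
SAMPLE below is constructed data, not real certificates.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class CertRecord:
    serial: str
    issuer: str
    not_before: datetime
    not_after: datetime
    sans: tuple  # dNSName subjectAltName entries


def covers(sans, hostname):
    """True if any SAN matches hostname. Wildcards follow RFC 6125:
    '*.example.com' matches exactly one label, never the bare domain."""
    host = hostname.lower().rstrip(".")
    for san in sans:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        if san.startswith("*."):
            suffix = san[1:]  # ".example.com"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
    return False


def residual_certs(records, hostname, acquired_on, now=None):
    """Certificates for hostname issued before the domain changed hands and
    still inside their validity window. Whoever holds those keys (typically
    the previous registrant) can still present them, so they are MITM
    candidates; returned soonest-expiring first."""
    now = now or datetime.now(timezone.utc)
    return sorted(
        (r for r in records
         if covers(r.sans, hostname)
         and r.not_before < acquired_on
         and r.not_after > now),
        key=lambda r: r.not_after,
    )


def registrable_domain(hostname):
    """Last two labels of a name. Assumption for this example: real code
    should consult the Public Suffix List (e.g. 'co.uk')."""
    labels = hostname.lower().lstrip("*.").split(".")
    return ".".join(labels[-2:])


def foreign_domains(record, my_domains):
    """Registrable domains on the certificate that are not yours. A non-empty
    set means you share the certificate with strangers (CDN SAN-packing):
    any of them, or a previous owner of any of them, can ask the CA to
    revoke it and take every name on it down at once."""
    return {registrable_domain(s) for s in record.sans} - set(my_domains)


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample: the domain was acquired on 2018-01-15 and we are
# checking on 2018-08-01.
ACQUIRED_ON = _utc(2018, 1, 15)
NOW = _utc(2018, 8, 1)
SAMPLE = (
    # Previous owner's two-year cert, still valid -> residual.
    CertRecord("01", "Example CA", _utc(2017, 3, 1), _utc(2019, 3, 1),
               ("insecure.design", "www.insecure.design")),
    # Older cert, already expired -> harmless.
    CertRecord("02", "Example CA", _utc(2015, 1, 1), _utc(2016, 1, 1),
               ("insecure.design", "www.insecure.design")),
    # Issued after acquisition -> the current owner's own cert.
    CertRecord("03", "Example CA", _utc(2018, 2, 1), _utc(2018, 5, 1),
               ("insecure.design",)),
    # Shared CDN cert from before acquisition: residual for www.* and
    # packed with unrelated customers' names.
    CertRecord("04", "CDN CA", _utc(2017, 11, 1), _utc(2018, 11, 1),
               ("*.insecure.design", "shop.othercorp.net",
                "cdn.unrelated.org", "api.unrelated.org")),
)


if __name__ == "__main__":
    for host in ("www.insecure.design", "insecure.design"):
        print(f"residual certificates for {host}:")
        for r in residual_certs(SAMPLE, host, ACQUIRED_ON, NOW):
            others = sorted(foreign_domains(r, {"insecure.design"}))
            print(f"  serial {r.serial} from {r.issuer}, "
                  f"valid until {r.not_after.date()}, "
                  f"shared with {others or 'nobody'}")
```

Feed it real records by mapping each CT entry's serial, issuer, validity dates and dNSName SANs onto `CertRecord`; anything `residual_certs` returns is a candidate for a revocation request to the issuing CA, and anything with a non-empty `foreign_domains` set is a certificate you do not fully control the lifetime of.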
