Hi,

In April and May of this year, I attempted to change the address listed in Dun 
& Bradstreet of my (Kentucky-incorporated) company "Stripe, Inc" to an address 
in Toledo, Ohio that did not exist (185 Berry Street, Toledo, Ohio). I was 
wondering about the extent of validation Dun & Bradstreet would do on the data.

To my surprise, they accepted my change request a couple of days later. This is 
concerning, of course, because D&B is a QIIS backing most EV certificate 
requests in the United States.

After this worked, I realized this was probably worth exploring more, so I took 
my "Cloudflare, Inc" company (also incorporated in Kentucky) and requested that 
Dun & Bradstreet change its address to "102 Townsend St San Francisco CA". You 
might notice that this is the same address as the real Cloudflare, but with the 
street number incremented by one.

D&B accepted that change request as well. This meant I controlled a DUNS number 
that would resolve to a very similar address to CF, with my phone number on it.

I ordered two EV certificates from Comodo (order #s 136665865 and 141269115) 
with these fake DUNS numbers. I successfully completed the validation and 
callback process for the Cloudflare order, and Comodo was about to issue the 
certificate, but both of my orders were silently deleted before they were 
issued.

Comodo would not give me any information about why they (silently) rejected my 
orders, but Dun & Bradstreet banned my account shortly after, so it is safe to 
say they reported me after they realized something went wrong.

I think this is a strong indictment of D&B as a QIIS. The definition of a QIIS, 
in my opinion, is incredibly lax, but "which is generally recognized as a 
dependable source of such information" is hard to meet here.

I am also, frankly, annoyed that Comodo seems to have silently discovered that 
D&B was unreliable and then ignored it without reporting it further. I myself 
have been meaning to send this for a while, given I did this in May, but 
various things have made it difficult for me to find the time.

Let me know if I can provide any further information.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy