2021-01-19 18:01 GMT+01:00 Andrew Ayer via dev-security-policy 
<dev-security-policy@lists.mozilla.org>:
> It's troubling that even at this stage, Camerfirma still doesn't seem
> to grasp the seriousness of their compliance problems. Today,
> they are arguing that there was no security threat from a certificate
> issued for a domain without authorization because the subdomain
> in the certificate "does not exist": 
> https://bugzilla.mozilla.org/show_bug.cgi?id=1672409#c8

In my personal capacity, I want to stress how worrying this response by 
Camerfirma is. Arguing that a certificate doesn't present any risk if it's 
issued for a name that doesn't exist in DNS betrays a deep misunderstanding of 
the web platform, which the WebPKI serves. (For example, an attacker in a 
privileged network position can fake a DNS response for that domain, and use it 
to set Secure cookies on the whole site.)
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
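
The parenthetical in the reply above turns on how browsers scope cookies. As an added illustration (not part of the original post), this simplified model of RFC 6265 cookie scoping shows why any host under a domain that presents a browser-accepted certificate can set a Secure cookie for the whole domain, and why `__Host-` prefixed cookies are not affected. Hostnames and function names are constructed, and public-suffix and IP-address checks are omitted.

```javascript
// Simplified model of browser cookie scoping (RFC 6265 plus cookie prefixes).
// All hostnames and cookie names below are constructed for illustration.

// RFC 6265 section 5.1.3 domain-match, without the IP-address case.
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  return h === d || h.endsWith("." + d);
}

// Returns the stored cookie, or null if the browser would reject it.
// overTls: the response arrived over a TLS connection the browser accepted,
// which requires a certificate valid for setterHost.
function storeCookie(setterHost, overTls, c) {
  // Browsers refuse Secure cookies from non-secure origins.
  if (c.secure && !overTls) return null;
  // __Host- requires Secure, Path=/ and NO Domain attribute (host-only).
  if (c.name.startsWith("__Host-") &&
      !(c.secure && c.domain === undefined && c.path === "/")) return null;
  if (c.name.startsWith("__Secure-") && !c.secure) return null;
  if (c.domain !== undefined) {
    // The setting host only has to fall *within* the Domain attribute,
    // so a subdomain may scope a cookie to its parent domain.
    if (!domainMatch(setterHost, c.domain)) return null;
    const scope = c.domain.toLowerCase().replace(/^\./, "");
    return { name: c.name, scope, hostOnly: false, secure: c.secure };
  }
  return { name: c.name, scope: setterHost.toLowerCase(), hostOnly: true, secure: c.secure };
}

// Would the stored cookie be attached to an HTTPS request to requestHost?
function sentTo(stored, requestHost) {
  return stored.hostOnly
    ? requestHost.toLowerCase() === stored.scope
    : domainMatch(requestHost, stored.scope);
}

// A subdomain with no DNS record still counts as a valid setter for the parent.
const wide = storeCookie("nonexistent.example.com", true,
  { name: "session", domain: "example.com", secure: true, path: "/" });
console.log("Domain cookie reaches www.example.com:", sentTo(wide, "www.example.com"));

// The same attempt with a __Host- name is rejected outright.
const pinned = storeCookie("nonexistent.example.com", true,
  { name: "__Host-session", domain: "example.com", secure: true, path: "/" });
console.log("__Host- cookie with Domain accepted:", pinned !== null);
```

A site that only trusts `__Host-` cookies set by its own hosts is not exposed to cookies written from sibling or non-existent subdomains.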
