Re: How to submit WebTrust audits in CCADB
I contacted CPA Canada in early 2017 about XSS and some other issues on cert.webtrust.org. They did not fix the issues but stated:

> CPA Canada is currently working on upgrading the WebTrust site to
> enhance the security.

As of April 2018 the issues were still unfixed. I wonder if the limited access is part of those security "enhancements"?

PS: This change also breaks "legitimate" WebTrust Seal links when either the website or the web browser is configured to not send the "Referer" header.

jomo

On 10.8.18 01:19, Kathleen Wilson via dev-security-policy wrote:
> All,
>
> In their effort to better protect WebTrust seals, CPA Canada has made
> it so we can no longer access WebTrust pdf files directly from the CCADB.
>
> I received the following response when inquiring about this.
> “”
> Thank you for contacting Chartered Professional Accountants of Canada.
> You can no longer link directly to PDF documents. You will need to go
> to the registered website where the seal is provided and click on the
> seal to obtain the document (e.g. audit report).
> Also, we are now enforcing the domain requirement when a seal is
> opened. Domain enforcement is essential to the program to prevent
> fraudulent use. It ensures that the WebTrust seals will only function
> on the certificate authority’s websites.
> If a seal is opened from a non-registered domain or other source (e.g.
> email, internal lists, etc.) the seal will not load and will display a
> notice indicating that the domain is not valid.
> “”
>
> Therefore, for the foreseeable future, please do the following when
> creating an Audit Case in the CCADB for WebTrust audits.
>
> 1) Make the PDFs of the audit statements available directly on your
> CA's website.
> OR
> Upload your audit statement PDF files to Bugzilla, as described here:
> https://ccadb.org/cas/fields#uploading-documents
>
> 2) For the audit statement link in your CCADB Audit Case either
> provide the URL to the PDF on your CA's website, or use the link to
> the document in Bugzilla.
>
> 3) Add an Audit Case Comment to indicate the URL where the WebTrust
> seals may be found on your CA’s website.
>
> 4) When you run the Audit Letter Validation (ALV), you can ignore the
> “Cleaned=Fail” ALV result. I will check the seal on your website
> manually, and add a comment to the Audit Case.
>
>
> Also, the cert.webtrust.org audit links that are currently in the root
> cert records and the intermediate cert records in the CCADB no longer
> work either. Fortunately we started archiving audit statements this
> year. So you can scroll down to the “File Archive…” section of the
> record, and you will be able to find the stored audit pdfs.
>
> Thanks,
> Kathleen
>
>
> ___
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
Re: How to submit WebTrust audits in CCADB
I don't think I'm giving away any big secret by revealing that the seal website is just doing an http_referer check. If you are blocked when trying to access an audit report on cert.webtrust.org, just set the referer to the CA's domain name and refresh. You can do this with any number of Firefox extensions, such as Referer Control (https://addons.mozilla.org/en-US/firefox/addon/referercontrol/).

Now if only it were that easy to access prior period reports...

On Thu, Aug 9, 2018 at 4:47 PM Ryan Sleevi via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> Thanks for the update, Kathleen.
>
> This is truly unfortunate, and unquestionably does harm to the value and
> brand of the WebTrust Seal, rather than provide value.
>
> On Thu, Aug 9, 2018 at 7:19 PM, Kathleen Wilson via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
>
> > All,
> >
> > In their effort to better protect WebTrust seals, CPA Canada has made it
> > so we can no longer access WebTrust pdf files directly from the CCADB.
> >
> > I received the following response when inquiring about this.
> > “”
> > Thank you for contacting Chartered Professional Accountants of Canada.
> > You can no longer link directly to PDF documents. You will need to go to
> > the registered website where the seal is provided and click on the seal
> > to obtain the document (e.g. audit report).
> > Also, we are now enforcing the domain requirement when a seal is opened.
> > Domain enforcement is essential to the program to prevent fraudulent use.
> > It ensures that the WebTrust seals will only function on the certificate
> > authority’s websites.
> > If a seal is opened from a non-registered domain or other source (e.g.
> > email, internal lists, etc.) the seal will not load and will display a
> > notice indicating that the domain is not valid.
> > “”
> >
> > Therefore, for the foreseeable future, please do the following when
> > creating an Audit Case in the CCADB for WebTrust audits.
> >
> > 1) Make the PDFs of the audit statements available directly on your CA's
> > website.
> > OR
> > Upload your audit statement PDF files to Bugzilla, as described here:
> > https://ccadb.org/cas/fields#uploading-documents
> >
> > 2) For the audit statement link in your CCADB Audit Case either provide
> > the URL to the PDF on your CA's website, or use the link to the document
> > in Bugzilla.
> >
> > 3) Add an Audit Case Comment to indicate the URL where the WebTrust seals
> > may be found on your CA’s website.
> >
> > 4) When you run the Audit Letter Validation (ALV), you can ignore the
> > “Cleaned=Fail” ALV result. I will check the seal on your website
> > manually, and add a comment to the Audit Case.
> >
> >
> > Also, the cert.webtrust.org audit links that are currently in the root
> > cert records and the intermediate cert records in the CCADB no longer
> > work either. Fortunately we started archiving audit statements this year.
> > So you can scroll down to the “File Archive…” section of the record, and
> > you will be able to find the stored audit pdfs.
> >
> > Thanks,
> > Kathleen
Re: How to submit WebTrust audits in CCADB
Thanks for the update, Kathleen.

This is truly unfortunate, and unquestionably does harm to the value and brand of the WebTrust Seal, rather than provide value.

On Thu, Aug 9, 2018 at 7:19 PM, Kathleen Wilson via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> All,
>
> In their effort to better protect WebTrust seals, CPA Canada has made it
> so we can no longer access WebTrust pdf files directly from the CCADB.
>
> I received the following response when inquiring about this.
> “”
> Thank you for contacting Chartered Professional Accountants of Canada.
> You can no longer link directly to PDF documents. You will need to go to
> the registered website where the seal is provided and click on the seal to
> obtain the document (e.g. audit report).
> Also, we are now enforcing the domain requirement when a seal is opened.
> Domain enforcement is essential to the program to prevent fraudulent use.
> It ensures that the WebTrust seals will only function on the certificate
> authority’s websites.
> If a seal is opened from a non-registered domain or other source (e.g.
> email, internal lists, etc.) the seal will not load and will display a
> notice indicating that the domain is not valid.
> “”
>
> Therefore, for the foreseeable future, please do the following when
> creating an Audit Case in the CCADB for WebTrust audits.
>
> 1) Make the PDFs of the audit statements available directly on your CA's
> website.
> OR
> Upload your audit statement PDF files to Bugzilla, as described here:
> https://ccadb.org/cas/fields#uploading-documents
>
> 2) For the audit statement link in your CCADB Audit Case either provide
> the URL to the PDF on your CA's website, or use the link to the document in
> Bugzilla.
>
> 3) Add an Audit Case Comment to indicate the URL where the WebTrust seals
> may be found on your CA’s website.
>
> 4) When you run the Audit Letter Validation (ALV), you can ignore the
> “Cleaned=Fail” ALV result. I will check the seal on your website manually,
> and add a comment to the Audit Case.
>
>
> Also, the cert.webtrust.org audit links that are currently in the root
> cert records and the intermediate cert records in the CCADB no longer work
> either. Fortunately we started archiving audit statements this year. So you
> can scroll down to the “File Archive…” section of the record, and you will
> be able to find the stored audit pdfs.
>
> Thanks,
> Kathleen
How to submit WebTrust audits in CCADB
All,

In their effort to better protect WebTrust seals, CPA Canada has made it so we can no longer access WebTrust pdf files directly from the CCADB.

I received the following response when inquiring about this.
“”
Thank you for contacting Chartered Professional Accountants of Canada.
You can no longer link directly to PDF documents. You will need to go to the registered website where the seal is provided and click on the seal to obtain the document (e.g. audit report).
Also, we are now enforcing the domain requirement when a seal is opened. Domain enforcement is essential to the program to prevent fraudulent use. It ensures that the WebTrust seals will only function on the certificate authority’s websites.
If a seal is opened from a non-registered domain or other source (e.g. email, internal lists, etc.) the seal will not load and will display a notice indicating that the domain is not valid.
“”

Therefore, for the foreseeable future, please do the following when creating an Audit Case in the CCADB for WebTrust audits.

1) Make the PDFs of the audit statements available directly on your CA's website.
OR
Upload your audit statement PDF files to Bugzilla, as described here:
https://ccadb.org/cas/fields#uploading-documents

2) For the audit statement link in your CCADB Audit Case either provide the URL to the PDF on your CA's website, or use the link to the document in Bugzilla.

3) Add an Audit Case Comment to indicate the URL where the WebTrust seals may be found on your CA’s website.

4) When you run the Audit Letter Validation (ALV), you can ignore the “Cleaned=Fail” ALV result. I will check the seal on your website manually, and add a comment to the Audit Case.


Also, the cert.webtrust.org audit links that are currently in the root cert records and the intermediate cert records in the CCADB no longer work either. Fortunately we started archiving audit statements this year. So you can scroll down to the “File Archive…” section of the record, and you will be able to find the stored audit pdfs.

Thanks,
Kathleen