Security attacks on Firefox.

2016-07-01 Thread John T. McF. Mood AA4PC
A web site or two out there is spawning a false (probably malicious) patch to Firefox. I will give you what I can. https://eijugonsemi.net/495416513016/3538a5ce1e43f7196a2500a98cfe73ad.html -- This link starts a download to the "Patch". I of course refused to download or run the "Patch". The

Re: StartEncrypt considered harmful today

2016-07-01 Thread Nick Lamb
On Friday, 1 July 2016 20:44:00 UTC+1, Peter Kurrasch wrote: > Only reason I'm focusing on Let's Encrypt and ACME is because they are > currently under review for inclusion.‎ As far as I'm concerned all CA's with > similar interfaces warrant this extra scrutiny. > > I am somewhat curious if any

Re: ISRG Root Inclusion Request

2016-07-01 Thread Ryan Sleevi
On Fri, Jul 1, 2016 at 12:31 PM, Peter Kurrasch wrote: > I'm not sure I follow. Why should the inclusion process proceed before the > updates are complete? Because the concerns you have raised are not requirements of the Mozilla CA Inclusion Policy, nor do they appear to be part of the Baseline

Re: StartEncrypt considered harmful today

2016-07-01 Thread Peter Kurrasch
Only reason I'm focusing on Let's Encrypt and ACME is because they are currently under review for inclusion.‎ As far as I'm concerned all CA's with similar interfaces warrant this extra scrutiny. I am somewhat curious if any of this has come up before in other forums--that these interfaces can

Re: ISRG Root Inclusion Request

2016-07-01 Thread Peter Kurrasch
I'm not sure I follow. Why should the inclusion process proceed before the updates are complete?   Original Message   From: j...@letsencrypt.org Sent: Thursday, June 30, 2016 10:04 PM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: ISRG Root Inclusion Request On Wednesday, June 8

Re: StartEncrypt considered harmful today

2016-07-01 Thread Patrick Figel
On Friday, July 1, 2016 at 9:35:20 AM UTC+2, Eddy Nigg wrote: > So far less than three hundred certificates have been issued using > this method, none should have been effectively issue wrongfully due > to our backend checks. Can you comment on how your backend checks would have prevented any misi

Re: StartEncrypt considered harmful today

2016-07-01 Thread Christiaan Ottow
> On 30 Jun 2016, at 23:10, Andrew Ayer wrote: > > On Thu, 30 Jun 2016 22:36:19 +0200 > Christiaan Ottow wrote: > >> We acquired certificates for a private domain (and some subdomains) >> of the tester in question, and one for our domain pine.nl. Details of >> the latter are attached, with the

Re: StartEncrypt considered harmful today

2016-07-01 Thread Eddy Nigg
On 06/30/2016 06:30 PM, Rob Stradling wrote: https://www.computest.nl/blog/startencrypt-considered-harmful-today/ Eddy, is this report correct? Are you planning to post a public incident report? Hi Rob and all, There were indeed a couple of issues with the client software - known bugs have