Hi,
While I was connected to an IPv6-only network I noticed that some CAs
(e.g. Amazon, DigiCert, GoDaddy, QuoVadis) do not provide IPv6 on their
CRL and OCSP endpoints. This means that certificate revocation does not
work if you have no IPv6 or, depending on your security policy (e.g.
require
Hi
Thanks for investigating.
First of all, my previous curl command is not suitable to verify an
OCSP status. It only works for OCSP stapling which is not supported by
Google servers.
You may use openssl ocsp instead:
openssl ocsp -issuer [GoogleInternetAuthorityG2.crt] -cert [googlecom.crt]
Hi
Google delivers the certificate [1] to me, for *.google.com,
*.youtube.com and other major services.
However, the OCSP service [2] does not work for me. I verified this from
multiple locations, machines, OSes and versions of Firefox. Furthermore,
I used SSL Labs [3] and the status on crt.sh
Hi
Does this also affect the root CA of StartCom Class 4 (EV) and Class 3
(OV) certs?
Regards,
Jonas
On 30.11.2016 at 21:32, certificate-authority-prog...@group.apple.com wrote:
> We are taking further actions to protect users in an upcoming security
> update. Apple products will block
The affected cert has been logged here: https://crt.sh/?id=34242572
On 24.09.2016 at 02:33, Richard Wang wrote:
> First, I must make declaration that I don't know "Showfom", and I don't know
> if he/she is a WoSign customer.
>
> As I said in my final statement that I wish all Mozilla trusted
I think that's the security.pki.sha1_enforcement_level pref [1][2].
Regards,
Jonas
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=942515#c35
[2]
https://blog.mozilla.org/security/2016/01/06/man-in-the-middle-interfering-with-increased-security/
Written on 16.09.2016 at 16:53 by
Of course, adding the affected certs to OneCRL should be done immediately.
WoSign also has to be transparent about all (mis)issued certs in the
past and has to provide this info in the future.
If they can't, I think we may consider if the current certs that are
valid for 3 years should be
Hi
As far as I know we have the following status:
> Add a security warning to the Web Console to remind developers that
> they should not be using a SHA-1 based certificates
Has already been fixed. But currently SHA-1 is only exposed in the
console, not on the lock icon so far.
> Show the
JFYI:
https://oalmanna.blogspot.com/2016/03/startssl-domain-validation.html
https://startssl.com/NewsDetails?date=20160322
https://startssl.com/NewsDetails?date=20160323
Regards,
Jonas
I would like to see SHA-3 signatures and Ed25519/curve25519 ASAP.
The latter one is not that far away [1].
Maybe it's the right time to consider them?
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=957105
On 05.11.2015 at 19:46, Kathleen Wilson wrote:
> The next two topics to discuss [1] have
Yes, some hosts are pinned:
https://dxr.mozilla.org/mozilla-central/source/security/manager/tools/PreloadedHPKPins.json
MITM is *always* bad and breaks the web. Modern browsers, especially
Firefox, have great features to protect the users and this is something
good. I'm pretty sure your students
Thank you!
Please inform me if you were successful.
Regards,
Jonas
On 06.02.2015 at 16:43, Medin, Steven wrote:
I will contact the Swiss BIT and discuss.
Kind regards,
Steven Medin
Product Manager, Identity and Access Management
Verizon Enterprise Solutions
-Original
Hi all
A few weeks ago, I got some mails about a broken iframe. The secure
connection to the remote server failed (OCSP error). The site was signed
by Swiss Government SSL CA 01. I contacted the technical support and
they told me that the Federal Office of Information Technology, Systems
and
Hi
I would support your idea, but it's quite hard to implement it. If a
server uses TLS 1.2 and HSTS, you still don't know if the connection is
really secure.
But it would be easier if Firefox would show more details about
protocol, ciphers etc.
On 17.09.2014 at 17:20, Richard Barnes wrote: