Looking into this, we revoked the cert on our end at 2:20 MST (within 24 hours
after the certificate problem report was processed), but we distribute all of
our OCSP responses through CDNs. Distribution through the CDN took
approximately an hour plus. I couldn't find a definition of revoked in
On Tue, 20 Jun 2017 21:23:51 +0100
Rob Stradling via dev-security-policy
wrote:
> [CC'ing rev...@digicert.com, as per
> https://ccadb-public.secure.force.com/mozillacommunications/CACommResponsesOnlyReport?CommunicationId=a05o03WrzBC=Q00028]
>
>
On Wednesday, June 21, 2017 at 1:35:13 PM UTC-5, Matthew Hardeman wrote:
> Regarding localhost access, you are presently incorrect. The browsers do not
> allow access to localhost via insecure websocket if the page loads from a
> secure context. (Chrome and Firefox at least, I believe do not
And a common practice. Old Microsoft documentation used to recommend it.
> On Jun 21, 2017, at 12:22 PM, Santhan Raj via dev-security-policy
> wrote:
>
> On Wednesday, June 21, 2017 at 12:02:51 PM UTC-7, Jonathan Rudenberg wrote:
>>> On Jun 21, 2017, at
On Wednesday, June 21, 2017 at 12:02:51 PM UTC-7, Jonathan Rudenberg wrote:
> > On Jun 21, 2017, at 14:41, urijah--- via dev-security-policy
> > wrote:
> >
> > Apparently, in at least one case, the certificate was issued directly(!) to
> > localhost by
> On Jun 21, 2017, at 14:41, urijah--- via dev-security-policy
> wrote:
>
> Apparently, in at least one case, the certificate was issued directly(!) to
> localhost by Symantec.
>
> https://news.ycombinator.com/item?id=14598262
>
>
On Wed, 21 Jun 2017 10:40:01 -0700 (PDT)
Matthew Hardeman via dev-security-policy
wrote:
> Through a little Google digging, I find numerous comments and
> references from well informed parties going back quite several years
> lamenting the poor state of
On Wednesday, June 21, 2017 at 12:41:53 PM UTC-5, andre...@gmail.com wrote:
> I feel like this is getting sort of off-topic. Web pages can communicate
> directly with applications on the local machine regardless of whether they
> abuse certificates in this way or not. (Such as, for example, by
On Wednesday, June 21, 2017 at 11:51:27 AM UTC-5, Matthew Hardeman wrote:
> On Wednesday, June 21, 2017 at 4:59:01 AM UTC-5, Ryan Sleevi wrote:
>
> >
> > There are several distinct issues:
> > 127.0.0.0/8 (and the associated IPv6 reservations ::1/128)
> > "localhost" (as a single host)
> >
Hi all,
I'm sure questions of certificates leaked to the public via GitHub and other
file sharing / code sharing / deployment repository hosting and sharing sites
have come up before, but last night I spent a couple of hours constructing
various search criteria which I don't think were even
FYI, I'm submitting these right now, it seems to be working, here's an
example
https://crt.sh/?q=1eb6ec6e6c45663f3bb1b2f140961bbf3352fc8741ef835146d3a8a2616ee28f
Tavis.
On Mon, Jun 19, 2017 at 12:56 PM, Tavis Ormandy wrote:
> I noticed there's an apparently valid
On Wednesday, June 21, 2017 at 4:59:01 AM UTC-5, Ryan Sleevi wrote:
>
> There are several distinct issues:
> 127.0.0.0/8 (and the associated IPv6 reservations ::1/128)
> "localhost" (as a single host)
> "localhost" (as a TLD)
>
> The issues with localhost are (briefly) caught in
>
Does anyone have an idea of how good browser support is for the W3C Secure
Contexts standard? Could it be that vendors are abusing certificates in
this way in order to get around communications with loopback addresses
being blocked as insecure mixed content by non-conforming browsers?
On Wed, Jun
On Wed, Jun 21, 2017 at 7:15 AM, Gervase Markham via
dev-security-policy wrote:
> On 21/06/17 13:13, Doug Beattie wrote:
>>> Do they have audits of any sort?
>>
>> There had not been any audit requirements for EKU technically
>> constrained CAs, so no, there
> -Original Message-
> From: dev-security-policy [mailto:dev-security-policy-
> bounces+doug.beattie=globalsign@lists.mozilla.org] On Behalf Of
> Gervase Markham via dev-security-policy
> Sent: Wednesday, June 21, 2017 4:16 PM
> To: mozilla-dev-security-pol...@lists.mozilla.org
>
On 21/06/17 13:13, Doug Beattie wrote:
>> Do they have audits of any sort?
>
> There had not been any audit requirements for EKU technically
> constrained CAs, so no, there are no audits.
In your view, having an EKU limiting the intermediate to just SSL or to
just email makes it a technically
> -Original Message-
> From: Gervase Markham [mailto:g...@mozilla.org]
> Sent: Tuesday, June 20, 2017 9:12 PM
> To: Doug Beattie ; mozilla-dev-security-
> pol...@lists.mozilla.org
> Subject: Re: Root Store Policy 2.5: Call For Review and Phase-In Periods
> >
On Wed, Jun 21, 2017 at 5:32 AM, Matthew Hardeman via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
>
> I believe the underlying issue for many of these cases pertains to
> initiating a connection to a WebSocket running on some port on 127.0.0.1 as
> a sub-resource of an
On Wednesday, June 21, 2017 at 1:43:18 AM UTC-5, jacob.hoff...@gmail.com wrote:
> > It's been an on-going question for me, since the use case (as a software
> > developer) is quite real: if you serve a site over HTTPS and it needs to
> > communicate with a local client application then you need
> It's been an on-going question for me, since the use case (as a software
> developer) is quite real: if you serve a site over HTTPS and it needs to
> communicate with a local client application then you need this (or, you
> need to manage your own CA, and ask every person to install a
>
20 matches
Mail list logo