Re: When are public applications embedding certificates pointing to 127.0.0.1 OK?

Looking into this, we revoked the cert on our end at 2:20 MST (within 24 hours after the certificate problem report was processed), but we distribute all of our OCSP responses through CDNs. Distribution through the CDN took approximately an hour plus. I couldn't find a definition of revoked in

Re: When are public applications embedding certificates pointing to 127.0.0.1 OK?

On Tue, 20 Jun 2017 21:23:51 +0100 Rob Stradling via dev-security-policy wrote: > [CC'ing rev...@digicert.com, as per > https://ccadb-public.secure.force.com/mozillacommunications/CACommResponsesOnlyReport?CommunicationId=a05o03WrzBC=Q00028] > >

Re: When are public applications embedding certificates pointing to 127.0.0.1 OK?

On Wednesday, June 21, 2017 at 1:35:13 PM UTC-5, Matthew Hardeman wrote: > Regarding localhost access, you are presently incorrect. The browsers do not > allow access to localhost via insecure websocket if the page loads from a > secure context. (Chrome and Firefox at least, I believe do not

Re: When are public applications embedding certificates pointing to 127.0.0.1 OK?

And a common practice. Old Microsoft documentation used to recommend it. > On Jun 21, 2017, at 12:22 PM, Santhan Raj via dev-security-policy > wrote: > > On Wednesday, June 21, 2017 at 12:02:51 PM UTC-7, Jonathan Rudenberg wrote: >>> On Jun 21, 2017, at

Re: When are public applications embedding certificates pointing to 127.0.0.1 OK?

On Wednesday, June 21, 2017 at 12:02:51 PM UTC-7, Jonathan Rudenberg wrote: > > On Jun 21, 2017, at 14:41, urijah--- via dev-security-policy > > wrote: > > > > Apparently, in at least one case, the certificate was issued directly(!) to > > localhost by

Re: When are public applications embedding certificates pointing to 127.0.0.1 OK?

> On Jun 21, 2017, at 14:41, urijah--- via dev-security-policy > wrote: > > Apparently, in at least one case, the certificate was issued directly(!) to > localhost by Symantec. > > https://news.ycombinator.com/item?id=14598262 > >

Re: On GitHub, Leaked Keys, and getting practical about revocation

On Wed, 21 Jun 2017 10:40:01 -0700 (PDT) Matthew Hardeman via dev-security-policy wrote: > Through a little Google digging, I find numerous comments and > references from well informed parties going back quite several years > lamenting the poor state of

Re: When are public applications embedding certificates pointing to 127.0.0.1 OK?

On Wednesday, June 21, 2017 at 12:41:53 PM UTC-5, andre...@gmail.com wrote: > I feel like this is getting sort of off-topic. Web pages can communicate > directly with applications on the local machine regardless of whether they > abuse certificates in this way or not. (Such as, for example, by

Re: When are public applications embedding certificates pointing to 127.0.0.1 OK?

On Wednesday, June 21, 2017 at 11:51:27 AM UTC-5, Matthew Hardeman wrote: > On Wednesday, June 21, 2017 at 4:59:01 AM UTC-5, Ryan Sleevi wrote: > > > > > There are several distinct issues: > > 127.0.0.0/8 (and the associated IPv6 reservations ::1/128) > > "localhost" (as a single host) > >

On GitHub, Leaked Keys, and getting practical about revocation

Hi all, I'm sure questions of certificates leaked to the public via GitHub and other file sharing / code sharing / deployment repository hosting and sharing sites have come up before, but last night I spent a couple of hours constructing various search criteria which I don't think were even

Re: Unknown Intermediates

FYI, I'm submitting these right now, it seems to be working, here's an example https://crt.sh/?q=1eb6ec6e6c45663f3bb1b2f140961bbf3352fc8741ef835146d3a8a2616ee28f Tavis. On Mon, Jun 19, 2017 at 12:56 PM, Tavis Ormandy wrote: > I noticed there's an apparently valid

Re: When are public applications embedding certificates pointing to 127.0.0.1 OK?

On Wednesday, June 21, 2017 at 4:59:01 AM UTC-5, Ryan Sleevi wrote: > > There are several distinct issues: > 127.0.0.0/8 (and the associated IPv6 reservations ::1/128) > "localhost" (as a single host) > "localhost" (as a TLD) > > The issues with localhost are (briefly) caught in >

Re: When are public applications embedding certificates pointing to 127.0.0.1 OK?

Does anyone have an idea of how good browser support is for the W3C Secure Contexts standard? Could it be that vendors are abusing certificates in this way in order to get around communications with loopback addresses being blocked as insecure mixed content by non-conforming browsers? On Wed, Jun

Re: Root Store Policy 2.5: Call For Review and Phase-In Periods

On Wed, Jun 21, 2017 at 7:15 AM, Gervase Markham via dev-security-policy wrote: > On 21/06/17 13:13, Doug Beattie wrote: >>> Do they have audits of any sort? >> >> There had not been any audit requirements for EKU technically >> constrained CAs, so no, there

RE: Root Store Policy 2.5: Call For Review and Phase-In Periods

> -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+doug.beattie=globalsign@lists.mozilla.org] On Behalf Of > Gervase Markham via dev-security-policy > Sent: Wednesday, June 21, 2017 4:16 PM > To: mozilla-dev-security-pol...@lists.mozilla.org >

Re: Root Store Policy 2.5: Call For Review and Phase-In Periods

On 21/06/17 13:13, Doug Beattie wrote: >> Do they have audits of any sort? > > There had not been any audit requirements for EKU technically > constrained CAs, so no, there are no audits. In your view, having an EKU limiting the intermediate to just SSL or to just email makes it a technically

RE: Root Store Policy 2.5: Call For Review and Phase-In Periods

> -Original Message- > From: Gervase Markham [mailto:g...@mozilla.org] > Sent: Tuesday, June 20, 2017 9:12 PM > To: Doug Beattie ; mozilla-dev-security- > pol...@lists.mozilla.org > Subject: Re: Root Store Policy 2.5: Call For Review and Phase-In Periods > >

Re: When are public applications embedding certificates pointing to 127.0.0.1 OK?

On Wed, Jun 21, 2017 at 5:32 AM, Matthew Hardeman via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > I believe the underlying issue for many of these cases pertains to > initiating a connection to a WebSocket running on some port on 127.0.0.1 as > a sub-resource of an

Re: When are public applications embedding certificates pointing to 127.0.0.1 OK?

On Wednesday, June 21, 2017 at 1:43:18 AM UTC-5, jacob.hoff...@gmail.com wrote: > > It's been an on-going question for me, since the use case (as a software > > developer) is quite real: if you serve a site over HTTPS and it needs to > > communicate with a local client application then you need

Re: When are public applications embedding certificates pointing to 127.0.0.1 OK?

> It's been an on-going question for me, since the use case (as a software > developer) is quite real: if you serve a site over HTTPS and it needs to > communicate with a local client application then you need this (or, you > need to manage your own CA, and ask every person to install a >