If Apple is using wildcards that permit an otherwise-banned certificate, it
seems like not only a regex problem -- and who hasn't had those before? -- but
also a rather disturbing workaround for certs that otherwise should not be
respected. I just hit this site in Safari on a Mac and got no popup or
interstitial but also saw about 20 insecure content errors (not that everyone
has Error Console running all the time). I also just hit a site I knew had an
invalid certificate, and got a popup. Both sites show https in URL.
Respectfully,
Tarah Wheeler
Principal Security Advocate
Senior Director of Engineering, Website Security
Symantec
ta...@symantec.com
> On Nov 13, 2016, at 1:01 PM, "dev-security-policy-requ...@lists.mozilla.org"
> <dev-security-policy-requ...@lists.mozilla.org> wrote:
>
> Send dev-security-policy mailing list submissions to
> dev-security-policy@lists.mozilla.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.mozilla.org/listinfo/dev-security-policy
> or, via email, send a message with subject or body 'help' to
> dev-security-policy-requ...@lists.mozilla.org
>
> You can reach the person managing the list at
> dev-security-policy-ow...@lists.mozilla.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of dev-security-policy digest..."
>
>
> Today's Topics:
>
> 1. Re: Action on undisclosed intermediates (Peter Bowen)
> 2. Re: Action on undisclosed intermediates (Rob Stradling)
> 3. Re: Comodo issued a certificate for an extension (Eric Mill)
> 4. Re: Apple's response to the WoSign incidents (Percy)
>
>
> --
>
> Message: 1
> Date: Sat, 12 Nov 2016 09:43:36 -0800
> From: Peter Bowen <pzbo...@gmail.com>
> To: Gervase Markham <g...@mozilla.org>
> Cc: "mozilla-dev-security-pol...@lists.mozilla.org"
> <mozilla-dev-security-pol...@lists.mozilla.org>
> Subject: Re: Action on undisclosed intermediates
> Message-ID:
> <cak6vnd_0odjsgoa5zxhxryeghtskaeccij76mco3q_vkrtj...@mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
>> On Tue, Nov 8, 2016 at 8:18 AM, Gervase Markham <g...@mozilla.org> wrote:
>> I'd like to take some action about persistent failures to properly
>> disclose intermediates. The deadline for this was June, and CAs have had
>> a number of reminders, so there's no excuse.
>>
>> Of course, if intermediates aren't disclosed, we can't be certain what
>> they are, but crt.sh has a good idea of many of them:
>> https://crt.sh/mozilla-disclosures#undisclosed
>>
>> There is also a list on that page of certs which CAs have disclosed but
>> not provided audit info, but given that you can get off that list by
>> putting _anything_ in the relevant box in Salesforce, I'm worried about
>> perverse incentives if we go after people on that list at the moment:
>> https://crt.sh/mozilla-disclosures#disclosureincomplete
>
> Based on data this morning, it looks like there are only two left on
> that undisclosed list. One of them is RSA, who is already scheduled
> for removal. The other is TurkTrust, which announced they are leaving
> the server auth cert business:
> https://cabforum.org/pipermail/public/2016-September/008475.html
>
> So it seems this problem has resolved itself. No need to invent
> random selection schemes.
>
> Now, the real fun is going to be seeing if the supplied audit report
> URLs actually point to reports and if all the CAs claimed to be
> covered are actually covered ;)
>
> Thanks,
> Peter
>
>
> --
>
> Message: 2
> Date: Sat, 12 Nov 2016 20:11:50 +
> From: Rob Stradling <rob.stradl...@comodo.com>
> To: Peter Bowen <pzbo...@gmail.com>, Gervase Markham
> <g...@mozilla.org>
> Cc: "mozilla-dev-security-pol...@lists.mozilla.org"
> <mozilla-dev-security-pol...@lists.mozilla.org>
> Subject: Re: Action on undisclosed intermediates
> Message-ID: <734f7b4e-9911-d28e-acdc-a95afa440...@comodo.com>
> Content-Type: text/plain; charset=windows-1252
>
>> On 12/11/16 17:43, Peter Bowen wrote:
>>
>> So it seems this problem has resolved itself. No need to invent
>> random selection schemes.
>
> ISTM that the threat of random selection schemes may have been what
> resolved the problem. ;-)
>
> --
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online
>
>
> --
>
> Message: 3
> Date: Sat, 12 Nov 2016 23:12:48 -0500
> From: Eric Mill <e...@konklo