On 24/03/15 03:58 PM, Florian Weimer wrote:
> * Daniel Micay:
> 
>> These rules would be a lot more meaningful if any new additions to the
>> trust store were required to have Certificate Transparency implemented
>> for the sake of auditing, along with a deadline for other CAs to put it
>> in place. CT would have meant this was trivially caught *much* earlier
>> by security researchers.
> 
> That depends on how many legitimate gmail.com certificates are out
> there.  Organizations struggle to keep track of their own
> certificates.  It's difficult to see how relative outsiders (and most
> “security researchers” are) can cope with that, except by raising an
> alarm about everything they see (which is not generally helpful).
> 
> There's also an ongoing effort to defang CT and make the data much
> less useful, so CT could turn meaningless fairly soon.

In the case of gmail.com, any certificate not valid with the pinning in
Chromium is highly suspicious. There may be some false positives, but
running it by the organization behind the domain can confirm it. You may
even get a bounty for finding something like this...

If they're not able to confirm or deny the validity of the certificate,
that's a separate juicy scandal.


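The check Daniel describes (for a domain pinned in Chromium, a logged certificate whose chain satisfies none of the pins is the interesting case, and such hits are escalated to the domain's owner rather than alarmed on blindly) can be run as a small CT-log monitor. The following is an added example, not code from the thread or from Mozilla/Chromium; the pin values and the log entries are constructed placeholders, and the JSON line format is an assumption standing in for whatever a real log fetcher would produce.

```python
"""Added example: a minimal Certificate Transparency monitor that flags
certificates for a pinned domain whose chain matches none of the pins.

All pins, SPKIs and log entries below are constructed for the example;
they are not Chromium's real pins and not real CT log data."""
import hashlib
import json
from dataclasses import dataclass


def spki_hash(spki: bytes) -> str:
    """Browser pins are SHA-256 over the SubjectPublicKeyInfo (hex here)."""
    return hashlib.sha256(spki).hexdigest()


# Constructed SPKIs of the CAs the domain owner legitimately uses.
LEGIT_SPKIS = [b"constructed-spki-ca-1", b"constructed-spki-ca-2"]
# Pin set per pinned domain (applies to the domain and its subdomains).
PINS = {"gmail.com": {spki_hash(s) for s in LEGIT_SPKIS}}

# Constructed CT log entries, one JSON object per line (assumed format).
SAMPLE_LOG = """
{"log_index": 1, "names": ["gmail.com", "mail.google.com"], "chain_spkis": ["constructed-spki-leaf", "constructed-spki-ca-1"]}
{"log_index": 2, "names": ["www.gmail.com"], "chain_spkis": ["constructed-spki-leaf2", "constructed-spki-ca-2"]}
{"log_index": 3, "names": ["gmail.com"], "chain_spkis": ["constructed-spki-rogue-leaf", "constructed-spki-rogue-ca"]}
{"log_index": 4, "names": ["example.org"], "chain_spkis": ["constructed-spki-x", "constructed-spki-rogue-ca"]}
"""


@dataclass
class Finding:
    log_index: int
    name: str
    reason: str


def matches_domain(name: str, pinned: str) -> bool:
    """A pin for gmail.com covers gmail.com and *.gmail.com."""
    return name == pinned or name.endswith("." + pinned)


def chain_satisfies_pins(chain_spkis: list, pins: set) -> bool:
    """Pinning passes when ANY SPKI in the chain matches a pinned hash."""
    return any(spki_hash(s.encode()) in pins for s in chain_spkis)


def scan(log_text: str, pins_by_domain: dict) -> list:
    """Return one Finding per (entry, name) that is pinned but matches no pin.

    Findings are candidates to confirm with the domain owner, not proof of
    mis-issuance: the message notes that false positives are possible."""
    findings = []
    for line in log_text.strip().splitlines():
        entry = json.loads(line)
        for name in entry["names"]:
            for domain, pins in pins_by_domain.items():
                if matches_domain(name, domain) and not chain_satisfies_pins(
                    entry["chain_spkis"], pins
                ):
                    findings.append(
                        Finding(
                            entry["log_index"],
                            name,
                            f"no SPKI in chain matches the pins for {domain}",
                        )
                    )
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG, PINS):
        print(f"log entry {f.log_index}: {f.name}: {f.reason}")
```

Only entry 3 is reported: entries 1 and 2 chain to a pinned CA, and entry 4 is not for a pinned domain at all. That selectivity is the point of combining CT with pins: the monitor stays quiet on the many legitimate certificates Florian mentions and raises only the cases worth running by the domain's owner.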
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
