We received a report of bugs in the construction of the emails we send out in order to confirm authorization by the domain name registrant prior to issuing a server certificate.
Colloquially these are known as Domain-Control Validation Emails.

The security researcher, Matthew Bryant, followed a responsible disclosure process and we were afforded the opportunity to resolve this bug before he published his blog post at
https://thehackerblog.com/keeping-positive-obtaining-arbitrary-wildcard-ssl-certificates-from-comodo-via-dangling-markup-injection/index.html

We are pleased to report that no certificates were issued contrary to the terms of our CPS.

We have informed our external WebTrust auditors of the report and of its resolution.

We will be further engaging with external security consultants to ensure that our systems remain secure so that we may continue to meet our policy obligations.

Regards
Robin Alden
Comodo

This email has also been posted to [email protected]

