On Wed, Aug 24, 2016 at 12:40 PM, Jeremy Rowley <[email protected]> wrote:
> However, the fact a researcher was able to obtain a cert without proper domain
> validation is pretty serious. I'd like to hear more details about how this was
> accomplished. Ports 8080 and 8443 aren't that uncommon so penalizing someone
> merely for port use seems harsh when there wasn't a policy against it.
There was no restriction on ports at all. Any client-specified port was accepted, and any HTTP-like response it gave back was accepted.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
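To make the distinction in the reply above concrete, here is an added example, not code from the thread or from any CA's validation software, contrasting the described behaviour (client-chosen URL and port, any HTTP-like response accepted) with a check that only trusts the scheme's default port and a CA-issued token. The point of the port restriction is that any unprivileged tenant on a shared host can bind a port above 1023, so a response on 8080 or 8443 proves nothing about who controls the site on 80 or 443. The authorized-port set, the `/.well-known/pki-validation/` path, the token value and the sample responses are assumptions constructed for this example.

```python
from urllib.parse import urlsplit

# Assumption for this example: only the scheme's default port counts as proof
# of control, because any unprivileged user on a shared host can bind a port
# above 1023 (8080 and 8443 included) without controlling the site on 80/443.
AUTHORIZED_PORTS = {"http": 80, "https": 443}


def permissive_check(url, status):
    """The behaviour the reply describes: the client picks the URL (port
    included) and any HTTP-like response is taken as success."""
    parts = urlsplit(url)
    return parts.scheme in AUTHORIZED_PORTS and 100 <= status < 600


def strict_check(url, status, body, expected_token):
    """Accept only the scheme's default port, a 200 response, and a body that
    carries exactly the CA-issued token. Returns (ok, reason)."""
    parts = urlsplit(url)
    if parts.scheme not in AUTHORIZED_PORTS:
        return False, "scheme must be http or https"
    default_port = AUTHORIZED_PORTS[parts.scheme]
    port = parts.port if parts.port is not None else default_port
    if port != default_port:
        return False, f"port {port} is not authorized for {parts.scheme}"
    if status != 200:
        return False, f"unexpected status {status}"
    if body.strip() != expected_token:
        return False, "token missing or wrong"
    return True, "ok"


# Constructed sample data: a hypothetical CA-issued token and three responses
# the validator might see. The 8080 response is the kind a tenant on a shared
# host can serve without controlling the real site on port 80.
TOKEN = "examplecatoken-0123456789abcdef"
SAMPLES = [
    ("http://example.com/.well-known/pki-validation/token.txt", 200, TOKEN),
    ("http://example.com:8080/.well-known/pki-validation/token.txt", 200, TOKEN),
    ("http://example.com/.well-known/pki-validation/token.txt", 404, "Not Found"),
]


def evaluate_samples():
    """Run both checks over the constructed samples; returns a list of
    (url, permissive_result, strict_result) tuples."""
    results = []
    for url, status, body in SAMPLES:
        results.append((url,
                        permissive_check(url, status),
                        strict_check(url, status, body, TOKEN)[0]))
    return results


if __name__ == "__main__":
    for url, loose, strict in evaluate_samples():
        print(f"{url}\n  permissive={loose} strict={strict}")
```

The permissive check passes all three samples, including the 8080 response and the 404, which is exactly the failure mode the reply describes; the strict check passes only the default-port response that carries the token.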

