On Wed, Aug 24, 2016 at 12:40 PM, Jeremy Rowley <jeremy.row...@digicert.com> wrote: > However, the fact a researcher was able to obtain a cert without proper domain > validation is pretty serious. I'd like to hear more details about how this was > accomplished. Ports 8080 and 8443 aren't that uncommon so penalizing someone > merely for port use seems harsh when there wasn't a policy against it.
There was no restriction on ports at all. Any client-specified port was accepted, and any HTTP-like response it gave back was accepted. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy