Hi Wayne,

As others have said, thanks for bringing this to our attention.

On 11/01/17 03:02, Wayne Thayer wrote:
> results even when the HTTP status code was not 200. Since many web
> servers are configured to include the URL of the request in the body
> of a 404 (not found) response, and the URL also contained the random
> code,

As you will know, the method being used by GoDaddy here corresponds broadly to method 3.2.2.4.6 from ballot 169 - "Agreed-Upon Change to Website". (Although this method is not currently in the Baseline Requirements due to it being part of ballot 182 and having a related IPR disclosure, at least one root store operator has suggested they are going to require strict adherence to the methods listed in that ballot by 1st March.)

https://cabforum.org/2016/08/05/ballot-169-revised-validation-requirements/

One of the sentences in 3.2.2.4.6 is the following:

"The entire Required Website Content MUST NOT appear in the request used to retrieve the file or web page"

This sentence is there precisely because the problem which hit GoDaddy was anticipated when the Validation WG was discussing the possible problems with this validation method. Has GoDaddy already, or is GoDaddy planning to, update its implementation to conform to that requirement?

> We are currently unaware of
> any malicious exploitation of this bug to procure a certificate for a
> domain that was not authorized.

Does that mean "we have revalidated all the domains", or does it mean "no-one has actively reported to us that someone else is using a certificate for a domain name the reporter owns"?

> The customer who discovered the bug
> revoked the certificate they obtained, and subsequent certificates
> issued as the result of requests used for testing by Microsoft and
> GoDaddy have been revoked.

I would hope and assume that such testing was done using domains owned by Microsoft and/or GoDaddy, or someone else whose permission you had gained?

> authorization). We have re-verified domain control on every
> certificate issued using this method of validation in the period from
> when the bug was introduced until it was fixed.

How was that possible for all domains, as surely some domain owners will have taken the necessary file down?

> A list of 8850
> potentially unverified certificates (representing less than 2% of the
> total issued during the period) was compiled at 10 PM PST on Monday
> Jan 9th.

How were you able to create that list? Do you store the HTTP status code and content returned from the website, and just searched for non-200 codes? Or some other way?

Gerv
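The failure mode discussed in this thread (a 404 page echoing a request URL that carried the random value, accepted by a status-blind check) can be put side by side with a checker that honours the quoted 3.2.2.4.6 sentence. This is an added illustration for readers of the thread, not code from GoDaddy, Mozilla or the ballot; the two stand-in servers, the paths and the token are constructed.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass
class Response:
    status: int
    body: str

Fetch = Callable[[str], Response]   # request path -> response (URL only; headers not modelled)

# Constructed stand-in for a web server that echoes the requested path into its
# 404 page and hosts no validation file at all.
def echoing_404_server(path: str) -> Response:
    return Response(404, f"<h1>Not Found</h1><p>The requested URL {path} was not found.</p>")

# Constructed stand-in for a site whose owner really did publish the token.
def hosted_server(token: str, hosted_path: str) -> Fetch:
    def fetch(path: str) -> Response:
        if path == hosted_path:
            return Response(200, token + "\n")
        return Response(404, "Not Found\n")
    return fetch

def request_leaks_content(path: str, token: str) -> bool:
    """True when the entire Required Website Content appears in the request,
    which the quoted 3.2.2.4.6 sentence forbids: a status-blind check on such a
    request is satisfied by any server that echoes the URL back."""
    return token in path

def flawed_check(fetch: Fetch, token: str) -> bool:
    """Weak logic as described in the thread: the token sits in the URL and
    only the body is inspected, whatever the status code."""
    resp = fetch(f"/.well-known/pki-validation/{token}.txt")
    return token in resp.body

def strict_check(fetch: Fetch, path: str, token: str) -> bool:
    """Refuses to send a request that carries the token, then accepts only a
    200 response whose body contains it."""
    if request_leaks_content(path, token):
        raise ValueError("Required Website Content must not appear in the request")
    resp = fetch(path)
    return resp.status == 200 and token in resp.body

if __name__ == "__main__":
    token = "c3b1f0e2d9a7"   # constructed random value
    print(flawed_check(echoing_404_server, token))                                          # True (forged success)
    print(strict_check(echoing_404_server, "/.well-known/pki-validation/dv.txt", token))    # False
```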