Hi Wayne, Thanks for these prompt and detailed responses.
On 12/01/17 00:27, Wayne Thayer wrote: > Our initial response as reported yesterday was to fix the bug > introduced in July. Based on internal discussions and comments here, > as of 12 midnight PST last night (1/11) we stopped using this method > of file based domain control validation. That seems like an excellent idea, at least until you can alter the system to make it so that the random value is not part of the URL requested. > As soon as we learned of this issue, we went through every > certificate that was validated with the HTML method utilized during > this period and attempted to verify. If it could not be immediately > verified, we revoked the certificate. That seems like an excellent process. > When we learned of this issue, we re-validated every affected > certificate. If we were unable to properly validate, we revoked the > certificate. That is how we got the total of 8,951 revoked > certificates. Are you able to say how many certificates were successfully revalidated? > As soon as we discovered the bug, we ran a report to identify every > certificate that didn’t fail the domain validation check during the > period the bug was active. We then started scanning websites to see > which ones were able to re-pass the proper validation check. If they > passed, we removed the certificate from the list. If we were unable > to revalidate the certificate, we revoked it. If there was any > question if the certificate was properly verified, we revoked it. So you re-validated pretty much everything? Wow. That must be a lot of sites. Not a requirement or a command, but it may be wise to improve your logging, because if you had stored the website's response and status code verbatim, you would not have needed to revalidate as many certificates (because you could have skipped those that responded "200" first time), and may have been able to revoke far fewer. Gerv _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy