Back in 2010 all of our testing was manual. We've been investing in automated testing over the last three years. Now we are focusing that effort on the new Ballot 169 methods with a heightened awareness of false positives like this one, and detection of potential vulnerabilities.
> -----Original Message-----
> From: dev-security-policy [mailto:dev-security-policy-[email protected]] On Behalf Of Gervase Markham
> Sent: Monday, January 16, 2017 3:49 AM
> To: [email protected]
> Subject: Re: GoDaddy verification issue history appears incomplete: possible regression of bug in 2010
>
> On 13/01/17 17:10, Fred Emmott wrote:
> > In January 2010, I reported two issues to GoDaddy, with an example
> > certificate that should have been rejected: - their website-based
> > authentication required a request to an URL including a random string
> > to include the same random string.
>
> Reading through your bug report, it does seem like the problem you
> encountered was very similar to that recently reported. Perhaps Wayne
> would care to comment?
>
> While there are no audits for the QA process of a CA, domain validation is the
> /sine qua non/ of certificate issuance and I would hope and expect all CAs to
> have robust testing processes surrounding any changes to this part of their
> issuance infrastructure, both testing that certificates are issued for domains
> they should be, and that they are not issued for domains that they should
> not be, under an adversarial threat model.
>
> Gerv
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
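The false positive Fred describes (a validator that puts the random string in the request URL and then only looks for that string somewhere in the response) and the positive-plus-negative adversarial testing Gerv asks for are easy to show side by side. The following is an added example, not code from GoDaddy, Mozilla or anyone in this thread. The exact URL shape of the old check (`/<random>`), the well-known file name used by the hardened check, and the simulated web servers are all assumptions constructed for the demonstration; the hardened check only borrows the general shape of the Ballot 169 "Agreed-Upon Change to Website" method (a file under `/.well-known/pki-validation/`).

```python
"""Weak vs. hardened website-based domain validation, with an adversarial suite.

Added example, not the code of any party in the thread. A server is modelled
as a function path -> (status, body); the servers below are constructed for
this demonstration. The weak validator reproduces the shape of the check Fred
Emmott reported (random value in the URL, substring match on the body); the
hardened one keeps the random value out of the URL and requires an exact match.
"""
import secrets
import string
from typing import Callable, Dict, Tuple

Fetch = Callable[[str], Tuple[int, str]]  # path -> (HTTP status, body)


def make_server(files: Dict[str, str], echo_path_in_404: bool) -> Fetch:
    """Constructed web server: serves `files`, and optionally produces the
    common kind of error page that echoes the requested path back."""
    def fetch(path: str) -> Tuple[int, str]:
        if path in files:
            return 200, files[path]
        if echo_path_in_404:
            return 404, f"<h1>Not Found</h1><p>The requested URL {path} was not found.</p>"
        return 404, "<h1>Not Found</h1>"
    return fetch


def new_random_value(n: int = 32) -> str:
    """CA-chosen random value (CSPRNG, alphanumeric so it is URL/file safe)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(n))


def weak_validate(fetch: Fetch, random_value: str) -> bool:
    """Flawed check (assumed shape of the 2010 bug): the random value is part
    of the request URL and the validator only checks that it appears
    somewhere in the response. Any server that reflects the path passes."""
    _status, body = fetch(f"/{random_value}")
    return random_value in body


# File name is an assumption; only the /.well-known/pki-validation/ prefix
# follows the Ballot 169 "Agreed-Upon Change to Website" method.
WELL_KNOWN_FILE = "/.well-known/pki-validation/ca-challenge.txt"


def strict_validate(fetch: Fetch, random_value: str) -> bool:
    """Hardened check: the random value never appears in the URL, so a
    reflected path cannot satisfy it; the file must come back with 200 and
    its whole content (whitespace tolerated) must equal the value."""
    if random_value in WELL_KNOWN_FILE:
        raise ValueError("random value must not be derivable from the request")
    status, body = fetch(WELL_KNOWN_FILE)
    if status != 200:
        return False
    return body.strip() == random_value


def run_adversarial_suite() -> Dict[str, bool]:
    """Gerv's two-sided test: a legitimate applicant must pass, and a domain
    the applicant does not control must fail, including a hostile-looking one."""
    rv = new_random_value()
    # Applicant who controls the site and placed the value where instructed.
    legit_for_weak = make_server({f"/{rv}": rv}, echo_path_in_404=False)
    legit_for_strict = make_server({WELL_KNOWN_FILE: rv + "\n"}, echo_path_in_404=False)
    # Sites the applicant does NOT control.
    reflecting = make_server({}, echo_path_in_404=True)
    plain = make_server({}, echo_path_in_404=False)
    return {
        "weak/legit": weak_validate(legit_for_weak, rv),        # True
        "weak/reflecting": weak_validate(reflecting, rv),       # True: the false positive
        "weak/plain": weak_validate(plain, rv),                 # False
        "strict/legit": strict_validate(legit_for_strict, rv),  # True
        "strict/reflecting": strict_validate(reflecting, rv),   # False
        "strict/plain": strict_validate(plain, rv),             # False
    }


if __name__ == "__main__":
    for name, would_issue in run_adversarial_suite().items():
        print(f"{name:18s} -> {'ISSUE' if would_issue else 'reject'}")
```

The suite is the kind of regression test a CA can keep permanently: the `weak/reflecting` case is exactly the certificate that "should have been rejected", and any future change to the validation code that turns `strict/reflecting` into `True` fails the build rather than surfacing on the mailing list.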

