I found another certificate for www.test.com that I believe was
mis-issued by GlobalSign:

        https://crt.sh/?sha256=9d503e7c6c4fb6e6d7436c07ff445b95214871ea13ac1cb3b0d7abbce9be6cfb

This certificate was issued on 2015-09-11 and is not yet expired.  I
was not paying close attention to mozilla.dev.security.policy back
then, but I can't find any mention of this certificate in the archives.

The certificate was revoked on 2015-09-11.  It is also present in
Chrome's CRLSets, although it might have been added automatically
since it's an EV cert.

Reasons I think this certificate is mis-issued:

1. The subject organization is "GMO GlobalSign Ltd" and there are
DNS SANs for globalsign-support.com and www.globalsign-support.com.
However, test.com does not appear affiliated with GlobalSign in any way.

2. The certificate has not been detected in the wild by Censys.  The
live certificate for www.test.com was issued by Network Solutions and
judging from CT, they have been using Network Solutions since at least
July 2015.

3. The same public key can also be found in the following certificate,
which has DNS SANs for globalsign-support.com and
www.globalsign-support.com but NOT www.test.com:

        https://crt.sh/?sha256=7f2c6c5d4b0f0e4f1f3b41e5c3354968b1f38350fa3c24820389b566db619b01

Regards,
Andrew
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
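
The comparison behind reason 3, as an added example that is not part of the original post: hash the SubjectPublicKeyInfo of two certificates and, when the keys match, list the DNS SANs present in one but not the other. The hostnames are constructed placeholders, the function names are hypothetical, and OpenSSL 1.1.1 or later is assumed (for `-addext`).

```sh
#!/bin/sh
# Added example. Hostnames are constructed placeholders (*.example) and the
# function names are hypothetical. Assumes OpenSSL 1.1.1+ (for -addext).

# SHA-256 over the DER SubjectPublicKeyInfo of a PEM certificate.
spki_sha256() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# DNS SANs of a PEM certificate, one per line, sorted.
dns_sans() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n1 |
        tr ',' '\n' | sed -n 's/^ *DNS://p' | sort
}

# If both certificates carry the same key, print the DNS names that appear
# in $1 but not in $2; return 1 without output when the keys differ.
extra_sans_same_key() {
    [ "$(spki_sha256 "$1")" = "$(spki_sha256 "$2")" ] || return 1
    dns_sans "$2" > "$1.other-sans"
    dns_sans "$1" | grep -vxF -f "$1.other-sans" || true
}

# Constructed sample: self-signed certificate for KEY with the given SANs.
make_cert() {  # usage: make_cert KEY OUT SAN_LIST
    openssl req -new -x509 -key "$1" -subj "/O=Example Org" -days 1 \
        -addext "subjectAltName=$3" -out "$2" 2>/dev/null
}

demo_dir=$(mktemp -d)
openssl ecparam -name prime256v1 -genkey -noout -out "$demo_dir/key.pem"
openssl ecparam -name prime256v1 -genkey -noout -out "$demo_dir/other.pem"
make_cert "$demo_dir/key.pem" "$demo_dir/base.pem" \
    "DNS:support.example,DNS:www.support.example"
# Same key as base.pem, plus one name outside the key holder's own domain.
make_cert "$demo_dir/key.pem" "$demo_dir/odd.pem" \
    "DNS:support.example,DNS:www.support.example,DNS:www.unrelated.example"
make_cert "$demo_dir/other.pem" "$demo_dir/diffkey.pem" "DNS:support.example"

echo "names only in odd.pem (same key as base.pem):"
extra_sans_same_key "$demo_dir/odd.pem" "$demo_dir/base.pem"
```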
