Based on reported issues with TLS-SNI-01, we started investigation of our systems late yesterday regarding the use of "Test Certificate" validation, BR section 3.2.2.4.9.
We found that this method may be vulnerable to some of the same underlying issues as the ACME TLS-SNI-01, so we disabled it at 10:51 AM today EST, January 11th. While TLS-SNI-01 uses a host name like 773c7d.13445a.acme.invalid, GlobalSign uses the actual host name, www.example.com, which limits abuse, but we believe that the process might be vulnerable in some cases. We're continuing to research this and will let you know what we find.

Doug

Doug Beattie
Vice President of Product Management
GlobalSign
Two International Drive | Suite 150 | Portsmouth, NH 03801
Email: doug.beat...@globalsign.com
www.globalsign.com

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy