On 1/21/2018 7:47 AM, Paul Kehrer wrote:
> Is there a known contact to report it (or is someone with a Google hat
> reading this anyway)?

On Friday (two days ago), I reported this to dns-ad...@google.com, the
only E-mail address in the WhoIs record for google.com.

I received an automated reply indicating that security issues should
instead be reported to secur...@google.com. I immediately resent
(Thunderbird's Edit As New Message) to secur...@google.com.

I then received an automated reply from secur...@google.com that listed
a variety of Web addresses for reporting various problems.  I replied
via E-mail to secur...@google.com:
> Because of the OCSP failure, I am unable to reach any of the google.com
> Web site cited in your reply.

Yes, I could disable OCSP checking.  But I my need for Google is
insufficient for me to browse insecurely.

By the way, in SeaMonkey 2.49.1 (the latest version) the Google Internet
Authority G2 certificate appears to be an intermediate, signed by the
GeoTrust Global CA root.

There is a pending request (bug #1325532) from Google to add a Google
root certificate to NSS.  Given the inadequacy of Google's current
information on reporting security problems, I have doubts whether this
request should be approved.

See <https://bugzilla.mozilla.org/show_bug.cgi?id=1325532>.

-- 
David E. Ross
<http://www.rossde.com/>

President Trump:  Please stop using Twitter.  We need
to hear your voice and see you talking.  We need to know
when your message is really your own and not your attorney's.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to