On 1/21/2018 7:47 AM, Paul Kehrer wrote:
> Is there a known contact to report it (or is someone with a Google hat
> reading this anyway)?

On Friday (two days ago), I reported this to dns-ad...@google.com, the only E-mail address in the WhoIs record for google.com. I received an automated reply indicating that security issues should instead be reported to secur...@google.com. I immediately resent (Thunderbird's Edit As New Message) to secur...@google.com.

I then received an automated reply from secur...@google.com that listed a variety of Web addresses for reporting various problems. I replied via E-mail to secur...@google.com:
> Because of the OCSP failure, I am unable to reach any of the google.com
> Web sites cited in your reply.

Yes, I could disable OCSP checking. But my need for Google is insufficient for me to browse insecurely.

By the way, in SeaMonkey 2.49.1 (the latest version) the Google Internet Authority G2 certificate appears to be an intermediate, signed by the GeoTrust Global CA root. There is a pending request (bug #1325532) from Google to add a Google root certificate to NSS. Given the inadequacy of Google's current information on reporting security problems, I have doubts whether this request should be approved. See <https://bugzilla.mozilla.org/show_bug.cgi?id=1325532>.

--
David E. Ross
<http://www.rossde.com/>

President Trump: Please stop using Twitter. We need to hear your voice and see you talking. We need to know when your message is really your own and not your attorney's.