On Sunday, January 21, 2018 at 8:13:30 AM UTC-8, David E. Ross wrote:
> On 1/21/2018 7:47 AM, Paul Kehrer wrote:
> > Is there a known contact to report it (or is someone with a Google hat
> > reading this anyway)?
>
> On Friday (two days ago), I reported this to dns-ad...@google.com, the
> only E-mail address in the WhoIs record for google.com.
>
> I received an automated reply indicating that security issues should
> instead be reported to secur...@google.com. I immediately resent
> (Thunderbird's Edit As New Message) to secur...@google.com.
>
> I then received an automated reply from secur...@google.com that listed
> a variety of Web addresses for reporting various problems. I replied
> via E-mail to secur...@google.com:
> > Because of the OCSP failure, I am unable to reach any of the google.com
> > Web site cited in your reply.
>
> Yes, I could disable OCSP checking. But my need for Google is
> insufficient for me to browse insecurely.
>
> By the way, in SeaMonkey 2.49.1 (the latest version) the Google Internet
> Authority G2 certificate appears to be an intermediate, signed by the
> GeoTrust Global CA root.
>
> There is a pending request (bug #1325532) from Google to add a Google
> root certificate to NSS. Given the inadequacy of Google's current
> information on reporting security problems, I have doubts whether this
> request should be approved.
>
> See <https://bugzilla.mozilla.org/show_bug.cgi?id=1325532>.
>
> --
> David E. Ross
> <http://www.rossde.com/>
>
> President Trump: Please stop using Twitter. We need
> to hear your voice and see you talking. We need to know
> when your message is really your own and not your attorney's.

We are investigating the issue and will provide an update when that investigation is complete.

Thank you for letting us know.

Ryan Hurst
Product Manager
Google
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy