On Sunday, January 21, 2018 at 8:13:30 AM UTC-8, David E. Ross wrote:
> On 1/21/2018 7:47 AM, Paul Kehrer wrote:
> > Is there a known contact to report it (or is someone with a Google hat
> > reading this anyway)?
> On Friday (two days ago), I reported this to dns-ad...@google.com, the
> only E-mail address in the WhoIs record for google.com.
> I received an automated reply indicating that security issues should
> instead be reported to secur...@google.com. I immediately resent
> (Thunderbird's Edit As New Message) to secur...@google.com.
> I then received an automated reply from secur...@google.com that listed
> a variety of Web addresses for reporting various problems. I replied
> via E-mail to secur...@google.com:
> > Because of the OCSP failure, I am unable to reach any of the google.com
> > Web sites cited in your reply.
> Yes, I could disable OCSP checking. But my need for Google is
> insufficient for me to browse insecurely.
> By the way, in SeaMonkey 2.49.1 (the latest version) the Google Internet
> Authority G2 certificate appears to be an intermediate, signed by the
> GeoTrust Global CA root.
> There is a pending request (bug #1325532) from Google to add a Google
> root certificate to NSS. Given the inadequacy of Google's current
> information on reporting security problems, I have doubts whether this
> request should be approved.
> See <https://bugzilla.mozilla.org/show_bug.cgi?id=1325532>.
> David E. Ross
> President Trump: Please stop using Twitter. We need
> to hear your voice and see you talking. We need to know
> when your message is really your own and not your attorney's.
We are investigating the issue and will provide an update when that
investigation is complete.
Thank you for letting us know.
dev-security-policy mailing list