I'm not sure if this is the appropriate place to post this topic, but I felt 
like this is important.

I bought myself a new domain this month, and found out that there is a 3-year 
SSL certificate valid for my domain via crt.sh. 

Naturally, I contacted the Comodo SSL Abuse Dept. and got redirected to the 
reseller, Namecheap. 
After I reached out to Namecheap, they insisted that as long as I issued a new 
certificate, the valid certificate that the former domain owner had will have 
no power whatsoever (which is not true).

Quote:

```
Hello Richard!

Thank you for clarifying.

Regretfully, revocation can only be done with the authorization of certificate 
owner (i.e. the same details are required for it). 

The certificate in question is not installed on your hosting, so it will not 
affect your domain name in any way.

Unless the person with access to the certificate hacks your hosting access, 
he will not be able to use it.

As an extra measure, you can also prohibit that certificate usage with CAA DNS 
record or HPKP header.
``` 

Even after ticket escalation, they're just reassuring me that MITM somehow 
will not exist as long as I set up a new SSL cert and "there is no need to 
worry about the security of your website and the information transmitted via 
Internet".

So, according to Namecheap's statement, the WoSign accident is just a fraud and 
people who obtained github.com's certificate will do absolutely no harm to GitHub.

I will post the whole reply Namecheap sent me if someone requests it.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
