The certificate [1] in the GitHub link you posted was issued by Comodo, not
by GeoTrust. The two share a private key, though, so both the Comodo and
GeoTrust certs should be considered compromised at this point. I've added
the Comodo-issued cert to several CT logs for tracking, and I'm CCing
[email protected] for followup.

I've also found the final GeoTrust cert [2] in the git revision history and
logged it (you had linked to the precertificate). According to OCSP,
DigiCert has revoked the GeoTrust certificate as of 2018-08-04 07:13:32 UTC.

Alex

[1]: https://censys.io/certificates/04db0e79f2aa22d91f66fdea2b03193b04d1987b5ae5f3b5ce326e9539bde550
[2]: https://censys.io/certificates/de549fa946e0564e4d50f21ced16035f1dc25be26099a7add70d55efb39d5811



On Thu, Aug 2, 2018 at 11:07 PM summern1538--- via dev-security-policy <[email protected]> wrote:

> Hello Ben,
>
> Thanks for your fast response and help.
>
> After a bit of research I also found the source with the key:
>
> https://github.com/meganz/MEGAsync/blob/master/src/MEGASync/control/Preferences.cpp
>
> As it is public I think it should not be a problem to post it here.
>
> Best Regards
> Norbert
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
>
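Added example, not part of the original thread or of any project mentioned in it: one way to confirm that two certificates from different issuers certify the same key is to compare the SHA-256 of their SubjectPublicKeyInfo. The function names, the throwaway CA names, `host.example` and the use of Ed25519 keys are assumptions made for this sketch; the certificates are constructed in the code.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// spkiHash returns the hex SHA-256 of a DER certificate's SubjectPublicKeyInfo.
func spkiHash(der []byte) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%x", sha256.Sum256(cert.RawSubjectPublicKeyInfo)), nil
}

func newKey() ed25519.PrivateKey { // throwaway key for the constructed certificates
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	return priv
}

// issue builds a constructed certificate for leaf's public key, signed by a throwaway CA named issuerCN.
func issue(leaf ed25519.PrivateKey, issuerCN string, serial int64) ([]byte, error) {
	ca := &x509.Certificate{Subject: pkix.Name{CommonName: issuerCN}}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "host.example"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, leaf.Public(), newKey())
}

// sharedKey reports whether two DER certificates certify the same public key.
func sharedKey(a, b []byte) bool {
	ha, errA := spkiHash(a)
	hb, errB := spkiHash(b)
	return errA == nil && errB == nil && ha == hb
}

func main() {
	k := newKey()
	a, _ := issue(k, "Constructed CA One", 1)
	b, _ := issue(k, "Constructed CA Two", 2)
	fmt.Println("same key under both issuers:", sharedKey(a, b))
}
```

A match means every certificate carrying that SPKI hash is affected by the same key exposure, whichever CA issued it.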