I contacted CPA Canada in early 2017 about XSS and some other issues on cert.webtrust.org.
They did not fix the issues but stated:

> CPA Canada is currently working on upgrading the WebTrust site to
> enhance the security.

As of April 2018 the issues were still unfixed. I wonder if the limited access is part of those security "enhancements"?

PS: This change also breaks "legitimate" WebTrust Seal links when either the website or the web browser is configured to not send the "Referer" header.

jomo

On 10.8.18 01:19, Kathleen Wilson via dev-security-policy wrote:
> All,
>
> In their effort to better protect WebTrust seals, CPA Canada has made
> it so we can no longer access WebTrust pdf files directly from the CCADB.
>
> I received the following response when inquiring about this.
> “”
> Thank you for contacting Chartered Professional Accountants of Canada.
> You can no longer link directly to PDF documents. You will need to go
> to the registered website where the seal is provided and click on the
> seal to obtain the document (e.g. audit report).
> Also, we are now enforcing the domain requirement when a seal is
> opened. Domain enforcement is essential to the program to prevent
> fraudulent use. It ensures that the WebTrust seals will only function
> on the certificate authority’s websites.
> If a seal is opened from a non-registered domain or other source (e.g.
> email, internal lists, etc.) the seal will not load and will display a
> notice indicating that the domain is not valid.
> “”
>
> Therefore, for the foreseeable future, please do the following when
> creating an Audit Case in the CCADB for WebTrust audits.
>
> 1) Make the PDFs of the audit statements available directly on your
> CA's website.
> OR
> Upload your audit statement PDF files to Bugzilla, as described here:
> https://ccadb.org/cas/fields#uploading-documents
>
> 2) For the audit statement link in your CCADB Audit Case either
> provide the URL to the PDF on your CA's website, or use the link to
> the document in Bugzilla.
>
> 3) Add an Audit Case Comment to indicate the URL where the WebTrust
> seals may be found on your CA’s website.
>
> 4) When you run the Audit Letter Validation (ALV), you can ignore the
> “Cleaned=Fail” ALV result. I will check the seal on your website
> manually, and add a comment to the Audit Case.
>
>
> Also, the cert.webtrust.org audit links that are currently in the root
> cert records and the intermediate cert records in the CCADB no longer
> work either. Fortunately we started archiving audit statements this
> year. So you can scroll down to the “File Archive…” section of the
> record, and you will be able to find the stored audit pdfs.
>
> Thanks,
> Kathleen
>
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
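The following is an added illustration, not part of either message above and not CPA Canada's code: a simplified model of Referer-based domain enforcement of the kind the thread describes, showing why a legitimate seal click and a link pasted into an email become indistinguishable once the browser or the CA's site suppresses the Referer header. The seal id, domain names and request headers are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed placeholder: the domains a fictional seal is registered for.
REGISTERED_DOMAINS = {"seal-1234": {"ca.example", "www.ca.example"}}


def seal_decision(seal_id: str, headers: dict) -> str:
    """Decide one seal request using only the Referer header.

    Returns 'load' (document served), 'invalid-domain' (the notice the
    thread mentions) or 'no-referer' (the request carried no Referer).
    """
    registered = REGISTERED_DOMAINS.get(seal_id, set())
    referer = headers.get("Referer")
    if not referer:
        # Nothing to check: the server cannot tell a click on the CA's own
        # site with Referrer-Policy: no-referrer (or a browser configured
        # not to send Referer) from a link opened out of an email.
        return "no-referer"
    # hostname is lower-cased and has any port stripped already.
    host = urlsplit(referer).hostname or ""
    return "load" if host in registered else "invalid-domain"


# Constructed sample requests for the same seal.
SAMPLE_REQUESTS = {
    "click on CA site": {"Referer": "https://www.ca.example/repository/"},
    "CA site with Referrer-Policy: strict-origin": {"Referer": "https://www.ca.example/"},
    "link in CCADB record": {"Referer": "https://ccadb.example/ca/1234"},
    "link in an email": {},
    "CA site with Referrer-Policy: no-referrer": {},
    "browser configured not to send Referer": {},
}


def decisions_for_sample_requests() -> dict:
    """Map each constructed request to the server's decision."""
    return {name: seal_decision("seal-1234", hdrs)
            for name, hdrs in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, decision in decisions_for_sample_requests().items():
        print(f"{name:45s} -> {decision}")
```

Only the origin-stripping policy keeps the seal working; every variant that withholds Referer collapses into the same 'no-referer' outcome, which is the breakage jomo's PS points out.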

