Re: Cerificate Concern about Cloudflare's DNS

On Tue, Sep 13, 2016 at 07:04:31AM -0700, Han Yuwei wrote: > 在 2016年9月13日星期二 UTC+8下午7:12:22，Matt Palmer写道： > > On Mon, Sep 12, 2016 at 08:38:00PM -0700, Han Yuwei wrote: > > > 在 2016年9月13日星期二 UTC+8上午8:07:31，Matt Palmer写道： > > > I am the owner of BUPT.MOE and I just use DNS service. > > > > And

Re: Sanctions short of distrust

On Monday, September 12, 2016 at 2:46:40 PM UTC-7, Ryan Sleevi wrote: > On Wednesday, August 31, 2016 at 12:43:50 PM UTC-7, Nick Lamb wrote: > > I have spent some time thinking about this, but I am only one person, and > > one with relatively little in-depth knowledge of the Mozilla project, so I

Re: Sanctions short of distrust

On 13/09/2016 16:56, Peter Bowen wrote: On Tue, Sep 13, 2016 at 7:53 AM, Ryan Sleevi wrote: We also see a variety of domains using certs from either for purposes that are ostensibly not relevant to browsers - a frequent dead give-away is a cert for autodiscover.[example.com]

Re: Sanctions short of distrust

On 13/09/2016 16:47, Ryan Sleevi wrote: On Monday, September 12, 2016 at 8:30:07 PM UTC-7, Jakob Bohm wrote: A variation of this, would be to create (compacted) whitelists for specific old intermediary certs, It sounds like you haven't been following this conversation, but the entire point

Re: Sanctions short of distrust

(Apologies for shortness and lack of context. My home is being redecorated so no non-work PCs powered on) Ryan's example doesn't work, autodiscover is a sign of MS Exchange but that means OWA Outlook Web Access may be enabled. Which means web browsers see that certificate.

Re: Sanctions short of distrust

On Tuesday, September 13, 2016 at 7:56:20 AM UTC-7, Peter Bowen wrote: > I would be careful reading too much into server names. > mail.[example.com] might host web based email access. For example, > I'm typing this into a site called mail.google.com :) Apologies that the conjunctive and was not

Re: Sanctions short of distrust

On Tue, Sep 13, 2016 at 7:53 AM, Ryan Sleevi wrote: > We also see a variety of domains using certs from either for purposes that > are ostensibly not relevant to browsers - a frequent dead give-away is a cert > for autodiscover.[example.com] - which is an Exchange

Re: Sanctions short of distrust

On Monday, September 12, 2016 at 8:30:07 PM UTC-7, Jakob Bohm wrote: > A variation of this, would be to create (compacted) whitelists for > specific old intermediary certs, It sounds like you haven't been following this conversation, but the entire point of restarting this thread, and in the

Re: Sanctions short of distrust

On Monday, September 12, 2016 at 8:01:36 PM UTC-7, Peter Bowen wrote: > I'm trying to think of this as potentially reusable code. Just > because IssuerA is quasi-trusted for example.com doesn't mean IssuerB > should be. From a logic perspective, setting the whitelist per issuer > means you are

Re: Sanctions short of distrust

On Mon, Sep 12, 2016 at 2:46 PM, Ryan Sleevi wrote: > > Consider if we start with the list of certificates issued by StartCom and > WoSign [...] Extract the subjectAltName from every one of these certificates, > and then compare against the Alexa Top 1M. This yields more than

Re: Cerificate Concern about Cloudflare's DNS

On Mon, Sep 12, 2016 at 08:38:00PM -0700, Han Yuwei wrote: > 在 2016年9月13日星期二 UTC+8上午8:07:31，Matt Palmer写道： > > If Cloudflare *was*, in fact, obtaining certificates on behalf of all its > > DNS-using (only) customers on the "off chance" that they might want to use > > their proxy services in the

Re: WoSign Issue L and port 8080

On 13/09/2016 11:50, Gervase Markham wrote: On 12/09/16 19:02, Jakob Bohm wrote: Wouldn't this fall under the general auditable requirement of being careful in their practices and procedures. Ask an auditor, and they will tell you that "be careful" is not an auditable requirement. I know