onal and has little technical meaning except for identifying
the cert) I feel there shouldn't be rules that make this info
needlessly long.
[1]
https://community.letsencrypt.org/t/lets-encrypt-new-hierarchy-plans/125517/18
--
Hanno Böck
https://hboeck.de/
one might want (see also previous mails) and the
mime types are one more observation I made where things aren't what they
probably SHOULD be.
I thought I'd share this observation with the community.
--
Hanno Böck
https://hboeck.de/
/?id=206075223
[2]
https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/g09ZgCRPVe0
--
Hanno Böck
https://hboeck.de/
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
and make sure they are served as application/pkix-cert.
[1] https://pki-tutorial.readthedocs.io/en/latest/mime.html
--
Hanno Böck
https://hboeck.de/
server for intermediate certs.
Checking OCSP for intermediates is less common than checking OCSP for
end entity certificates.
So there is a difference. However I still believe OCSP servers should
not be offline for longer periods of time in both cases :-)
--
Hanno Böck
https://hbo
Update:
All 4 CAs have corrected the certs and are now serving DER
encoded intermediates at the URLs.
--
Hanno Böck
https://hboeck.de/
ol behaves[1]).
Not saying this is a particularly severe impact, however it took me
some time figuring out what's going on there.
It may very well be that others have experienced impact that they were
unable to explain.
[1] https://gitlab.com/gnutls/gnutls/-/issues/981
--
Hanno Böck
https
Hi,
On Mon, 11 May 2020 10:53:26 +0200
Hanno Böck via dev-security-policy
wrote:
> I did some checks on certificates and their AIA sections and noticed
> that several Microsoft certificates were referencing intermediate
> certificates in the "CA Issuer" field that give a 4
http://sslserver.twca.com.tw/cacert/secure_sha2_2014.crt
I have informed all 4 CAs via their problem reporting mechanism from
CCADB.
--
Hanno Böck
https://hboeck.de/
tent types like text/html also happen.)
--
Hanno Böck
https://hboeck.de/
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
).
I have informed Microsoft through the contact mail address in the CCADB.
--
Hanno Böck
https://hboeck.de/
s this [2] certificate with the same key that apparently got
revoked on the 19th.
I strongly recommend Let's Encrypt (and probably all other CAs)
blacklists that key if they haven't already done so.
[1] https://crt.sh/?id=2603336468
[2] https://crt.sh/?id=2574981982
--
Hanno Böck
https://
or less valuable certificates.
--
Hanno Böck
https://hboeck.de/
ts justify some acceleration.
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
Either the Reuters story is false or your CEO's statement is false. They
can't both be true.
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
his means you can't have a valid host name that is just
xn--[something]. You can only have it if it is also a valid IDN name.
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
ok at
the security of CA issuance web systems.
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
f opportunity for the
affected CAs to explain and improve things before a distrust was
even considered. It was repeated failures and a long list of issues
that led to the distrust.
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE7375
://crt.sh/?id=287530764
I noticed that a new certificate for a different domain, but with that
same private key has been issued:
https://crt.sh/?id=638323656
I tried to report it to rev...@digicert.com - but that address was
replying with an error message...
--
Hanno Böck
https://hboeck.de/
mail
18 GMT
Next Update: Aug 11 15:34:50 2018 GMT
crt.sh also says "Good" on OCSP:
https://crt.sh/?id=630835231=ocsp
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
day. Thus we're way past the 24 hour in which they
should revoke it.
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
ssible
key combinations that could be generated with the Debian bug. There may
be more certs in the logs.)
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
SL/status/969302576649908226
So hereby I'd like to ask Comodo:
* Do you have any security vetting of your certificate reseller
partners? Do you expect them to follow good security practice?
* Do you believe - given the events of recent days - that Trustico
follows good security practice?
--
H
it, but it sounds legit.
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
d if I understand it right all of those examples
should be able to work on top of existing validation.
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
part of OneCRL and revoked they're no longer bound to any standards
at all.
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
added to
OneCRL, but I think this deserves more clarification what's going on
here.
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
hanced", which is
a subca of Baltimore Cybertrust, which belongs to Digicert.
Source: https://twitter.com/OhDearApp/status/960520419831894016
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
ted by Mozilla, ..." was referring to the chapter above,
i.e. the three Startcom+Wosign certs, not the whole mail.
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
yet.
Old bugs never die, I recommend every CA adds a check for the Debian
bug to their certificate issuance process.
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
y outside
a small circle of people knows what that is.
I think if people try the "natural" way of contacting a certificate
issuing entity this should lead to a successful outcome. (And that is
more or less "This has been issued by X, so I try to contact X".)
--
=accbb60afe2d28949e21d76f298a2f20c0a24488ad0980ea31b4c0e04b952879
I reported this to Comodo earlier today and the certificate got revoked
very quickly. It was pointed out to me that Comodo ITSM was developed
by Comodo Security Solutions and that Comodo CA played no part in the
development of that software.
--
Hanno
kinda okay. The cleaner solution is to connect via http
and the localhost IP (127.0.0.1), which should not throw mixed
content warnings - however not all browsers support that yet.
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21
them aware, but I have no knowledge of what happened
afterwards.)
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
itted by some third party. (everyone can do so.)
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
Thanks, I also got it in the meantime and submitted it to CT:
https://crt.sh/?id=287530764
Bugreport:
https://bugzilla.mozilla.org/show_bug.cgi?id=1427034
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
cate... which doesn't appear on
> crt.sh yet
I'm not able to reproduce this. Right now if I install battle.net I
don't get a listening port on 22886 at all. Can you please export the
certificate and send it here?
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA
users who followed these instructions.
Starting January 1st all lawyers in Germany have to use this beA
software.
Article in German:
https://www.golem.de/news/bea-bundesrechtsanwaltskammer-verteilt-https-hintertuere-1712-131845.html
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hbo
ow_bug.cgi
Cert EA:
https://crt.sh/?id=54134792
Bug Blizzard:
https://bugzilla.mozilla.org/show_bug.cgi?id=1425166
Cert Blizzard:
https://crt.sh/?id=26142
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA58800
should be to have one security level that is the
default (HTTPS+DV) and make that as secure as possible. The community
should therefore try to strengthen the CA ecosystem as a whole and not
try to make any "special" certificates.
--
Hanno Böck
https://hboeck.de/
m
y not concerned about the people following these things
closely and are members of this list, but about random other people who
happen to find problems. It surely seems beneficial for the certificate
ecosystem to make sure that they can easily find the right place to
report problems.
--
Hann
ts brought to the subca are properly handled?
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
cause.
Best regards,
StartCom Certification Authority
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
are taken seriously.
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
a single IP or fqdn, but don't really
consider the case that 2 CNs can be present), though this is
clearly malformed.
I have informed telesec / Deutsche Telekom about this (this is
indirectly signed by them) via their contact form.
I haven't checked if other such certificates exist.
--
Hanno Böck
7-make-caa-checking-mandatory/
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
for revocation (and I
could revoke it myself, given that I have the private key).
I have also tried to get a cert with a debian weak key from the
free trial offerings from Comodo and Symantec. Both rejected the
request.
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG
or the software to be fixed/replaced.
I'm more worried by this statement than by the actual bug.
If you're a CA and are not able to fix a bug in your product in a timely
manner then you probably shouldn't be a CA.
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha..
On Tue, 18 Jul 2017 21:43:28 +0200
Hanno Böck via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:
> It has this commonname:
> commonName= .guidedstudies.com
>
> Well... that's also not a valid hostname...
And of course it's not t
This one
https://crt.sh/?id=637932
is also interesting.
It is not expired, but revoked.
It has this commonname:
commonName= .guidedstudies.com
Well... that's also not a valid hostname...
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboe
and looping through tlds - I only searched for ..tld. It
would certainly be valuable to search further.)
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
s? public keys? spki hashes? share it in public
or only between CAs?).
Ultimately I'm inclined to say that there really shouldn't be any good
reason at all to ever reuse a key. (Except... HPKP)
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BB
of the specific certificates. It's up to mozilla
when they'll open it, but from my side I think this can go public.
[1] https://wiki.mozilla.org/CA/Communications#April_2017_Responses
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1378074
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
on in apache soon.
Also CII is interested in funding efforts that improve the state of ocsp
stapling.
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
e error message
looks to me that it's the webpage's certificate, not the root, that's
signed with sha1. But I may be wrong, would have to check.
Sometimes error messages are misleading and sometimes strange things
happen when websites send all kinds of wrong certs within a chain.
--
Hanno Böck
ht
eing that error message?
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
cause the certificate format X.509 requires certificates to
have a signature on themselves.
Therefore afaik it's generally considered okay if root certificates have
SHA1 signatures. You probably wouldn't create new ones with such
signatures, but there is no risk for the ecosystem in keeping existing
rves. If you want more secure curves look
at them and push standards forward so they can be used within X.509.
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
g, but at least they seem to not issue certs for
other people's domains.
* There's one cert issued by "SHECA" which is itself an intermediate
signed by "UniTrust". It's issued for a public IP. UniTrust seems to
be accepted by Apple+Microsoft, but not
happened it would've made some noise.
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
d by that at all.
(By the way I always found the "secret server name" idea wrong and I
would generally recommend against local CAs in almost all cases. It
adds a lot of complexity and I assume it often creates more problems
than it solves.)
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@
all
requirements combined. It also probably means that diversity in CT
requirements between different browsers doesn't make a whole lot of
sense.
So one could ask: Should mozilla just say "we agree with everything
Chrome does" ?
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
Hello,
I think I have asked two reasonable questions here.
Can we get an answer?
On Tue, 4 Oct 2016 14:33:38 +0200
Hanno Böck <ha...@hboeck.de> wrote:
> There seem to be more certificates of that kind that weren't mentioned
> in the incident report. Here's a .re / www.re certific
will be
expired. The number of the remaining ones is probably low enough to
make whitelisting feasible.
I haven't checked CT logs for expiration dates, so this is more a
guess, but given the history of cert issuance and the reasonable
assumption most certs used the free option this seems plausible.
--
H
e issue?
The First Data request sent to the cabf list indicates that they
started the transition in 2014.
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
?
Also my understanding is that the error here was that control over the
www.[domain] subdomain would indicate control over [domain]. Does that
mean that this bug could've been used to also get wildcard certificates
in the form of *.[tld]?
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha
[2] https://twitter.com/ryancdotorg/status/780470538686697472
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
oogle page.
Maybe it'd be a good idea to provide a link to an alternative archive
option? The list is archived at mail-archive.com:
https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B93757
ents it
and it may reduce misissuances.
I'm inclined to say every CA should implement CAA, but it seems last
time this was discussed in the CA/Browser-Forum they agreed to make
this a SHOULD, not a MUST.
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B93757
to
see at the very least some very clear and specific guidelines on how to
filter or escape them. What I'd like to have is something that can be
checked and pointed out by security researchers if it isn't done.
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
mails must not use HTML and must not contain any
user-controlled content.
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
e could've been avoided if people hadn't
deployed sub-standard crypto implementations. SHA2-based certificates
were available since the 90s.
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
.
Is your collection public?
--
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42