On Wednesday, 25 July 2018 21:08:59 UTC, michel.le...@gmail.com wrote:
> Hello,
>
> My domain registrar who is also a certificate authority just issued a
> precertificate (visible in CT logs) and a valid
> certificate for my domain. This is part of their new offer to automatically
> offer free
On 15/03/2018 at 20:04, Wayne Thayer wrote:
This incident, and the resulting action to "integrate GlobalSign's certlint
and/or zlint into our existing cert-checker pipeline" has been documented
in bug 1446080 [1]
This is further proof that pre-issuance TBS certificate linting (either by
> During final tests for the general availability of wildcard
> certificate support, the Let's Encrypt operations team issued six test
> wildcard certificates under our publicly trusted root:
>
> https://crt.sh/?id=353759994
> https://crt.sh/?id=353758875
> https://crt.sh/?id=353757861
>
> Therefore, it is not unreasonable to assume that this key has been
> compromised.
So it means that any private keys generated on that website could be
compromised:
- If any third-party JS were compromised (and we know how insecure
js-based ads are - last time it was a crypto miner on
It can be confusing even for people following these things. That's where I
think collecting problem reporting info from audited sub-CAs in CCADB would
help.
For everyone else, finding the correct problem reporting information is
mostly a matter of luck. Perhaps we should require an email address
The thing is, extraneous names on a certificate present a subtle
security flaw, even if control over those names was validated properly
I agree, if the user is not fully aware of these additions, it can add
subtle security flaws such as "virtual host confusion attacks" (
Nevertheless, WoTrus is (presumably) a commercial operation. Whoever owns that
organization bought or built it with an expectation of at least the possibility
of commercial success (profit). The organization's long term success requires
inclusion in major root programs.
For information,
Following that discovery, I've searched for odd (invalid?) DNS names.
Here is the list of certificates I've found; it may overlap some
discoveries already reported.
If I'm correct, these certificates are not revoked, not expired, and
probably trusted by Mozilla (crt.sh issuers are marked trusted by
The "www..*" search is also interesting, I think:
https://crt.sh/?dNSName=www..%25
crt.sh ID   Logged At    Not Before   Identity             Issuer Name
39744873    2016-10-02   2012-12-29   www..coinfling.com
38647998    2016-10-01   2011-03-24
On 27 June 2017 at 11:44, Alex Gaynor via dev-security-policy
wrote:
> I'll take the opposite side: let's disallow it before its use expands :-)
> P-521 isn't great, and there's really no value in proliferation of crypto
> algorithms, as someone told me: