Hi,
While I was connected to an IPv6-only network I noticed, that some CAs
(e.g. Amazon, DigiCert, GoDaddy, QuoVadis) do not provide IPv6 on their
CRL and OCSP endpoints. This means that certificate revocation does not
work if you have no IPv6 or, depending on your security policy (e.g.
require va
Hi
Thanks for investigating.
First of all, my previously curl command is not suitable to verify a
OCSP status. It only works for OCSP stapling which is not supported by
Google servers.
You may use openssl ocsp instead:
openssl ocsp -issuer [GoogleInternetAuthorityG2.crt] -cert
[googlecom.crt] -ur
Hi
Google delivers the certificate [1] to me, for *.google.com,
*.youtube.com and other major services.
However, the OCSP service [2] does not work for me. I verified this from
multiple locations, machines, OSes and versions of Firefox. Furthermore,
I used SSL Labs [3] and the status on crt.sh [1]
Hi
Does this also affect the root CA of StartCom Class 4 (EV) and Class 3
(OV) certs?
Regards,
Jonas
Am 30.11.2016 um 21:32 schrieb
certificate-authority-prog...@group.apple.com:
> We are taking further actions to protect users in an upcoming security
> update. Apple products will block cert
The affected cert has been logged here: https://crt.sh/?id=34242572
Am 24.09.2016 um 02:33 schrieb Richard Wang:
> First, I must make declaration that I don't know "Showfom", and I don't know
> if he/she is a WoSign customer.
>
> As I said in my final statement that I wish all Mozilla trusted CA
I think that's the security.pki.sha1_enforcement_level pref [1][2].
Regards,
Jonas
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=942515#c35
[2]
https://blog.mozilla.org/security/2016/01/06/man-in-the-middle-interfering-with-increased-security/
Am 16.09.2016 um 16:53 schrieb therickf...@gma
Of course, adding the affected certs to OneCRL should be done immediately.
WoSign also has to be transparent about all (mis) issued certs in the
past and have to provide this info in the future.
If they can't, I think we may consider if the current certs that are
valid for 3 years should be restri
Hi
As far as I know we have the following status:
> Add a security warning to the Web Console to remind developers that
they should not be using a SHA-1 based certificates
Has already been fixed. But currently SHA-1 is only exposed in the
console, not on the lock icon so far.
> Show the “Untrust
JFYI:
https://oalmanna.blogspot.com/2016/03/startssl-domain-validation.html
https://startssl.com/NewsDetails?date=20160322
https://startssl.com/NewsDetails?date=20160323
Regards,
Jonas
signature.asc
Description: OpenPGP digital signature
___
dev-secur
Hi
We're already having some discussions about SHA-1, but I'll split this
up into a new thread.
The initial goal of bug 942515 was to mark certs as insecure, that are
valid 'notBefore >= 2016-01-01' (means issued to use in 2016+) AND also
for certs that are valid 'notAfter >= 2017-1-1' (means sti
We failed because of MITM certs:
https://blog.mozilla.org/security/2016/01/06/man-in-the-middle-interfering-with-increased-security/
But you can set security.pki.sha1_enforcement_level manually.
Am 16.01.2016 um 00:16 schrieb gdelgad...@gmail.com:
> it's early 2016 and wondering if a decision ha
I would like to see SHA-3 signatures and Ed25519/curve25519 ASAP.
The later one is not that far away [1].
Maybe it's the right time to consider them?
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=957105
Am 05.11.2015 um 19:46 schrieb Kathleen Wilson:
> The next two topics to discuss [1] have
It seems that we are going to untrust SHA-1 generally on July 1, 2016
[1]. Do we already have a bug number for this? I can't find any.
I think certificates with 'notAfter >= 2017-7-1' should get a triangle
instead of the lock icon from now.
[1]
https://blog.mozilla.org/security/2015/10/20/continui
Hi
AFAIK we didn't have any Root Inclusion Request from Let's Encrypt yet.
Did I miss something?
Regards,
Jonas
signature.asc
Description: OpenPGP digital signature
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://li
There was also a plan for certificates with 'notAfter >= 2017-1-1'
(still valid in 2017+).
Chrome already shows a broken https icon for them.
See https://sha1-2017.badssl.com/
This was discussed in https://bugzilla.mozilla.org/show_bug.cgi?id=942515
Am 21.10.2015 um 10:17 schrieb Kurt Roeckx:
Yes, some hosts are pinned:
https://dxr.mozilla.org/mozilla-central/source/security/manager/tools/PreloadedHPKPins.json
MITM is *always* bad and breaks the web. Modern browsers, especially
Firefox, have great features to protect the users and this is something
good. I'm pretty sure your students d
Thank you!
Please inform me if you were successful.
Regards,
Jonas
Am 06.02.2015 um 16:43 schrieb Medin, Steven:
> I will contact the Swiss BIT and discuss.
>
> Kind regards,
> Steven Medin
> Product Manager, Identity and Access Management
> Verizon Enterprise Solutions
>
>
> -Original Me
Hi all
A few weeks ago, I got some mails about a broken iframe. The secure
connection to the remote server failed (OCSP error). The site was signed
by Swiss Government SSL CA 01. I contacted the technical support and
they told me, that the Federal Office of Information Technology, Systems
and Tele
Am 22.09.2014 um 14:56 schrieb Henri Sivonen:
> On Wed, Sep 17, 2014 at 6:20 PM, Richard Barnes wrote:
>> -- Use of ciphersuites with forward secrecy
> Yes, but I think it makes sense to go further with ciphersuites. At
> minimum, RC4 should not qualify, but given how easy it is to enable
> AES-G
ka wrote:
>> On Sat, 06 Sep 2014 16:34:06 +0200, Sjw wrote:
>>> Hi everyone
>>>
>>> At present, there are a lot of articles, that the weak SHA1
>>> certificates
>>> with a long duration will be marked as weak/insecure in some browsers
>>&
Hi
I would support your idea, but it's quite hard to implement it. If a
server use TLS 1.2 and HSTS, you still don't know if the connection is
really secure.
But it would be easier if Firefox would show more details about
protocol, ciphers etc.
Am 17.09.2014 um 17:20 schrieb Richard Barnes:
> He
Hi everyone
At present, there are a lot of articles, that the weak SHA1 certificates
with a long duration will be marked as weak/insecure in some browsers
soon and in a few years they won't be accepted anymore.
Does Mozilla have similar plans? Sadly I can't found a similar option in
current Nightl
22 matches
Mail list logo