Re: "Cert spam", or certs with huge numbers of hosts.

2014-10-28 Thread John Nagle
On 10/23/2014 02:00 PM, Richard Barnes wrote: illa and the CA/Browser Forum. And I suspect it is related to this: http://blog.cloudflare.com/introducing-universal-ssl/ I previously wrote "You're probably right". He was. As of the January 2014 U. Mich scan of IPv4 space: Number of IPv4 sit

Re: "Cert spam", or certs with huge numbers of hosts.

2014-10-24 Thread fhw843
o) the whois lists a privacy service in Panama, so who exactly are they?!?   Original Message   From: John Nagle Sent: Friday, October 24, 2014 12:29 PM To: dev-security-policy@lists.mozilla.org Reply To: na...@sitetruth.com Subject: Re: "Cert spam", or certs with huge numbers of

Re: "Cert spam", or certs with huge numbers of hosts.

2014-10-24 Thread John Nagle
On 10/24/2014 06:14 AM, Hubert Kario wrote: On Thursday 23 October 2014 14:30:59 John Nagle wrote: To use Cloudflare you need to transfer the domain to Cloudflare. So it's hardly a MITM. It's a forward proxy service. Not quite. You have to aim the DNS at Cloudflare, not transfer the owner

Re: "Cert spam", or certs with huge numbers of hosts.

2014-10-24 Thread Hubert Kario
On Thursday 23 October 2014 14:30:59 John Nagle wrote: > On 10/23/2014 02:00 PM, Richard Barnes wrote: > illa and the CA/Browser Forum. > > > And I suspect it is related to this: > > http://blog.cloudflare.com/introducing-universal-ssl/ > > You're probably right. What Cloudflare provides by

Re: "Cert spam", or certs with huge numbers of hosts.

2014-10-24 Thread Peter Gutmann
John Nagle writes: >There's a real risk here. A break-in at any of those sites allows >impersonating all of them. This creates a huge attack surface. It's actually a lot worse than that, see "Virtual Host Confusion: Weaknesses and Exploits" by Antoine Delignat-Lavaud and Karthikeyan Bhargavan

Re: "Cert spam", or certs with huge numbers of hosts.

2014-10-23 Thread Matt Palmer
On Thu, Oct 23, 2014 at 02:30:59PM -0700, John Nagle wrote: > On 10/23/2014 02:00 PM, Richard Barnes wrote: >You're probably right. What Cloudflare provides by default is > "Flexible SSL", in which Cloudflare acts as a MITM: Cloudflare acts as a MITM for *all* SSL modes -- because it needs to

Re: "Cert spam", or certs with huge numbers of hosts.

2014-10-23 Thread John Nagle
On 10/23/2014 02:00 PM, Richard Barnes wrote: illa and the CA/Browser Forum. And I suspect it is related to this: http://blog.cloudflare.com/introducing-universal-ssl/ You're probably right. What Cloudflare provides by default is "Flexible SSL", in which Cloudflare acts as a MITM: "For a

Re: "Cert spam", or certs with huge numbers of hosts.

2014-10-23 Thread Richard Barnes
> On Oct 23, 2014, at 4:51 PM, Ryan Sleevi > wrote: > > On Thu, October 23, 2014 1:08 pm, John Nagle wrote: >> Examine the cert of "https://www.sevendays.co". >> >> Here's one of those certs with a huge number of unrelated hosts. >> This seems to be a Cloudflare legacy setup from the pre-TLS

Re: "Cert spam", or certs with huge numbers of hosts.

2014-10-23 Thread Ryan Sleevi
On Thu, October 23, 2014 1:08 pm, John Nagle wrote: > Examine the cert of "https://www.sevendays.co". > > Here's one of those certs with a huge number of unrelated hosts. > This seems to be a Cloudflare legacy setup from the pre-TLS era. > Unfortunately, this cert became valid on 10/09/2014. I

Re: "Cert spam", or certs with huge numbers of hosts.

2014-10-23 Thread Matt Palmer
On Thu, Oct 23, 2014 at 01:08:25PM -0700, John Nagle wrote: > Examine the cert of "https://www.sevendays.co". > > Here's one of those certs with a huge number of unrelated hosts. > This seems to be a Cloudflare legacy setup from the pre-TLS era. > Unfortunately, this cert became valid on 10/09/20

"Cert spam", or certs with huge numbers of hosts.

2014-10-23 Thread John Nagle
Examine the cert of "https://www.sevendays.co". Here's one of those certs with a huge number of unrelated hosts. This seems to be a Cloudflare legacy setup from the pre-TLS era. Unfortunately, this cert became valid on 10/09/2014. It's not a legacy cert. Should certs like this be rejected as mi
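The check the original post asks for ("examine the cert" and see whether it covers a huge number of unrelated hosts), as an added example that is not part of the thread: a stdlib-only Python script that takes the text printed by `openssl x509 -in cert.pem -noout -ext subjectAltName`, extracts the dNSName entries, collapses each to its registrable domain and flags the certificate as "cert spam" when the number of distinct registrable domains exceeds a threshold. The sample SAN dump, the tiny `MULTI_LABEL_SUFFIXES` table and the threshold of 5 are constructed assumptions for the demo, not data from the sevendays.co certificate; a real tool should use the full Public Suffix List instead of the hand-written suffix table.

```python
"""Flag "cert spam": a certificate whose subjectAltName spans many
unrelated registrable domains, so a key compromise at any one of the
covered sites lets the attacker impersonate all of them.

Added example, not code from the thread. Input is the text that
`openssl x509 -in cert.pem -noout -ext subjectAltName` prints.
"""
import re
from collections import defaultdict

# Constructed sample of openssl's subjectAltName dump (assumption: not the
# real sevendays.co certificate). Certs of the kind discussed in the
# thread carry dozens of names like these, for unrelated customers.
SAMPLE_SAN_TEXT = """X509v3 Subject Alternative Name:
    DNS:ssl2000.cloudflare.com, DNS:*.example.com, DNS:example.com, DNS:*.sevendays.co, DNS:sevendays.co, DNS:*.example.org, DNS:example.org, DNS:*.shop.example.net, DNS:example.net, DNS:*.example.co.uk, DNS:example.co.uk
"""

# Assumption: a tiny public-suffix table is enough for the demo. Replace
# with the full Public Suffix List (e.g. the publicsuffix2 package) in a
# real tool, because multi-label suffixes such as "co.uk" are numerous.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def parse_san_dns_names(text):
    """Return every dNSName entry from openssl's subjectAltName output."""
    return re.findall(r"DNS:([^,\s]+)", text)


def registrable_domain(name):
    """Collapse a hostname (wildcard allowed) to its registrable domain.

    "*.shop.example.net" -> "example.net"; "*.example.co.uk" -> "example.co.uk".
    """
    labels = name.lower().lstrip("*.").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def assess_cert_spam(san_text, max_unrelated=5):
    """Group SAN names by registrable domain and flag the cert if the
    number of distinct domains exceeds max_unrelated (threshold is an
    assumption; tune it to your own policy)."""
    names = parse_san_dns_names(san_text)
    by_domain = defaultdict(list)
    for n in names:
        by_domain[registrable_domain(n)].append(n)
    return {
        "dns_names": len(names),
        "registrable_domains": sorted(by_domain),
        "names_per_domain": dict(by_domain),
        "is_cert_spam": len(by_domain) > max_unrelated,
    }


if __name__ == "__main__":
    result = assess_cert_spam(SAMPLE_SAN_TEXT)
    print(f"{result['dns_names']} dNSNames across "
          f"{len(result['registrable_domains'])} registrable domains")
    for domain, hosts in result["names_per_domain"].items():
        print(f"  {domain}: {', '.join(hosts)}")
    print("cert spam:", result["is_cert_spam"])
```

Feed it a live certificate with `openssl s_client -connect host:443 -servername host </dev/null | openssl x509 -noout -ext subjectAltName` piped into `assess_cert_spam`. The registrable-domain grouping is what distinguishes a legitimate multi-host cert (many names under one domain) from the cross-customer bundles the thread is about.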