...@sleevi.com]
Sent: Monday, January 15, 2018 4:56 PM
To: Doug Beattie <doug.beat...@globalsign.com>
Cc: r...@sleevi.com; mozilla-dev-security-pol...@lists.mozilla.org; Gervase
Markham <g...@mozilla.org>; Wayne Thayer <wtha...@mozilla.com>
Subject: Re: Possible Issue with Domain V
On Mon, Jan 15, 2018 at 4:54 PM, Eric Mill wrote:
> I can only go on what's on the public list, but if it is as it appears and
> GS proactively researched their offering, identified a similar weakness via
> a separate BR method, and voluntarily turned off their implementation
sleevi.com; mozilla-dev-security-pol...@lists.mozilla.org;
> Gervase Markham <g...@mozilla.org>; Wayne Thayer <wtha...@mozilla.com>
> *Subject:* Re: Possible Issue with Domain Validation Method 9 in a shared
> hosting environment
>
> On Mon, Jan
On Mon, Jan 15, 2018 at 4:22 PM, Ryan Sleevi wrote:
>
>
> On Mon, Jan 15, 2018 at 4:11 PM, Eric Mill via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>> That said, GlobalSign's offer to cut certificate lifetimes down to X
>> months
>> during the
Re: Possible Issue with Domain Validation Method 9 in a shared hosting
environment
On Mon, Jan 15, 2018 at 3:36 PM, Doug Beattie via dev-security-policy
<dev-security-policy@lists.mozilla.org>
wrote:
Ryan,
I’m not sure where we g
On Mon, Jan 15, 2018 at 4:11 PM, Eric Mill via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> That said, GlobalSign's offer to cut certificate lifetimes down to X months
> during the short-term, and to make sure OneClick is disabled within Y
> months from now, seems like a
On Mon, Jan 15, 2018 at 3:36 PM, Doug Beattie via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Ryan,
>
> I’m not sure where we go from here.
As suggested, we encourage you to work on devising technical mitigations or
alternative methods of validating such certificates
On Mon, Jan 15, 2018 at 2:30 PM, Ryan Sleevi via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On Mon, Jan 15, 2018 at 1:18 PM, Doug Beattie >
> wrote:
>
> >
> > - The potential risk in maintaining this whitelist, given both the
> >
> -Original Message-
> From: Nick Lamb [mailto:n...@tlrmx.org]
> Sent: Monday, January 15, 2018 2:39 PM
>
> > - Total number of active OneClick customers: < 10
>
> What constitutes a OneClick customer in this sense?
These are web hosting companies that receive certificates for
ists.mozilla.org
Subject: Re: Possible Issue with Domain Validation Method 9 in a shared hosting
environment
(Wearing a Google Hat)
Doug,
Thanks for sharing additional details. On the basis of what you've shared so
far, we do not beli
On Mon, 15 Jan 2018 18:18:10 +
Doug Beattie via dev-security-policy
wrote:
> - Total number of active OneClick customers: < 10
What constitutes a OneClick customer in this sense?
The focus of concern for tls-sni-01 was service providers who
...@mozilla.com>; Gervase Markham <
> g...@mozilla.org>; r...@sleevi.com; mozilla-dev-security-policy@
> lists.mozilla.org
> *Subject:* Re: Possible Issue with Domain Validation Method 9 in a shared
> hosting environment
>
> (Wearing a Google Hat)
>
>
Re: Possible Issue with Domain Validation Method 9 in a shared hosting
environment
(Wearing a Google Hat)
Doug,
Thanks for sharing additional details. On the basis of what you've shared so
far, we do not believe this results in an appropriate level of security for the
ecosystem, and request
Sleevi,
Valid point, no intention to confuse, I have no current affiliation with
GlobalSign, though I once did.
The documentation that described the protocol seems to no longer be online,
the behavior is observable and has been discussed in the validation working
group within the CABFORUM so it
On Sat, Jan 13, 2018 at 8:46 PM, Ryan Hurst via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On Friday, January 12, 2018 at 6:10:00 PM UTC-8, Matt Palmer wrote:
> > On Fri, Jan 12, 2018 at 02:52:54PM +, Doug Beattie via
> dev-security-policy wrote:
> > > I’d like to
On Friday, January 12, 2018 at 6:10:00 PM UTC-8, Matt Palmer wrote:
> On Fri, Jan 12, 2018 at 02:52:54PM +, Doug Beattie via
> dev-security-policy wrote:
> > I’d like to follow up on our investigation and provide the community with
> > some more information about how we use Method 9.
> >
>
On Fri, Jan 12, 2018 at 02:52:54PM +, Doug Beattie via dev-security-policy
wrote:
> I’d like to follow up on our investigation and provide the community with
> some more information about how we use Method 9.
>
> 1) Client requests a test certificate for a domain (only one FQDN)
Does
On Fri, Jan 12, 2018 at 4:24 PM, Doug Beattie
wrote:
> Wayne,
>
> We didn’t really investigate wildcard issuance yet, but we can.
>
> Given the discussion so far, we’re planning to proceed with a whitelisting
> approach tomorrow and we will plan to end the use
zilla.org>; r...@sleevi.com;
mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Possible Issue with Domain Validation Method 9 in a shared hosting
environment
On Fri, Jan 12, 2018 at 11:21 AM, Doug Beattie
<doug.beat...@globalsign.com>
On Fri, Jan 12, 2018 at 11:21 AM, Doug Beattie
wrote:
>
>
> Normally a web hosting provider should not let you set SNI for a domain
> someone else is using, especially on that IP address. I think this is
> where method 9 deviates from method 10.
>
I agree, it
Issue with Domain Validation Method 9 in a shared hosting
environment
Doug,
I have some questions:
c. The hosting company must allow you to manually create and upload a
CSR for a site you don’t own
Did you mean to say 'certificate' here instead of 'CSR'?
Yes, I meant to say certificat
On 12/01/18 14:52, Doug Beattie wrote:
> For shared IP address environments, it may be possible to receive a
> certificate for a domain you don’t actually control, but a number of
> things need to happen in order for this to be successful. What can
> go wrong?
Doug: what do you see as the exact
Doug,
I have some questions:
>
> c. The hosting company must allow you to manually create and upload
> a CSR for a site you don’t own
>
> Did you mean to say 'certificate' here instead of 'CSR'?
d. The user must be able to trick the hosting provider to enable SNI
> for this domain
la-dev-security-pol...@lists.mozilla.org
Subject: Re: Possible Issue with Domain Validation Method 9 in a shared hosting
environment
On Thu, Jan 11, 2018 at 4:50 PM, Doug Beattie via dev-security-policy
<dev-security-policy@lists.mozilla.org>
On Thu, Jan 11, 2018 at 4:50 PM, Doug Beattie via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
>
> Based on reported issues with TLS-SNI-01, we started investigation of our
> systems late yesterday regarding the use of "Test Certificate" validation,
> BR section 3.2.2.4.9.