[cabfpub] Server certificate domain validation bug

Robin Alden robin at comodo.com
Fri Jul 29 10:54:15 MST 2016


We received a report of bugs in the construction of the emails we send out
in order to confirm authorization by the domain name registrant prior to
issuing a server certificate.

Colloquially these are known as Domain-Control Validation Emails.

The security researcher, Matthew Bryant, followed a responsible disclosure
process and we were afforded the opportunity to resolve this bug before he
published his blog post at

https://thehackerblog.com/keeping-positive-obtaining-arbitrary-wildcard-ssl-certificates-from-comodo-via-dangling-markup-injection/index.html

We are pleased to report that no certificates were issued contrary to the
terms of our CPS.

We have informed our external WebTrust auditors of the report and of its
resolution.

We will be further engaging with external security consultants to ensure
that our systems remain secure so that we may continue to meet our policy
obligations.

Regards

Robin Alden
Comodo

This email has also been posted to mozilla-dev-security-policy at lists.mozilla.org
