[security] SL compromise
Mike Hanson
mhanson at mozilla.com
Thu Mar 24 17:08:03 UTC 2011
Thanks for the clarification, Phillip.
m
On Mar 24, 2011, at 10:06 AM, Phillip Hallam-Baker wrote:
> No login servers were affected.
>
> Several domains on which the servers are deployed were affected but not the login servers.
>
>
>
> On Thu, Mar 24, 2011 at 12:48 PM, Mike Hanson <mhanson at mozilla.com> wrote:
> Comodo has posted a detailed incident report here:
> http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html
>
> Several login servers were affected.
>
> -MH
>
>
> On Mar 24, 2011, at 7:09 AM, John Bradley wrote:
>
> >
> >
> > http://threatpost.com/en_us/blogs/phony-ssl-certificates-issued-google-yahoo-skype-others-032311?utm_source=Threatpost&utm_medium=Tabs&utm_campaign=Today%27s+Most+Popular
> >
> > The browser vendors blocking those certificates is nice; however, there are attacks on RPs that could be done with those certificates that are still open.
> >
> > In testing, something like 0% of RPs check OCSP or CRL; the libs don't force OpenSSL to do those checks (I think DNOA will do them in FICAM mode).
> >
> > So perhaps encouraging people to perform those checks would be a good idea.
> >
> > We can only hope that none of the 9 certificates cover an OpenID OP; otherwise user accounts at RPs could theoretically be compromised.
> >
> > John B.
> >
> >
> > _______________________________________________
> > security mailing list
> > security at lists.openid.net
> > http://lists.openid.net/mailman/listinfo/openid-security
>
>
>
> --
> Website: http://hallambaker.com/
>
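
The gap John Bradley describes in the thread (clients that validate the chain but never consult CRL or OCSP), shown with the `openssl verify` command as an added example that is not part of the original messages: a revoked certificate passes a chain-only check and is rejected once `-crl_check` is supplied. The throwaway CA, the name `op.example.test`, the config file and the helper function names are all constructed for this demo.

```shell
#!/usr/bin/env bash
# Added example. Constructed throwaway PKI: demo CA, one leaf cert
# (CN=op.example.test, a made-up name), the leaf revoked, and a CRL issued.
build_demo_pki() (
  cd "$1" && mkdir -p newcerts && : > index.txt && echo 01 > serial || exit 1
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo
[ demo ]
database = ./index.txt
serial = ./serial
new_certs_dir = ./newcerts
default_md = sha256
default_days = 30
default_crl_days = 30
policy = any
[ any ]
commonName = supplied
EOF
  ca_args="-config ca.cnf -cert ca.pem -keyfile ca.key"
  {
    openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 30 \
      -subj "/CN=Demo CA" -keyout ca.key -out ca.pem &&
    openssl req -config ca.cnf -newkey rsa:2048 -nodes \
      -subj "/CN=op.example.test" -keyout op.key -out op.csr &&
    openssl ca $ca_args -batch -notext -in op.csr -out op.pem &&  # issue leaf
    openssl ca $ca_args -revoke op.pem &&                          # revoke it
    openssl ca $ca_args -gencrl -out ca.crl                        # publish CRL
  } >/dev/null 2>&1
)

# Chain-only validation: what a client does when revocation is never consulted.
verify_chain_only() { openssl verify -CAfile "$1/ca.pem" "$1/op.pem" >/dev/null 2>&1; }
# Same chain, but the leaf must also be absent from the CA's CRL.
verify_with_crl() {
  openssl verify -crl_check -CAfile "$1/ca.pem" -CRLfile "$1/ca.crl" "$1/op.pem" >/dev/null 2>&1
}

d=$(mktemp -d) && build_demo_pki "$d" || exit 1
verify_chain_only "$d" && echo "chain-only:  revoked certificate ACCEPTED"
verify_with_crl "$d"   || echo "-crl_check:  revoked certificate REJECTED"
```

The CRL check only helps if the client actually has a current CRL for the issuing CA, so fetching and refreshing it has to be part of the deployment.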