[SSL Observatory] SSL CA compromise in the wild

Matt McCutchen matt at mattmccutchen.net
Wed Mar 23 10:37:15 PDT 2011


On Wed, 2011-03-23 at 10:32 -0700, Jacob Appelbaum wrote:
> On 03/23/2011 10:31 AM, Matt McCutchen wrote:
> > On Wed, 2011-03-23 at 10:29 -0700, Jacob Appelbaum wrote:
> >> On 03/23/2011 08:26 AM, Steve Schultze wrote:
> >>> Hey Jacob, in your post you say:
> >>>
> >>> "Mozilla offered some additional information and disclosed that addons.mozilla.org was one of the certificates acquired by the attacker. "
> >>>
> >>> Where did they disclose that?  I don't see it in their blog post.
> >>>
> >>> Nice work btw.
> >>
> >> They disclosed this in a bug report:
> >> https://bugzilla.mozilla.org/show_bug.cgi?id=643056
> > 
> > Which is not open to the public.
> > 
> 
> Yeah, isn't that interesting too?
> 
> I would mark the bug as public but I am not able to do so.

Point is, I wouldn't say "Mozilla disclosed".  Maybe "Mozilla told me
privately".

-- 
Matt



