[SSL Observatory] did they generate impostor EV certs?
Hodges, Jeff
jeff.hodges at paypal-inc.com
Thu Mar 24 15:42:53 PDT 2011
> From: observatory-bounces at eff.org [mailto:observatory-bounces at eff.org] On Behalf Of
> Jacob Appelbaum
>
> On 03/24/2011 03:19 PM, Hodges, Jeff wrote:
> > I note that the legit certs presented by <https://login.live.com/>
> > and <https://addons.mozilla.org/> are regarded as EV certs by
> > browsers -- are the impostor certs for those two domains also treated
> > as EV? Has anyone tested this?
> >
>
> The certs have now been disclosed by Mozilla; Comodo still hasn't
> released any more information as far as I've seen.
>
> Here's the Mozilla bug that was opened when Comodo contacted Mozilla:
> https://bugzilla.mozilla.org/show_bug.cgi?id=642395
>
> Here's some of the certs:
> https://bugzilla.mozilla.org/attachment.cgi?id=519863
Indeed (thanks).
It's worth noting this message from the Mozilla Cert Program Manager (Kathleen Wilson)..
https://groups.google.com/group/mozilla.dev.security.policy/msg/eeee5c49eb50fa49
=JeffH
More information about the Observatory
mailing list