almost as though people have been standing by waiting for a reason to stick a knife in them

# May 1, 2024 20:37

shackleford posted: like the "maybe we will consider establishing a process to review our contact details in the database once a year" thing where another CA piped up with "actually here is the chain of rules that result in requiring your contact details to be kept up to date within 14 days"

anyway they can figure all of that out themselves i'll just remind me of these details after their formal report. you can include these sections in advance for the timeline if you're reading this btw

# May 1, 2024 21:12

flakeloaf posted: almost as though people have been standing by waiting for a reason to stick a knife in them

the night of the EV knives

# May 1, 2024 22:08

oooh interesting: DigiCert: Incorrect case in Business Category

Martin Sullivan posted: On 29th of April 2024 a DigiCert employee received a personal call from a Sectigo employee. During the call, Sectigo mentioned that they had seen some issues with the case sensitivity of entries in the business category for some EV certificates. This was escalated internally, and an investigation was started.

# May 1, 2024 23:25

Lately Google has been pushing for a new TLS Trust Expressions system in the IETF. Their recommendation is still in the draft phase, but it would be really relevant to this if it winds up going through and gets adopted: https://datatracker.ietf.org/doc/draft-davidben-tls-trust-expr/

David Benjamin / Google posted: Subscribers typically provision a single certificate for all

Basically - present multiple different certs depending on what trust requirements the recipient will accept. Entrust could intend to hold out for something like this so they can still issue certs in a weird multi-cert model, even if they wind up facing distrust here.

Saturnine Aberrance fucked around with this message at 23:37 on May 1, 2024

# May 1, 2024 23:35

Wiggly Wayne DDS posted: so entrust's pr team added themselves to the cc list on the snowballing issue involving ben. i gather they didn't realise that's all public..

lol

# May 2, 2024 00:19

lmao

# May 2, 2024 01:00

holy gently caress lmao

# May 2, 2024 01:16

got an email from Dropbox sign:

quote: Hello,

great job all around

# May 2, 2024 02:02

lmao

# May 2, 2024 04:55

every single dropbox product or service that isn't just a folder that syncs is complete and utter dog poo poo

# May 2, 2024 07:09

they really dropped the box this time

# May 2, 2024 11:59

Wiggly Wayne DDS posted:
SeaborneClink posted: https://www.sectigo.com/resource-library/root-causes-260-ca-trustcor-deprecated

Thx for sharing this, I'm not a security person but found this a pleasant listen.

# May 2, 2024 16:30

some things happened today:

- Entrust provided an incident report for Entrust: Not updating Problem Reporting Mechanism fields in CCADB... to say it is light in any concrete information is too kind.
- Some update on 'revocations':
  2024-05-02 12:16: (delayedRevoc cPSuri): Update on the revocation progress: 14,736 certificates have been revoked or expired. 2,130 certificates have been re-issued with revocation pending. 866 out of 944 customer accounts have fully remediated the issue (certificates re-issued and old certificates revoked).
  2024-05-02 12:18: (delayedRevoc serverAuth EKU): Update on the revocation progress: 310 certificates have been revoked or expired. 15 certificates have been re-issued with revocation pending. 101 out of 114 customer accounts have fully remediated the issue (certificates re-issued and old certificates revoked).
- This puts them at 55.26% revoked on cPSuri (26,668 certs) after revocation allegedly started 2024-03-19 (44 days).
- This puts them at 26.36% revoked on serverAuth (1,176 certs) after revocation allegedly started 2024-03-20 (43 days).
- The ongoing discussion about Entrust is currently split over 2 issues atm, latest comment is: https://bugzilla.mozilla.org/show_bug.cgi?id=1890896#c23

# May 2, 2024 16:54

holy lol at the TrustCor thread. tl;dr version:
q: hey trustcor, u scammin?
a: [giant wall of text about defence contractors and governments being in bed together, along with some thinly veiled threats of legal action]

# May 2, 2024 16:58

Wiggly Wayne DDS posted: some things happened today:

Enterprise: "we use public web PKI for reasons"
Wayne: "so should it be secure"
Enterprise: "no comment"

# May 2, 2024 21:38

fins posted: holy lol at the TrustCor thread.

i particularly enjoyed this part

quote: Based on that understanding (and again, please let me know if any of that is incorrect), I personally believe it's possible that Rachel may be a victim here, if she really is the primary TrustCor shareholder (e.g., maybe the company was given to employees, after it was no longer useful). If TrustCor's private keys were compromised at its founding or before (e.g., so that Packet Forensics could sell TLS-interception boxes), the company itself would have little continued value, so long as it passed its audits (and remained trusted by browsers and operating systems). It's therefore possible that Rachel had no awareness of this, and as a result is in the denial phase of realizing that she's the victim of a scam. This is not a statement of fact, I'm just offering it as a possibility.

quote: To now theorize and publicly suggest that "I am in a denial phase of realizing that I am a victim of a scam" is disrespectful and outlandish. I think you're taking this too far by making claims against me personally and I don't think it's a good representation of your professionalism. You've forced us to be in a position to defend our company, but putting me in a position to have to defend myself personally is crossing the line. Would you have made the same assumption if I were a man?

bared witness lmao

# May 2, 2024 21:50

Raymond T. Racing posted: Enterprise: "we use public web PKI for reasons"

"maybe you should pick CAs who don't have huge shoes and red rubber noses"

# May 2, 2024 22:02

shackleford posted: i particularly enjoyed this part

# May 2, 2024 22:05

when you've seen the whole witness

# May 2, 2024 22:07

shackleford posted: i particularly enjoyed this part

lol

"hey, maybe you didn't know that someone was abusing your keys this way"
"nuh-uh, I was totally aware of and involved in any abuse that happened, including the very clearly documented case that prompted this discussion"

# May 2, 2024 22:12

i didn't read the thread, is trustcore just rachel in a trenchcoat or something

# May 2, 2024 22:39

Shame Boy posted: i didn't read the thread, is trustcore just rachel in a trenchcoat or something

would you ask that question if she were a man?

# May 2, 2024 22:41

spicy posts from the poo touchers itt

# May 2, 2024 23:40

so i found what looks to be her linkedin profile and apparently she went from "Office Administrator" to "Volunteer Coordinator & Event Operations" to observing CA HSM key ceremonies. good for her

# May 2, 2024 23:50

Lain Iwakura posted: who was the last root to lose trust like this? it feels like it has been a few years

Also E-Tugra in https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/yqALPG5PC4s

# May 3, 2024 03:31

secfuck: we have no updates for this week and will continue to monitor the bug

# May 3, 2024 04:00

Applebees posted: Also E-Tugra in https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/yqALPG5PC4s

The linked issue in buganizer was a fun read of watching someone continuously avoid answering questions or intentionally misunderstand them. I did actually laugh when I saw the "executive summary" provided for their pen test.

# May 3, 2024 04:44

^^ yup

fins posted: holy lmao at the pen test reports.

this is pretty much the entirety of the reports. page 1, cover page. page 2, blurb + these graphs. page 3, graph legend. there is no page 4.

# May 3, 2024 04:52

Thank you for choosing Lostar Information Security Inc.

I just realized: they kept saying they were going to get a company that wasn't Turkish so that there wouldn't be any bias, and they picked... a Turkish company (or at the very least the Turkish branch of one)

# May 3, 2024 04:59

Volmarias posted: The linked issue in buganizer was a fun read of watching someone continuously avoid answering questions or intentionally misunderstand them. I did actually laugh when I saw the "executive summary" provided for their pen test.

https://bugzilla.mozilla.org/show_bug.cgi?id=1801345#c45

I don't think I ever saw that when I was following the bug last year. Probably because it was in an attachment. This is what the root stores had requested and had been kept waiting six months for. From the summary, it sounds like the testers just ran some scans and called it a day. Then why did it take three months to analyze? I don't know.

quote: E-Tugra EBG Information Technologies and Services Inc. Penetration tests of the systems

# May 3, 2024 06:38