On 1/4/16 2:19 AM, Daniel Holbert wrote:
I'm not sure what action we should (or can) take about this, but for now we should be on the lookout for this, and perhaps consider writing a support article about it if we haven't already.
I propose that we minimally should collect telemetry around this condition. It should be pretty easy to detect: look for cases where we reject very young SHA-1 certs that chain back to a CA we don't ship. Once we know the scope of the problem, we can make informed decisions about how urgent our subsequent actions should be.
It would also be potentially useful to know the cert issuer in these cases, since that might allow us to make some guesses about whether the failures are caused by malware, well-intentioned but kludgy malware detectors, or enterprise gateways. Working out how to do that in a way that respects privacy and user agency may be tricky, so I'd propose we go for the simple count first.
-- Adam Roach Principal Platform Engineer a...@mozilla.com +1 650 903 0800 x863 _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
