I don't think I'm giving away any big secret by revealing that the seal website is just doing an http_referer check. If you are blocked when trying to access an audit report on cert.webtrust.org, just set the referer to the CA's domain name and refresh. You can do this with any number of Firefox extensions, such as Referer Control ( https://addons.mozilla.org/en-US/firefox/addon/referercontrol/).
Now if only it were that easy to access prior period reports... On Thu, Aug 9, 2018 at 4:47 PM Ryan Sleevi via dev-security-policy < [email protected]> wrote: > Thanks for the update, Kathleen. > > This is truly unfortunate, and unquestionably does harm to the value and > brand of the WebTrust Seal, rather than provide value. > > On Thu, Aug 9, 2018 at 7:19 PM, Kathleen Wilson via dev-security-policy < > [email protected]> wrote: > > > All, > > > > In their effort to better protect WebTrust seals, CPA Canada has made it > > so we can no longer access WebTrust pdf files directly from the CCADB. > > > > I received the following response when inquiring about this. > > “” > > Thank you for contacting Chartered Professional Accountants of Canada. > > You can no longer link directly to PDF documents. You will need to go to > > the registered website where the seal is provided and click on the seal > to > > obtain the document (e.g. audit report). > > Also, we are now enforcing the domain requirement when a seal is opened. > > Domain enforcement is essential to the program to prevent fraudulent use. > > It ensures that the WebTrust seals will only function on the certificate > > authority’s websites. > > If a seal is opened from a non-registered domain or other source (e.g. > > email, internal lists, etc.) the seal will not load and will display a > > notice indicating that the domain is not valid. > > “” > > > > Therefore, for the foreseeable future, please do the following when > > creating an Audit Case in the CCADB for WebTrust audits. > > > > 1) Make the PDFs of the audit statements available directly on your CA's > > website. > > OR > > Upload your audit statement PDF files to Bugzilla, as described here: > > https://ccadb.org/cas/fields#uploading-documents > > > > 2) For the audit statement link in your CCADB Audit Case either provide > > the URL to the PDF on your CA's website, or use the link to the document > in > > Bugzilla. > > > > 3) Add a Audit Case Comment to indicate the URL where the WebTrust seals > > may be found on your CA’s website. > > > > 4) When you run the Audit Letter Validation (ALV), you can ignore the > > “Cleaned=Fail” ALV result. I will check the seal on your website > manually, > > and add a comment to the Audit Case. > > > > > > Also, the cert.webtrust.org audit links that are currently in the root > > cert records and the intermediate cert records in the CCADB no longer > work > > either. Fortunately we started archiving audit statements this year. So > you > > can scroll down to the “File Archive…” section of the record, and you > will > > be able to find the stored audit pdfs. > > > > Thanks, > > Kathleen > > > > > > _______________________________________________ > > dev-security-policy mailing list > > [email protected] > > https://lists.mozilla.org/listinfo/dev-security-policy > > > _______________________________________________ > dev-security-policy mailing list > [email protected] > https://lists.mozilla.org/listinfo/dev-security-policy > _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
