On 01/03/2009 06:16 PM, Ben Bucksch:
> Yes, that is (just?) a bug. It does mean that a developer didn't think correctly - it's a general rule in security to validate all input, distrust all other parties, and this was not done here.
Correct. Actually it was done, but something in the verification wasn't done correctly. It was simply a bug as it indeed can happen.
> I'd check similar code near there, and the other code of that developer, but IIRC you wrote that you did that at least to some degree and rectified other potential problems.
Also correct. Any potential source of input was reviewed and corrected where needed.
> I was already scared that you let the user's browser do the domain validation, and let the browser report "yes, the verification passed", or something like that.
LOL
> Yes, that would have been incredibly stupid, but given what we learned recently about some other CAs... This bug is not too far from that, but at least not that obviously stupid, it can really have been just an oversight of the developer in question, and his reviewer.
Nono... it's very far from that, Ben. With certstar there were no validations at all. It didn't exist. That's a far cry from a bug in the post response verification. More than that, the other layers of defense did exactly what they were supposed to do. The staff reacted incredibly fast and awareness was high as well. Minutes from the failed attempt to receive a certificate for verisign.com the "attacker" was banned from the StartCom network and issuance of the high-profile certificate was prevented in the first place.
Flaws and even human error can happen - I'm certain that ours wouldn't be a first even if we don't know about it. But comparing this to non-existent validation and non-existent control over the third party who's supposed to validate doesn't really cut it.
--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto