CrimsonRain 3 days ago

I guess they can check logs and find how many times this has been abused already? Can we trust them to release full transparent report?

bawolff 3 days ago | parent | next [-]

> Can we trust them to release full transparent report?

Generally browser vendors take a pretty dim view of CAs not being transparent when bad things happen. Given the seriousness of this issue, I suspect being aggressively transparent is their only hope of saving their business.

thenickdude a day ago | parent | prev | next [-]

They've released their report now, 10 further certificates were mis-issued:

https://bugzilla.mozilla.org/show_bug.cgi?id=1961406

toast0 3 days ago | parent | prev | next [-]

I would expect them to be able to report on certificates issued based on this validation method. That's a basic CA capability and other CA incidents often include these kinds of reports.

Depending on what was logged during the validation, it might be tricky to determine if it was abuse or not. If the DNS content wasn't logged, they could pull a live record and report if the current record would support validation or not.

My guess is that use of this method should be low... If you're updating DNS to add a TXT record, you might be more likely to add a direct verification value rather than an email. But that's speculative; I'm not a CA, I've just been a customer of several... IIRC, I've validated domain control by controlling postmaster@ (or the whois address when that was public) or adding direct TXT verification records or ACME http validations.

agwa 3 days ago | parent | next [-]

This method may be more popular than you'd think, since it only requires the TXT record to be published once, whereas using the DNS method requires periodically updating the DNS record. Yes, that can be automated or delegated, but for a legacy/manual/dysfunctional organization, email to TXT record contact is an easy alternative to the now-banned email to WHOIS contact method that they were likely using previously.

thayne 3 days ago | parent | prev [-]

You could at least narrow it down to certs with multiple domains, since it sounds like the email domain was added as an additional domain.

thayne 3 days ago | parent | prev | next [-]

All such certs should be in transparency logs, so I think it should be possible for a third party to verify.

agwa 3 days ago | parent [-]

Random third parties can't verify if domain validation was performed properly; only the domain owner knows. Which is why domain owners should monitor Certificate Transparency logs: https://certificate.transparency.dev/monitors/
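
The two points above (a third party can narrow the search to certs that pair a domain with unrelated names, and a domain owner should watch CT logs for their own names) can be combined into a simple monitor filter. The following is an added example written for this thread, not code from any commenter or from any CT monitor project; the entry format, the domain list and the issuer allow-list are constructed for illustration.

```python
"""Toy Certificate Transparency monitor filter (added example, constructed data).

Given a batch of CT log entries for names we own, flag two things a domain
owner would want to look at:
  1. a certificate issued by a CA we never use (unexpected issuer), and
  2. a certificate that pairs one of our names with names we do not control,
     which is the pattern the thread describes (the contact email's domain
     appearing as an extra SAN on someone else's certificate).
"""
from dataclasses import dataclass

# Constructed: the registrable domains this organisation controls.
OUR_DOMAINS = {"example.com"}
# Constructed: the only CAs this organisation actually orders certificates from.
TRUSTED_ISSUERS = {"Example Root CA"}

# Constructed sample entries in a crt.sh-like dictionary shape; a real monitor
# would fetch these from a CT log or a monitoring service.
CT_ENTRIES = [
    {"id": 1, "issuer": "Example Root CA", "names": ["example.com", "www.example.com"]},
    {"id": 2, "issuer": "Some Other CA", "names": ["example.com", "mail.attacker.test"]},
    {"id": 3, "issuer": "Example Root CA", "names": ["shop.example.com", "cdn.partner.test"]},
    {"id": 4, "issuer": "Some Other CA", "names": ["example.com"]},
]


@dataclass
class Finding:
    cert_id: int
    reason: str   # "unexpected_issuer" or "foreign_san"
    detail: str   # issuer name, or comma-separated foreign SANs


def is_ours(name: str) -> bool:
    """True if a SAN equals or is a subdomain of a domain we control.

    Wildcard prefixes are stripped so "*.example.com" counts as ours.
    """
    name = name.lower().lstrip("*.")
    return any(name == d or name.endswith("." + d) for d in OUR_DOMAINS)


def check_entry(entry: dict) -> list[Finding]:
    """Return the findings for one CT entry; empty if it does not touch our names."""
    names = entry["names"]
    if not any(is_ours(n) for n in names):
        return []  # not about our domains, nothing to review
    findings = []
    if entry["issuer"] not in TRUSTED_ISSUERS:
        findings.append(Finding(entry["id"], "unexpected_issuer", entry["issuer"]))
    # The thread's narrowing heuristic: our name sitting next to names that are not ours.
    foreign = sorted(n for n in names if not is_ours(n))
    if foreign:
        findings.append(Finding(entry["id"], "foreign_san", ",".join(foreign)))
    return findings


def scan(entries: list[dict]) -> list[Finding]:
    """Run check_entry over a batch and flatten the findings."""
    return [f for e in entries for f in check_entry(e)]


if __name__ == "__main__":
    for f in scan(CT_ENTRIES):
        print(f"cert {f.cert_id}: {f.reason} ({f.detail})")
```

Only the domain owner can decide whether a flagged entry is legitimate (a partner-hosted subdomain, an issuer they recently switched to), which is exactly the point made above; the filter just reduces a full CT feed to the handful of entries worth a human look.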

aaomidi 3 days ago | parent | prev | next [-]

They will need to most likely do a full mass revocation at this point.

gruez 3 days ago | parent | prev [-]

> We will provide a preliminary report on or before 2025-04-21.