Date: Wed, 28 Sep 2016 08:40:27 +0200
From: Nikola Pavlović
To: Matthew Seaman
Cc: freebsd-security@freebsd.org
Subject: Re: Two Dumb Questions
Message-ID: <20160928084027.20ca33f2@riseup.net>
In-Reply-To: <74ed7019-cb87-c55a-fb6d-1c016bf04d59@FreeBSD.org>

On Mon, 26 Sep 2016 10:31:02 +0200
Matthew Seaman wrote:

[...]
> >
> > https://censys.io/
> >
[...]
>
> Hmmm... their TLS certificate is issued by 'StartCom Class 1 DV Server
> CA' This is a CA that prominently advertizes free SSL certificates,
> but otherwise looks like it charges just like any other CA.
> See: http://www.startssl.com/ No idea if this CA is any good but
> there's nothing to suggest any wrong doing just from their site.

Just an FYI regarding StartCom: Mozilla is suspending their CA for one
year (and quite likely forever, it's unlikely they'll be able to meet
the requirements for reactivation). Lots more info here in Mozilla's
investigation report:

https://docs.google.com/document/d/1C6BlmbeQfn4a9zydVi2UvjBGv6szuSB4sMYUcVrR8vQ/preview

-- 
PGP: 28CC 9078 8358 CE2D 6824 A5BC 2DB2 CD24 5BE7 8F06