mozilla :: #security

17 Mar 2017
07:46huzaifasabillings: or dveditz can i get a cc on https://bugzilla.mozilla.org/show_bug.cgi?id=1348168 please
07:46firebotBug 1348168 is not accessible
12:48ulfrjcj: and here's a list of sites that were seen having a trusted sha1 cert over the last month https://gist.githubusercontent.com/jvehent/c9da781047f259c800e33ffd3759acaf/raw/22a6e714dbf56782c00c431ed5b60f08b935ff52/trusted_sha1.sql
12:48ulfrI imagine some of them have updated to sha256 since
12:58ulfrthis one wins all: www.veoh.com
12:58ulfr6 years SHA1 cert, ssl3/tls1 only, null-md5 ciphersuite, dh-512 and some rc4 for good measure
12:59ulfrhttps://tls-observatory.services.mozilla.com/static/certsplainer.html?id=2982496
15:27jcjulfr: that's awesome, ha ha :D
15:28ulfrI need to make a museum of tls horrors
17:45genejgmize: hate to bother you again. Any chance you could copy paste these commands sometime today? https://bugzilla.mozilla.org/show_bug.cgi?id=1232088#c11
17:45firebotBug 1232088 REOPENED, bsternthal@mozilla.com Request for Engagement to update Infosec security auditing IAM Role and enable CloudTrail
17:45jgmizegene: looking now
17:45genejgmize: thank you =)
17:50kangulfr: waiting for sha256 to be weakened so that we can deprecate it in favor of sha-512, so that we can do this again with whatever is next =)
18:00jgmizegene: I've run the commands and there was no output; do you want me to write a script to list all the stacks in all the regions, or would you prefer to verify things on your side?
18:01geneNo need, I'll verify on my side, thank you for running them! No output is a good sign
18 Mar 2017
No messages
   
Last message: 6 days and 13 hours ago