
How to submit WebTrust audits in CCADB


Kathleen Wilson

Aug 9, 2018, 7:19:25 PM
to mozilla-dev-s...@lists.mozilla.org
All,

In their effort to better protect WebTrust seals, CPA Canada has made it
so we can no longer access WebTrust pdf files directly from the CCADB.

I received the following response when inquiring about this.
> Thank you for contacting Chartered Professional Accountants of Canada.
> You can no longer link directly to PDF documents. You will need to go to
> the registered website where the seal is provided and click on the seal
> to obtain the document (e.g. audit report).
> Also, we are now enforcing the domain requirement when a seal is opened.
> Domain enforcement is essential to the program to prevent fraudulent
> use. It ensures that the WebTrust seals will only function on the
> certificate authority's websites.
> If a seal is opened from a non-registered domain or other source (e.g.
> email, internal lists, etc.) the seal will not load and will display a
> notice indicating that the domain is not valid.

Therefore, for the foreseeable future, please do the following when
creating an Audit Case in the CCADB for WebTrust audits.

1) Make the PDFs of the audit statements available directly on your CA's
website.
OR
Upload your audit statement PDF files to Bugzilla, as described here:
https://ccadb.org/cas/fields#uploading-documents

2) For the audit statement link in your CCADB Audit Case either provide
the URL to the PDF on your CA's website, or use the link to the document
in Bugzilla.

3) Add an Audit Case Comment to indicate the URL where the WebTrust seals
may be found on your CA's website.

4) When you run the Audit Letter Validation (ALV), you can ignore the
“Cleaned=Fail” ALV result. I will check the seal on your website
manually, and add a comment to the Audit Case.


Also, the cert.webtrust.org audit links that are currently in the root
cert records and the intermediate cert records in the CCADB no longer
work either. Fortunately we started archiving audit statements this
year. So you can scroll down to the “File Archive…” section of the
record, and you will be able to find the stored audit pdfs.

Thanks,
Kathleen


Ryan Sleevi

Aug 9, 2018, 7:47:58 PM
to Kathleen Wilson, mozilla-dev-security-policy
Thanks for the update, Kathleen.

This is truly unfortunate, and unquestionably does harm to the value and
brand of the WebTrust Seal, rather than provide value.

Wayne Thayer

Aug 9, 2018, 7:55:54 PM
to Ryan Sleevi, Kathleen Wilson, mozilla-dev-security-policy
I don't think I'm giving away any big secret by revealing that the seal
website is just doing an http_referer check. If you are blocked when trying
to access an audit report on cert.webtrust.org, just set the referer to the
CA's domain name and refresh. You can do this with any number of Firefox
extensions, such as Referer Control (
https://addons.mozilla.org/en-US/firefox/addon/referercontrol/).

Now if only it were that easy to access prior period reports...

jomo

Aug 9, 2018, 8:05:40 PM
to Kathleen Wilson, mozilla-dev-s...@lists.mozilla.org
I contacted CPA Canada in early 2017 about XSS and some other issues on
cert.webtrust.org.

They did not fix the issues but stated:

> CPA Canada is currently working on upgrading the WebTrust site to
> enhance the security.
As of April 2018 the issues were still unfixed. I wonder if the limited
access is part of those security "enhancements"?

PS: This change also breaks "legitimate" WebTrust Seal links when either
the website or the web browser is configured to not send the "Referer"
header.

jomo