If Some Random Guy can just happen to compromise the processes described here after reading a few-hundred-word blog post, they should probably just go after every browser root cert program, which use almost identical procedures and have also described them openly.
Why go after Monzo when you can go after XYZ root cert trusted by every device out there?
Because one initiated a marketing campaign about their security so as to get some attention and find a different vulnerability the company didn't know about.
Publicly describing your security procedures is common (and encouraged) practice in infosec. See Cloudflare, Mozilla, Google, etc., who have all publicly described various security procedures (including key signing and key management).
If you could actually do anything based on the knowledge here, you would go after a browser root cert because your hack would be exponentially more effective.
I wouldn't do anything, but I also wouldn't do a security-driven marketing campaign. If someone thinks their root cert is safe, it doesn't mean there isn't some other way to get access to user credentials that could allow compromise through some other avenue.
Edit, since I can't reply a level further down: Yes, I would be very careful about security-related marketing and really consider if it's necessary at all.
> it doesn't mean there isn't some other way to get access to user credentials

You can always be hacked in some other way, so I guess we should never write anything about security ever?
> edit since I can't reply down level further: Yes I would be very careful about security related marketing and really consider if its necessary at all.

Interestingly, the security people at Google, Cloudflare, Microsoft, and just about every other major tech company (and security company, certificate authority, etc.) agree that openly talking about security best practices is... well... a best practice. And that keeping security practices secret (obscure, you could say) benefits no one.
Not sure why you have to shoehorn marketing into every comment; literally anything a company posts is arguably considered marketing, so what's your point?