An anonymous user on Stack Exchange claims s/he stumbled across a huge security vulnerability in a Certificate Authority that is trusted by all modern browsers and computers – by accident.
S/he asked on Stack Exchange how to go about reporting such a find.
An excerpt:
Specifically, I am able to get a valid signed certificate for a domain I don’t own. If I had the means to become a Man In The Middle, I would be able to present a perfectly valid SSL certificate.
This vulnerability required no SQL injections or coding on my part. I quite figuratively stumbled across it.
What is the proper way to report this? I want to be ethical and report it to the offending CA, but I also don’t want them to simply fix the vulnerability and then sweep everything under the rug. This problem seems to have been there a while, and I’m simply not smart enough to be the only one capable of finding it.
You can read the lot here.