[mixedbit]

> The Mozilla CA policy does not include a provision for obvious trolling and posturing.

This isn't really trolling, after Heartbleed we should consider all SSL certs used by OpenSSL based servers as compromised. This sites just tries to make the point more obvious by putting such compromised cert in public view.

[vilda]

Have you realized that not only OpenSSL, but any exploitable bug in any software that runs on servers (PHP, Apache, nginx, Linux, etc) should theoretically invalidate any certificate that is stored on those servers?

[mixedbit]

Any exploitable bug that allows to access private keys should invalidate certificates. There are many security vulnerabilities that don't give access to private keys.

[Pacabel]

Even if there's no publically-known way of using a particular security vulnerability to get access to private keys, how are we to be sure that somebody (perhaps malicious) didn't find a way and are just keeping it a secret?

[mixedbit]

If you understand a vulnerability, you can often tell for sure if it can lead to exposure of private keys. For example if a PHP app runs in a separate process with separate user credentials than nginx SSL endpoint, and if file access control flags for certificates are configured correctly, you can tell for sure that php bug alone won't allow for certificates access. This of course assumes that other components work correctly (like Linux access control mechanism), but without such assumptions you wouldn't be able to do anything productive.