Currently, when you click on a CRL link like this:

http://crl.comodoca.com/UTN-USERFirst-Hardware.crl

Firefox automatically passes the CRL to NSS, which imports it with no way to cancel. You then get asked whether to enable auto-update or not.

This means the CRL import code is part of our web-facing attack surface, and I suggest it should be fuzz-tested.

Gerv
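A sketch of the kind of fuzz test suggested above, as an added example that is not part of the original report and is not NSS or Firefox code. It assumes a hypothetical stand-in parser, `walk_der`, in place of the real CRL import routine, and a constructed seed shaped like a DER CertificateList; the names `tlv`, `mutate` and `fuzz` are also illustrative.

```python
import random

def tlv(tag, content=b""):
    n = len(content)  # the constructed sample stays under 256 bytes: 0x81 form suffices
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + content

SEED = tlv(0x30, tlv(0x30, tlv(0x02, b"\x01") + tlv(0x17, b"250101000000Z"))
           + tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05))
           + tlv(0x03, b"\x00" + b"\xaa" * 200))  # constructed, CertificateList-shaped

def walk_der(data, depth=0):  # stand-in for the parser under test (assumption)
    count = pos = 0
    while pos < len(data):
        if len(data) - pos < 2 or depth > 16:
            raise ValueError("truncated header or nesting too deep")
        tag, length, pos = data[pos], data[pos + 1], pos + 2
        if length >= 0x80:                      # long form: next n bytes hold the length
            n = length & 0x7F
            if not 1 <= n <= 4 or len(data) - pos < n:
                raise ValueError("bad length encoding")
            length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
        if length > len(data) - pos:
            raise ValueError("length exceeds buffer")
        # Constructed elements (bit 0x20) are parsed recursively within their own bounds.
        count += 1 + (walk_der(data[pos:pos + length], depth + 1) if tag & 0x20 else 0)
        pos += length
    return count

def mutate(seed, rng):
    buf, i, op = bytearray(seed), rng.randrange(len(seed)), rng.randrange(3)
    if op == 0:
        buf[i] ^= 1 << rng.randrange(8)                      # single bit flip
    elif op == 1:
        buf[i] = rng.choice((0x00, 0x7F, 0x80, 0x84, 0xFF))  # length-boundary bytes
    else:
        del buf[i:]                                          # truncation
    return bytes(buf)

def fuzz(iterations=2000, rng_seed=1):
    rng, stats = random.Random(rng_seed), {"accepted": 0, "rejected": 0, "crashes": []}
    for _ in range(iterations):
        case = mutate(SEED, rng)
        try:
            walk_der(case)
            stats["accepted"] += 1
        except ValueError:                      # controlled rejection is the pass case
            stats["rejected"] += 1
        except Exception as exc:                # anything else is a finding: keep the input
            stats["crashes"].append((case.hex(), repr(exc)))
    return stats
```

Calling `fuzz()` returns the counts plus any inputs that escaped the parser's controlled error path; the fixed `rng_seed` makes a failing case reproducible.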