SSL certificate authority Comodo compromised - update your browsers!

Discussion in 'other security issues & news' started by tlu, Mar 23, 2011.

Thread Status:
Not open for further replies.
  1. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
  2. LaserWraith

    LaserWraith Registered Member

    Joined:
    Apr 23, 2009
    Posts:
    38
    Location:
    Under your bed!
  3. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    No, why?

    No comment wrt the rest of your post. :blink:
     
  4. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Incidents like this are good because they make us re-evaluate poor techniques with little loss. We don't always have to wait for a disaster to re-evaluate something, as shown by Mozilla's and Tor's blogs.
     
  5. LaserWraith

    LaserWraith Registered Member

    Joined:
    Apr 23, 2009
    Posts:
    38
    Location:
    Under your bed!

    I just wasn't sure. Sometimes people reply without quoting.
     
  6. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    True, but people have been saying for years how the whole PKI infrastructure needs to be scrapped. The CAs don't care as they only want to sell certs. I saw where some researchers had actually obtained an EV cert by merely providing an e-mail address and responding through that e-mail. So much for "extended validation."

    I like the idea of TOFU (trust-on-first-use). Perspectives is nice also. Or we could go with a PGP-style WoT model. There are several models in the works which are much better than the current clusterf*ck we have now with over 600 root authorities, some of which are run by rogue governments or sloppy corporations like Comodo. There is a talk on YT that is interesting and worth watching -- it discusses how awful the system is.
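    Added illustration (not part of this thread or of any project it mentions): a minimal trust-on-first-use pin store of the kind chronomatic refers to. It records the SHA-256 fingerprint of the certificate a host presents the first time and flags any later change, which is how a fraudulently issued but CA-valid certificate for a pinned host (the AMO case discussed later in the thread) would be noticed on the client side. The PinStore class, its JSON file format and the sample byte strings are all constructed for this example; real input would be the DER certificate returned by ssl.SSLSocket.getpeercert(binary_form=True).

```python
# Added example: trust-on-first-use (TOFU) certificate pinning.  Everything
# here (PinStore, the file format, the sample bytes) is constructed for this
# illustration; real input is the DER cert from getpeercert(binary_form=True).
import hashlib
import json
from pathlib import Path
from typing import Optional


class PinStore:
    def __init__(self, path: Optional[str] = None):
        # path=None keeps pins in memory only; otherwise they persist as JSON.
        self.path = Path(path) if path else None
        self.pins = {}
        if self.path and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def _save(self) -> None:
        if self.path:
            self.path.write_text(json.dumps(self.pins, indent=1, sort_keys=True))

    @staticmethod
    def fingerprint(der_cert: bytes) -> str:
        return hashlib.sha256(der_cert).hexdigest()

    def check(self, host: str, der_cert: bytes) -> str:
        """'pinned' on first sight, 'ok' on a match, 'MISMATCH' otherwise.

        A mismatch is never accepted silently: the old pin is kept and the
        caller must verify the new certificate out of band and call repin().
        """
        fp = self.fingerprint(der_cert)
        seen = self.pins.get(host)
        if seen is None:
            self.pins[host] = fp
            self._save()
            return "pinned"
        return "ok" if seen == fp else "MISMATCH"

    def repin(self, host: str, der_cert: bytes) -> None:
        self.pins[host] = self.fingerprint(der_cert)
        self._save()


if __name__ == "__main__":
    store = PinStore()
    legit = b"constructed stand-in for the genuine addons.mozilla.org cert"
    rogue = b"constructed stand-in for a fraudulently issued cert"
    print(store.check("addons.mozilla.org", legit))  # pinned
    print(store.check("addons.mozilla.org", legit))  # ok
    print(store.check("addons.mozilla.org", rogue))  # MISMATCH
```

    The limitation chronomatic's "TOFU" shorthand glosses over is visible in check(): a pin only protects connections after the first one, and a legitimate certificate rotation looks identical to an attack until someone verifies it and calls repin().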
     
  7. LaserWraith

    LaserWraith Registered Member

    Joined:
    Apr 23, 2009
    Posts:
    38
    Location:
    Under your bed!
    It looks like it was the RA who was sloppy? At least Comodo responded to the problem...

    I agree with the rest of what you said.
     
  8. Heimdall

    Heimdall Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    185
    The problems with this whole fiasco are the number of unknowns:

    1. The attack allegedly was against a company based in Southern Europe, but the certificate requests were allegedly issued/signed off by a Comodo reseller based in Salt Lake City - Why?

    2. Comodo say nine certificates were requested, but can only verify one was received - Why?

    3. The announcement from Google arrived on 17th March and said:

    Considering the alleged severity of the problem, this announcement seems a little underwhelming - Why?

    Mozilla, as far as I know, didn't announce anything publicly until the 22nd March, they did, however, issue two bugs to address the issue on the 17th and 18th of March - Why?

    As far as I'm aware, Microsoft and Comodo didn't announce anything publicly until the 23rd of March - Why?

    As noted by virtually every commentator on the subject, this was a serious attack. So why did the big three browsers and Comodo wait several days to make announcements, even though Google and Mozilla both patched their browsers immediately?

    There's more happening here than has been released. It's possible it may be because of investigative work by whichever intelligence agencies are involved...
     
  9. tlu

    tlu Guest

  10. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Well, it is perfectly easy for me. Any CA under direct control of the Chinese government should not make it into the default store of trusted root CAs, much less be sneaked in without any proper prior discussion.

    Those folks in Mozilla certainly must be very high. Assuming that people will post hard evidence against the Chinese regime in a public bugtracker which they mostly cannot reach via an encrypted connection, or while being snooped on (courtesy of CNNIC), is just totally crazy. Those people are plain unable to imagine what living under such a regime looks like and know plain s**t about such things.

    :thumbd: :rolleyes:
     
  11. tlu

    tlu Guest

    But the point is that there is no evidence that they did something that violated their role as a CA. Compare it with the Verisign example mentioned in the article - they did something that they shouldn't have done but it didn't have anything to do with their role as a CA. I can understand that you don't like CNNIC but removing it would be a political decision - and I don't think that it's Mozilla's business to make political decisions. There are other certificates issued by CAs which are obviously or presumably controlled by governments (which might not always adhere to democratic standards) or which are "seemingly obscure organizations" (as the article put it) - where would you draw the line? No, it's not a "perfectly easy" decision, IMO.
     
  12. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Oh, the role of the CA is to issue the government whatever certificates it needs? Because that is exactly what is happening, no matter how much Mozilla blurbs about lack of evidence. You know, collecting such evidence is rather dangerous: if you find yourself in the country, best case you end up in jail. If you find yourself outside of the country, your entire family gets into even more trouble than it was in before you emigrated.

    And no, we are not talking removal, we are talking about adding the junk in the first place. You are not obliged to add any such stuff, no one can force you. The strategy - get money and sneak it in secretly so that as few people as possible notice. And then when people notice and the outrage starts, you go and start with this policy and lack-of-evidence corporate blurb so that you do not need to take any action.

    Well, I do not see further discussion here being productive. Mozilla -> FAIL. :thumbd:
     
  13. tgell

    tgell Registered Member

    Joined:
    Nov 12, 2004
    Posts:
    1,097
    How the Comodo certificate fraud calls CA trust into question
    Article
     
  14. Heimdall

    Heimdall Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    185
    How about the Japanese Government, or the Taiwanese Government, they're both in there too!

    Seriously, it's a little naive to start picking out particular Mozilla faults, when any one of the others could be masquerading as the US(insert any here) Government.

    SSL/TLS is broken, has been for a long time.
     
  15. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,713
    Location:
    George, S.Africa
  16. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    (via Heise Security)

    Translation: Having a reseller account with Comodo, anyone can take over a domain of their choice merely by using the API instead of the WebGUI.
    :blink: :rolleyes:

    A hacker's claim of responsibility

    :rolleyes: :ouch:
     
  17. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    I was just about to post this. It sounds legit to me. It is even worse than I thought -- being able to sign certs by merely breaking the website is downright shameful. What a joke for security.
     
  18. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
    How the Comodo certificate fraud calls CA trust into question
    More at: Link
     
  19. LaserWraith

    LaserWraith Registered Member

    Joined:
    Apr 23, 2009
    Posts:
    38
    Location:
    Under your bed!
    While this could be true, I'm hesitant to believe some random programmer on PasteBin.
     
  20. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hello siljaline:

    I read your links with interest and concern.

    Now I want to ask you some very simple questions easy to ask but not so simple maybe to answer.

    1) I have attached (I hope) some jpg images from my FF 4 list of CAs. How do I know whether they are safe? Should I, or can I, delete any whose source I don't like?

    2) How do I remove them all and replace them with a small set of safe ones? Some say "built in"? What is that about?
     


    Last edited: Mar 28, 2011
  21. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
  22. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
  23. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
  24. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,832
    Location:
    U.S.A.
     
  25. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
    Comodo Inspires No Confidence as Hacker Compromises Two More Accounts & Page 2


    Users of older Firefox versions should update the browser ASAP; otherwise, when they're trying to access AMO (addons.mozilla.org) to install an add-on, their browser is vulnerable to MITM attacks.
     