SSL certificate authority Comodo compromised - update your browsers!

Discussion in 'other security issues & news' started by tlu, Mar 23, 2011.

Thread Status:
Not open for further replies.
  1. Technical

    Technical Registered Member

    I follow Escalader and aigle.
    What should the user do? o_O
     
  2. elapsed

    elapsed Registered Member

The average non-Windows user should simply update Firefox if they use it; other browsers don't need updating.

    The average windows user is perfectly safe, using IE is perfectly safe. If you wish to completely block the bad certificates you can get the latest windows update.
     
  3. doktornotor

    doktornotor Registered Member

Well, at minimum I would recommend disabling CNNIC. Mozilla simply fails here, be it Comodo or this incident. They plainly refuse to take any action. Money >> users' security. :mad:

    https://bugzilla.mozilla.org/show_bug.cgi?id=476766
    https://bugzilla.mozilla.org/show_bug.cgi?id=542689

The whole concept is simply flawed. They bug users with uber-annoying warnings about self-signed certs, but in fact those are no worse than this "trusted" third-party stuff.


Sadly, this is not the case with either IE8 or FF (incl. v4). The OCSP default settings are broken there; the certificate is not treated as invalid when OCSP servers cannot be contacted.

    And on the conspiracy note:

    BBC News: Iran accused in 'dire' net security attack
    No reason to believe Comodo attack came from Iran

Bingo. Exactly what China has done with CNNIC.

    Oh, and Melih's response?

    Ashamed. Yeah, you'd better be, Mr. "entrepreneur of the year". :rolleyes: :thumbd:

    Computerworld: Delay in disclosing SSL theft put Iranian activists at risk, says researcher

     
    Last edited: Mar 25, 2011
  4. tlu

    tlu Guest

Wrong. Chrome released an update last week to address the issue. And Opera and Safari are also affected, of course. I don't know if they have released updates, too.

No, it isn't if you don't apply the update according to http://www.microsoft.com/technet/security/advisory/2524375.mspx (which is done via Windows Update if automatic updates are enabled).
     
  5. Technical

    Technical Registered Member

What's the matter with the Mozilla company?
Others said they're money-driven, but who's giving them the money?
Won't they think of the users?
     
  6. Technical

    Technical Registered Member

    A very good article explaining man-in-the-middle (MITM) attack, the failure of the Certificate Authorities (CAs) model and Comodo's colossal screw up.

     
  7. aigle

    aigle Registered Member

The whole model looks really rubbish to me. Anyone with enough resources/powers, esp. a government, can break it and can do a lot before it becomes open to the public.

There is a need for experts to think about a new or modified model, IMO.
     
  8. Ocky

    Ocky Registered Member

    tlu, what about the ssl blacklist plugin for Firefox http://codefromthe70s.org/sslblacklist.aspx

Does it still serve a purpose?
     
  9. Technical

    Technical Registered Member

It's from 2008... Seems very outdated to be used as a security tool. Also, if it was a pot of gold, why have we never heard about it? o_O
     
  10. Ocky

    Ocky Registered Member

    Well, that's why I am asking you guys whether it still has relevance. BTW my add-on was updated 31 Jan 2010.

linux: (quote from site)
     
  11. Technical

    Technical Registered Member

  12. ronjor

    ronjor Global Moderator

    http://www.h-online.com/security/news/item/Tip-Activating-certificate-checks-in-Safari-1215476.html
     
  13. doktornotor

    doktornotor Registered Member

    http://blog.mozilla.com/security/2011/03/25/comodo-certificate-issue-follow-up/

     
  14. elapsed

    elapsed Registered Member

  15. doktornotor

    doktornotor Registered Member

Certificates are not really used just by browsers. Also note that the OCSP thing is disabled by default in IE8 and essentially useless with default FF settings, as it ignores OCSP failure.
     
  16. Technical

    Technical Registered Member

    IE must be updated to IE9. There are tons of older IE versions users.
    Firefox (even on version 4) requires manual intervention.
    Google Chrome added a lot of certificates as fraudulent.
     


  17. Carbonyl

    Carbonyl Registered Member

    Opera devs insist that their browser is safe without needing an update. I've yet to test what they claim, particularly in light of what was published on the Tor Project Blog regarding how easily OCSP is defeated, but they could be 100% right for all I know. For the Opera comment, see here.
     
  18. xxJackxx

    xxJackxx Registered Member

    What needs to be done? I was of the understanding yesterday that upgrading to 4 was enough. o_O
     
  19. doktornotor

    doktornotor Registered Member

At minimum, fix the OCSP settings on the Advanced tab - Certificates. Otherwise, revoked certificates will be "conveniently" ignored if FF cannot connect to the OCSP server.


    This one looks good.
     
    Last edited: Mar 25, 2011
  20. Technical

    Technical Registered Member

  21. Technical

    Technical Registered Member

    Not compatible with Firefox 4.

    Hmmm... Not sure if it is really working.
     
  22. doktornotor

    doktornotor Registered Member

On a related note, IE9 is sadly missing HSTS support, which has been added to FF 4.0.

     
  23. elapsed

    elapsed Registered Member

    http://tools.ietf.org/html/draft-hodges-strict-transport-sec-02

Ouch :rolleyes: but we already know MS's stance on implementing draft proposals such as web workers; I doubt that will ever change.

Is it worth implementing it considering the disadvantages, and also considering the fact that it is hard for a user to override a blocked page? Average Joe won't figure it out.
     
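To make the trade-off in the last two posts concrete, here is an added example (not code from the thread, from Firefox or from the draft itself) of the policy a user agent keeps under draft-hodges-strict-transport-sec-02: the header is honoured only over a clean TLS connection, known hosts get http:// rewritten to https://, includeSubDomains widens the match, max-age=0 forgets the host, and for a known host a certificate error has no "add exception" path at all. Hostnames, header values and the fixed clock are constructed.

```javascript
// Added example (not from the thread or any browser): a minimal HSTS policy store
// per draft-hodges-strict-transport-sec-02. Sample hosts and headers are constructed.
'use strict';

const HEADER = 'strict-transport-security';

// Parse "max-age=<delta-seconds>[; includeSubDomains]". Returns null for a header
// the UA must ignore: max-age missing, malformed or given twice. Unknown directives
// are skipped, as the draft requires.
function parseHsts(value) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const part of value.split(';')) {
    const d = part.trim();
    if (!d) continue;
    const m = d.match(/^max-age\s*=\s*"?(\d+)"?$/i);
    if (m) {
      if (maxAge !== null) return null;
      maxAge = parseInt(m[1], 10);
    } else if (/^includeSubDomains$/i.test(d)) {
      includeSubDomains = true;
    }
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

class HstsStore {
  // now() is injectable so expiry can be tested without waiting.
  constructor(now = () => Date.now()) { this.now = now; this.hosts = new Map(); }

  // Only a header received over TLS with no certificate errors may create, refresh
  // or delete a policy; otherwise a network attacker could pin or unpin hosts.
  observeResponse(host, headers, { secure = false, certErrors = false } = {}) {
    const value = headers[HEADER];
    if (value === undefined || !secure || certErrors) return false;
    const parsed = parseHsts(value);
    if (!parsed) return false;
    host = host.toLowerCase();
    if (parsed.maxAge === 0) { this.hosts.delete(host); return true; }
    this.hosts.set(host, {
      expires: this.now() + parsed.maxAge * 1000,
      includeSubDomains: parsed.includeSubDomains,
    });
    return true;
  }

  // Known HSTS Server test: exact match, or a superdomain whose policy has
  // includeSubDomains. Expired entries are dropped as they are encountered.
  isKnown(host) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const policy = this.hosts.get(candidate);
      if (!policy) continue;
      if (policy.expires <= this.now()) { this.hosts.delete(candidate); continue; }
      if (i === 0 || policy.includeSubDomains) return true;
    }
    return false;
  }

  // Before any request goes out: http:// to a known host becomes https://.
  rewrite(url) {
    const u = new URL(url);
    if (u.protocol === 'http:' && this.isKnown(u.hostname)) u.protocol = 'https:';
    return u.toString();
  }

  // The cost the thread discusses: for a known host a certificate error is fatal
  // and the user is not offered an override dialog.
  certErrorOverridable(host) { return !this.isKnown(host); }
}
```

Note what this buys against an attacker holding a mis-issued certificate: nothing, because the bogus cert validates cleanly. HSTS closes the downgrade-to-plain-HTTP and click-through-the-warning paths, not the trusted-CA path; that is why the OCSP hard-fail setting and HSTS are complementary rather than alternatives.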
  24. Technical

    Technical Registered Member

  25. LaserWraith

    LaserWraith Registered Member

    +1 Thanks.


    I have a question: Many of you guys are laughing at Comodo, and acting as if they were the only problem. But couldn't this just as easily happen to another CA?

    Could another CA have issued certificates to "bad guys" (by mistake), and no one would know?
     