Equifax joins Comodo, apparently

Discussion in 'other security issues & news' started by Gullible Jones, Jun 25, 2010.

Thread Status:
Not open for further replies.
  1. I just got wind of a phishing site that uses HTTPS... 256-bit AES encryption, "verified" by a company called Equifax. I'll PM people the link if they ask - just remember, it IS a phishing site, and probably malware infested, so view it from a secure environment such as a live Linux CD.

    Anyway I've relayed the site to CERT. Hopefully they'll do something useful about it.
     
  2. You should know that this is a Verisign certificate and this is NOT the first time they have done this... take a look here:

    http://www.ccssforum.org/malware-certificates.php

    :)
     
  3. chronomatic (Registered Member, joined Apr 9, 2009, 1,343 posts)

    And you should know Comodo has also been guilty of the same thing.

    The fact is that the entire CA model is severely broken and was just a bad idea to start with. These third-party CAs can be trusted to verify the identities of the cert owners about as much as the mafia can be trusted to stop laundering money. This sort of thing is what happens when the SSL cert verification process becomes a for-profit endeavor -- the CAs push certs out the door as fast as is possible. Perhaps the biggest problem is that any start-up company can become a CA nowadays. There are, what, several hundred root CAs out there? The whole thing is ridiculous.

    The only way to go is with a web of trust like is used with PGP. No, this isn't as convenient, but it's a hell of a lot more secure.
     
    Last edited: Jun 26, 2010
  4. Yes.

    But now you see... It's NOT just Comodo. Domain Validation Certs can NOT be verified! Hence why malware authors can buy one of these without validation. At least with Extended Validation Certificates proper steps are taken and validation occurs.

    DV Certs need to go!!! But in the meantime, malware authors will continue to have access to such certs. The industry needs to come to an agreement to get rid of such certs!
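    The DV/OV/EV distinction argued about above, as an added example that is not part of the thread: a small Python classifier that reads a certificate's validation level from its subject and certificate-policy OIDs and checks whether the cert actually covers a hostname. It assumes the current CA/Browser Forum policy OIDs and uses constructed sample certificates, not real ones.

```python
# Added example, not from the thread: what a certificate asserts (and does not
# assert) about the party behind a site. Certificates are plain dicts here:
#   {"subject": {RDN: value}, "san": [dNSName, ...], "policies": [OID, ...]}

# CA/Browser Forum certificate-policy OIDs (assumed current values).
EV_POLICY = "2.23.140.1.1"
OV_POLICY = "2.23.140.1.2.2"
DV_POLICY = "2.23.140.1.2.1"


def validation_level(cert):
    """Return 'EV', 'OV' or 'DV'. DV certs carry only a domain name; OV/EV
    certs name a vetted organization, so the subject has O and C."""
    policies = set(cert.get("policies", []))
    subject = cert.get("subject", {})
    if EV_POLICY in policies:
        return "EV"
    if OV_POLICY in policies or ("O" in subject and "C" in subject):
        return "OV"
    return "DV"


def hostname_matches(cert, hostname):
    """RFC 6125-style match against SAN dNSNames (CN only as fallback):
    exact match, or a single leftmost-label wildcard like *.example.org."""
    hostname = hostname.lower().rstrip(".")
    names = [n.lower() for n in cert.get("san", [])] or \
        [cert.get("subject", {}).get("CN", "").lower()]
    for name in names:
        if name == hostname:
            return True
        if name.startswith("*.") and "*" not in name[2:]:
            suffix = name[1:]  # ".example.org"
            prefix = hostname[:-len(suffix)] if hostname.endswith(suffix) else None
            if prefix and "." not in prefix:
                return True
    return False


def describe(cert, hostname):
    """Everything a valid cert tells you: level, host coverage, and the
    organization (None for DV, where nobody vetted who owns the domain)."""
    level = validation_level(cert)
    org = cert.get("subject", {}).get("O") if level != "DV" else None
    return {"level": level, "covers_host": hostname_matches(cert, hostname),
            "organization": org}


# Constructed sample certs (not real): a DV cert of the kind a phishing site
# can obtain by proving domain control only, and an EV cert with a vetted org.
DV_CERT = {"subject": {"CN": "secure-login.example.net"},
           "san": ["secure-login.example.net", "www.secure-login.example.net"],
           "policies": [DV_POLICY]}
EV_CERT = {"subject": {"CN": "www.example.com", "O": "Example Corp", "C": "US"},
           "san": ["www.example.com"], "policies": [EV_POLICY]}
```

    A DV cert that passes every browser check still reports `organization: None`: the padlock proves the key holder controls the name, nothing more.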
     
  5. chronomatic (Registered Member, joined Apr 9, 2009, 1,343 posts)

    I agree that DV certs should go, but I still think the entire SSL model is broken as explained by Matt Blaze (CS professor and expert cryptologist) in the link I posted above.

    One of the biggest problems is who watches the watchers? Since certs are a for-profit business, many of these CAs push as many out the door as is possible. And who is to say that these CAs don't give out their private keys to government agencies (NSA) or criminal enterprises (who offer them a lot of bribe money), etc.? Can we really trust all of these HUNDREDS of CAs out there? I think history has proven that is a big fat NO.

    The only solution is to have a web of trust model, where domain owners create their own certs and individuals verify it themselves (and through a web of trust other people not in a position to verify it can determine for themselves the trust level of others who have verified it).

    Of course, I think another problem is too many people don't really understand what digital signatures are for. They are only there to verify that a website or piece of software belongs to the owner of the cert (or to the owner of the private key). Just because something has a signature does not mean it is trustworthy. That is a problem digital certs are not supposed to solve.
     
  6. Well now that we know this is an industry-wide problem... Which CA is showing the most responsibility and acting to clean up? Is it Verisign? Geotrust? Thawte? GoDaddy?

    Nope. It's Comodo - if any malware certificate is found, Comodo is the quickest to revoke it. So they are the most responsible Certification Authority.
     
  7. ace55 (Registered Member, joined Mar 29, 2010, 91 posts)

    I don't see what is so shocking about this. Digital certificates have never provided any reason to trust the entity holding the certificate, only to trust that all communications between yourself and said entity are secure.
     
  8. chronomatic (Registered Member, joined Apr 9, 2009, 1,343 posts)

    Well, sorta but not really. Digital certs are not for encryption, but are for authentication and integrity. That is, they are for verifying that a website (or software package) is not fake. You don't need a digitally signed cert for encryption.

    However, as you said, even the "real" owners of a domain or software package can be malicious. It is not the job of the digital cert to determine that. The cert's job is merely to ensure Alice that Bob really did sign a package or that she really is visiting Bob's website. It doesn't warn her if Bob's site is malicious.
     