SSL certificate authority Comodo compromised - update your browsers!

Discussion in 'other security issues & news' started by tlu, Mar 23, 2011.

Thread Status:
Not open for further replies.
  1. tlu

    tlu Guest

  2. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047

    Attached Files:

  3. constantine76

    constantine76 Registered Member

    Joined:
    Dec 18, 2010
    Posts:
    178
    Very nice information there!

I am not using their freebie but I am now downloading from the MS Download center. I want to explain this to some friends in a simpler manner but would like to ask you guys for some scenarios or examples to further my friends' understanding.

    Thanks:)
     
  4. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    I needed a good laugh today. Here's the official Incident Report by Comodo. Aaaand - now here is Melih's explanation of the "incident":

    Original source - Melih's blog. (Posting in full here in case it would by chance disappear there.)
     
    Last edited by a moderator: Mar 23, 2011
  5. Carver

    Carver Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    1,827
    Location:
    USA
    I got the revocation cert from the windows update site and the cert from the custom page.
     
  6. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    The world wouldn't be as humorous without Comodo.
     
  7. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    Though updates have been released for Firefox and Internet Explorer, is there any recourse for those of us using Opera?

    Also, forgive my dire ignorance, but from what I gather of this incident, the fraudulent certificates would enable an attacker to craft a phishing page that looks legitimate by passing SSL authentication, correct? There's no threat of credential theft just from using these websites normally, yes? I'm not sure what the threat is here, beyond the ability to make very convincing phishing pages. But I don't deny I could be missing something.
     
  8. Technical

    Technical Registered Member

    Joined:
    Oct 12, 2003
    Posts:
    471
    Location:
    Brazil
What should the user do to remedy the situation?
Should he do anything with the certificates on his computer?
     
  9. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
For sane browsers which use the system certificate store, a root certificate update (critical) is being pushed by MS via WU/WSUS for all (supported) operating systems. It's also fixed in the latest FF versions for the 3.5, 3.6 and 4.0 branches. As for Opera/Safari - I don't know what they are using. If they bundle their own certs, they need an update.

Also, set FF to use OCSP and fail certificate validation if the OCSP server cannot be contacted. (Settings - Advanced - Encryption tab - Validation button, or some such; I don't have the English version at hand ATM.)

    If you have had enough of Comodo's incompetence and you maintain some domain environment, I'd recommend pushing a group policy to remove any trust from Comodo's and their resellers' (AddTrust AB, The UserTrust Network) certificates.
     
  10. Technical

    Technical Registered Member

    Joined:
    Oct 12, 2003
    Posts:
    471
    Location:
    Brazil
    done.

How do I do that on a notebook?
I mean, should I delete any certificate stored on my computer?
     
  11. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
If you updated your browser, as you did, that is it. Nothing else is required, nor do you need to delete any certs.
     
  12. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
Remove trust, don't delete. Though that's completely optional if you think it's not going to happen again and that the CRL is complete (i.e., that Comodo hasn't issued more of these fraudulent certs). :p To do this locally, run certmgr.msc, find the certs from Comodo, AddTrust AB and The UserTrust Network, double-click on them, on the Details tab select Edit properties and select Disable all purposes for this certificate.

    More on the phun: Web Browsers and Comodo Disclose A Successful Certificate Authority Attack, Perhaps From Iran
     
    Last edited: Mar 23, 2011
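The point made in posts #9 and #12 (chain validation alone accepts a fraudulently issued certificate; only revocation checking catches it, and only if the client enforces it) can be reproduced on any box with the openssl command-line tool. The script below is an added example, not code from this thread, from Comodo or from any browser vendor: it builds a throw-away CA, issues a certificate for mail.google.com (one of the names on the fraudulent certs), then revokes it and publishes a CRL. The toy CA, every file name and the working directory are constructed for the demonstration; the only assumption is that `openssl` is on the PATH.

```sh
#!/bin/sh
# Added example (not from the thread): a throw-away CA issues a certificate for
# mail.google.com exactly as a compromised CA would, and we watch how OpenSSL
# judges that certificate with and without revocation checking.
# Assumptions: the openssl CLI is installed; the CA, names and paths below are
# constructed for this demonstration only.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal config for 'openssl req' and 'openssl ca' so no system openssl.cnf is needed.
cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca         = toy_ca
[ toy_ca ]
dir                = $WORK
database           = \$dir/index.txt
new_certs_dir      = \$dir
certificate        = \$dir/ca.crt
private_key        = \$dir/ca.key
serial             = \$dir/serial
crlnumber          = \$dir/crlnumber
default_md         = sha256
default_crl_days   = 1
policy             = any_policy
[ any_policy ]
commonName         = supplied
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
: > "$WORK/index.txt"
echo 1000 > "$WORK/serial"
echo 01   > "$WORK/crlnumber"

quiet() { "$@" >/dev/null 2>&1; }

# 1. The CA's self-signed root; this is what a browser or OS trust store holds.
quiet openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -days 2 -subj "/CN=Toy Root CA"

# 2. The "attacker" requests and receives a certificate for mail.google.com.
#    Nothing inside the signed certificate records that the request was fraudulent.
quiet openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" -subj "/CN=mail.google.com"
quiet openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAserial "$WORK/serial" -days 1 -out "$WORK/leaf.crt"

# 3. The CA notices, revokes the certificate and publishes a CRL.
quiet openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/leaf.crt"
quiet openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl"

# Chain validation only: the signature chains to a trusted root, so it is accepted.
verify_chain_only() {
    quiet openssl verify -CAfile "$WORK/ca.crt" "$WORK/leaf.crt"
}
# Revocation enforced and the CRL available: rejected (error 23, certificate revoked).
verify_with_crl() {
    quiet openssl verify -crl_check -CAfile "$WORK/ca.crt" -CRLfile "$WORK/ca.crl" "$WORK/leaf.crt"
}
# Revocation enforced but no CRL reachable: a hard-fail client rejects
# (error 3, unable to get certificate CRL); a soft-fail client would accept.
verify_crl_unavailable() {
    quiet openssl verify -crl_check -CAfile "$WORK/ca.crt" "$WORK/leaf.crt"
}

report() { if "$1"; then echo "$2: accepted"; else echo "$2: rejected"; fi; }
report verify_chain_only      "chain validation only"
report verify_with_crl        "chain + CRL check"
report verify_crl_unavailable "chain + CRL check, CRL unavailable"
```

The first result is the situation every affected browser was in before the vendor updates: the certificate is cryptographically valid and chains to a trusted root. The second is what an up-to-date CRL or OCSP response gives you, and the third is the difference between OCSP hard-fail (what post #9 recommends) and the soft-fail default, where an attacker who can also block the revocation lookup wins.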
  13. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    Is there anything a user can do to defend themselves if their browser of choice has not issued an update? I use Opera, and to my knowledge they have remained entirely silent on this issue.
     
  14. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
  15. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Comodo guys have not heard about DNSSEC yet either :rolleyes:

    The latest from Melih - well that guy should urgently see a doctor - that is for sure.

    :argh: :rolleyes: :blink: :ninja:
     
  16. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Wow, interesting development.
     
  17. Technical

    Technical Registered Member

    Joined:
    Oct 12, 2003
    Posts:
    471
    Location:
    Brazil
  18. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Related thread, I have suggested a topic merge, it is up to the Mods if they so choose to do so.
     
  19. pandorax

    pandorax Registered Member

    Joined:
    Feb 14, 2011
    Posts:
    330
Hey, I don't know what it is :doubt: I know SSL certificates encrypt the data and keep third persons away. But what is this incident about? Did they inject fake certificates into Google, Yahoo? What is it? Please explain it to me in simple words.
     
  20. SteveBlanchard

    SteveBlanchard Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    312
    Location:
    ENGLAND
  21. Technical

    Technical Registered Member

    Joined:
    Oct 12, 2003
    Posts:
    471
    Location:
    Brazil
  22. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    http://www.theregister.co.uk/2011/03/23/gmail_microsoft_web_credential_forgeries/page2.html

    Spot on. This secrecy only helped the fraud guys, noone else. :thumbd:
     
  23. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    1,955
    Location:
    DC Metro Area
    BBC News Technology

    Iran accused in 'dire' net security attack


    Hackers in Iran have been accused of trying to subvert one of the net's key security systems.

    Analysis in the wake of the thwarted attack suggests it originated and was co-ordinated via servers in Iran.

If it had succeeded, the attackers would have been able to pass themselves off as web giants Google, Yahoo, Skype, Mozilla and Microsoft.

    The impersonation would have let attackers trick web users into thinking they were accessing the real service.

    Fake identity

    The attack was mounted on the widely used online security system known as the Secure Sockets Layer or SSL.

    Full story here:

    http://www.bbc.co.uk/news/technology-12847072
     
  24. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    To be candid with this thread I have NEVER given any time or effort to SSL certificate authorities. :oops:

    So scanning this thread I decided to look at my FF certificate tab. I was amazed to see so many! :eek:

    See attached image.

Now that I have seen these, how do I know if they are good, bad or passive?

    What do I do as a user?
     

    Attached Files:

  25. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I have not yet read all the story. I need to read and understand a lot as I have very little idea of all this certificate stuff.

    My questions:

1- What should an average person/user be advised to do? What should I tell a typical user running Windows, Linux or OS X with default settings?

    2- What about windows systems which are not being updated by their users?

Thanks for any replies.
     