SSL certificate authority Comodo compromised - update your browsers!

Discussion in 'other security issues & news' started by tlu, Mar 23, 2011.

Thread Status:
Not open for further replies.
  1. Technical

    Technical Registered Member

    Joined:
    Oct 12, 2003
    Posts:
    471
    Location:
    Brazil
    I follow Escalader and aigle.
    What should the user do? o_O
     
  2. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    The average non-Windows user should simply update Firefox if they use it; other browsers don't need to be updated.

    The average Windows user is perfectly safe; using IE is perfectly safe. If you wish to completely block the bad certificates you can get the latest Windows update.
     
  3. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Well, at minimum I would recommend disabling CNNIC. Mozilla simply fails here, be it Comodo or this incident. They plainly refuse to take any action. Money >> users' security. :mad:

    https://bugzilla.mozilla.org/show_bug.cgi?id=476766
    https://bugzilla.mozilla.org/show_bug.cgi?id=542689

    The whole concept is simply flawed. They bug users with uber-annoying warnings about self-signed certs, but in fact those are no worse than this "trusted" third-party stuff.


    Sadly, this is not the case with either IE8 or FF (incl. v4). The OCSP default settings are broken there: the certificate is not treated as invalid when OCSP servers cannot be contacted.

    And on the conspiracy note:

    BBC News: Iran accused in 'dire' net security attack
    No reason to believe Comodo attack came from Iran

    Bingo. Exactly what China has done with CNNIC.

    Oh, and Melih's response?

    Ashamed. Yeah, you'd better be, Mr. "entrepreneur of the year". :rolleyes: :thumbd:

    Computerworld: Delay in disclosing SSL theft put Iranian activists at risk, says researcher

     
    Last edited: Mar 25, 2011
  4. tlu

    tlu Guest

    Wrong. Chrome had released an update last week to address the issue. And Opera and Safari are also affected, of course. I don't know if they have released updates, too.

    No, it isn't if you don't apply the update according to http://www.microsoft.com/technet/security/advisory/2524375.mspx (which is done via Windows Updates if automatic updates are enabled).
     
  5. Technical

    Technical Registered Member

    Joined:
    Oct 12, 2003
    Posts:
    471
    Location:
    Brazil
    What's the matter with Mozilla company?
    Others said they're money driven, but who's giving them the money?
    Won't they think of the users?
     
  6. Technical

    Technical Registered Member

    Joined:
    Oct 12, 2003
    Posts:
    471
    Location:
    Brazil
    A very good article explaining man-in-the-middle (MITM) attack, the failure of the Certificate Authorities (CAs) model and Comodo's colossal screw up.

     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    The whole model looks really rubbish to me. Anyone with enough resources/powers, esp. a government, can break it and can do a lot before it becomes open to the public.

    There is a need that experts think about a new or modified model, IMO.
     
  8. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,713
    Location:
    George, S.Africa
    tlu, what about the ssl blacklist plugin for Firefox http://codefromthe70s.org/sslblacklist.aspx

    Does it still serve a purpose?
     
  9. Technical

    Technical Registered Member

    Joined:
    Oct 12, 2003
    Posts:
    471
    Location:
    Brazil
    It's from 2008... Seems very outdated to be used as a security tool. Also, if it was a pot of gold, why have we never heard about it? o_O
     
  10. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,713
    Location:
    George, S.Africa
    Well, that's why I am asking you guys whether it still has relevance. BTW my add-on was updated 31 Jan 2010.

     
  11. Technical

    Technical Registered Member

    Joined:
    Oct 12, 2003
    Posts:
    471
    Location:
    Brazil
  12. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,052
    Location:
    Texas
    http://www.h-online.com/security/news/item/Tip-Activating-certificate-checks-in-Safari-1215476.html
     
  13. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    http://blog.mozilla.com/security/2011/03/25/comodo-certificate-issue-follow-up/

     
  14. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
  15. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Certificates are not really used just by browsers. Also note that the OCSP thing is disabled by default in IE8 and essentially useless with default FF settings, as it ignores OCSP failure.
     
  16. Technical

    Technical Registered Member

    Joined:
    Oct 12, 2003
    Posts:
    471
    Location:
    Brazil
    IE must be updated to IE9. There are tons of older IE versions users.
    Firefox (even on version 4) requires manual intervention.
    Google Chrome added a lot of certificates as fraudulent.
     

  17. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    Opera devs insist that their browser is safe without needing an update. I've yet to test what they claim, particularly in light of what was published on the Tor Project Blog regarding how easily OCSP is defeated, but they could be 100% right for all I know. For the Opera comment, see here.
     
  18. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    What needs to be done? I was of the understanding yesterday that upgrading to 4 was enough. o_O
     
  19. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    At minimum fix the OCSP settings on the Advanced tab - Certificates. Otherwise, revoked certificates will be "conveniently" ignored if FF cannot connect to the OCSP server.


    This one looks good.
     
    Last edited: Mar 25, 2011
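The soft-fail behaviour described in the post above, as an added example that is not code from the thread or from any browser: a small model of a client's OCSP failure policy, run over a constructed revocation list. The responders stand in for the network call a browser would make; the serial numbers are made up for the demo. `require_ocsp=False` models the Firefox default (the "treat the certificate as invalid when an OCSP server connection fails" checkbox unticked, i.e. `security.OCSP.require` set to false in about:config), `require_ocsp=True` models the hardened setting the post recommends.

```python
# Added example, not code from the thread: a model of a browser's OCSP
# failure policy, to show why the default soft-fail setting lets a revoked
# certificate through when the OCSP responder cannot be reached.
# Everything here is hypothetical: the serials are constructed, and the
# "responders" stand in for the network call a browser would make.
from dataclasses import dataclass
from typing import Callable

# Constructed revocation data: the serials the CA has revoked.
REVOKED_SERIALS = {"0x1f3a", "0x2b47"}


@dataclass
class OcspResponse:
    status: str  # "good", "revoked" or "unknown"


class ResponderUnreachable(Exception):
    """The OCSP responder did not answer (timeout, DNS failure, blocked)."""


def honest_responder(serial: str) -> OcspResponse:
    """A reachable responder that knows the revocation list."""
    return OcspResponse("revoked" if serial in REVOKED_SERIALS else "good")


def blocked_responder(serial: str) -> OcspResponse:
    """What a man-in-the-middle does: drop the OCSP query so no answer arrives."""
    raise ResponderUnreachable(serial)


def certificate_accepted(serial: str,
                         responder: Callable[[str], OcspResponse],
                         require_ocsp: bool) -> bool:
    """Decide whether the client accepts the certificate with this serial.

    require_ocsp=False is soft-fail: an unreachable responder (or an
    "unknown" answer) is treated as "no news is good news".
    require_ocsp=True is hard-fail: without a definite "good" the
    certificate is rejected.
    """
    try:
        response = responder(serial)
    except ResponderUnreachable:
        return not require_ocsp
    if response.status == "good":
        return True
    if response.status == "revoked":
        return False
    return not require_ocsp  # "unknown": same policy as an unreachable responder


def policy_matrix(serial: str) -> dict:
    """All four combinations of responder reachability and failure policy."""
    return {
        (name, policy): certificate_accepted(serial, responder, require)
        for name, responder in (("reachable", honest_responder),
                                ("blocked", blocked_responder))
        for policy, require in (("soft-fail", False), ("hard-fail", True))
    }


if __name__ == "__main__":
    for (reach, policy), ok in policy_matrix("0x1f3a").items():
        print(f"revoked cert, responder {reach:9s}, {policy}: "
              f"{'ACCEPTED' if ok else 'rejected'}")
```

The matrix for the revoked serial is the whole point: with soft-fail, an attacker who can present a revoked certificate and also drop the OCSP query (trivial for anyone already on the path) gets the certificate accepted. Hard-fail closes that hole, at the cost that a legitimately good certificate is rejected whenever the responder is unreachable, which is the availability trade-off the browser vendors cite for keeping soft-fail as the default.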
  20. Technical

    Technical Registered Member

    Joined:
    Oct 12, 2003
    Posts:
    471
    Location:
    Brazil
  21. Technical

    Technical Registered Member

    Joined:
    Oct 12, 2003
    Posts:
    471
    Location:
    Brazil
    Not compatible with Firefox 4.

    Hmmm... Not sure if it is really working.
     
  22. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    On a related note, IE9 is sadly missing HSTS support, which has been added to FF 4.0.

     
  23. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    http://tools.ietf.org/html/draft-hodges-strict-transport-sec-02

    Ouch :rolleyes: but we already know MS's stance on implementing draft proposals such as web workers; I doubt that will ever change.

    Is it worth implementing it considering the disadvantages, and also considering the fact that it is hard for a user to override a blocked page? Average Joe won't figure it out.
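What the draft linked above actually asks a client to do, as an added example that is not code from the thread, from the draft's authors or from any browser: a minimal HSTS policy cache that honours `max-age` and `includeSubDomains`, upgrades http:// URLs for known hosts before a request leaves the machine, and makes a TLS error on a known host fatal instead of click-through. Host names, header values and the clock are constructed for the demo. One caveat worth stating plainly: HSTS blocks SSL-stripping downgrades and removes the "accept this certificate anyway" escape hatch, but it does nothing against a fraudulently issued certificate that chains to a trusted root, which is exactly the Comodo case; that is a revocation and trust-store problem, not a transport-policy one.

```python
# Added example, not code from the thread or from the draft's authors: a
# minimal HSTS policy cache along the lines of
# draft-hodges-strict-transport-sec (max-age directive, optional
# includeSubDomains), to show what a browser gains from HSTS and why a
# blocked page cannot be clicked through. Hosts, header values and the
# clock are constructed for the demo.
import re
import time
from urllib.parse import urlsplit, urlunsplit

_MAX_AGE = re.compile(r"^max-age=(\d+)$", re.IGNORECASE)


class HstsCache:
    """Per-host Strict-Transport-Security state, as a browser would keep it."""

    def __init__(self, now=time.time):
        self._now = now
        self._hosts = {}  # host -> (expiry timestamp, includeSubDomains flag)

    def note_header(self, host: str, header_value: str, over_tls: bool) -> bool:
        """Record a Strict-Transport-Security header; True if it was honoured.

        The draft only lets the header take effect on a connection whose
        certificate validated, so a header seen over plain HTTP (which an
        attacker on the path could inject) is ignored.
        """
        if not over_tls:
            return False
        max_age, include_sub = None, False
        for directive in header_value.split(";"):
            directive = directive.strip()
            m = _MAX_AGE.match(directive)
            if m:
                max_age = int(m.group(1))
            elif directive.lower() == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False  # max-age is required; a malformed header is ignored
        host = host.lower()
        if max_age == 0:
            self._hosts.pop(host, None)  # max-age=0 tells the client to forget the host
        else:
            self._hosts[host] = (self._now() + max_age, include_sub)
        return True

    def is_known(self, host: str) -> bool:
        """True if host (or a parent with includeSubDomains) has an unexpired policy."""
        labels = host.lower().split(".")
        now = self._now()
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires, include_sub = entry
            if expires > now and (i == 0 or include_sub):
                return True
        return False

    def rewrite_url(self, url: str) -> str:
        """Upgrade http:// to https:// for a known host before any request is sent."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or ""):
            return url
        # Port 80 becomes the https default; any explicit other port is kept.
        netloc = parts.hostname if parts.port in (None, 80) else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

    def cert_error_is_fatal(self, host: str) -> bool:
        """For a known host the draft forbids the usual click-through on TLS errors."""
        return self.is_known(host)


if __name__ == "__main__":
    cache = HstsCache()
    cache.note_header("example.com", "max-age=3600; includeSubDomains", over_tls=True)
    print(cache.rewrite_url("http://mail.example.com/inbox"))
    print("fatal on cert error:", cache.cert_error_is_fatal("mail.example.com"))
```

The `cert_error_is_fatal` path is the "disadvantage" raised in the post: once a host is in the cache, a certificate error on it is an error page with no override, so a user who would otherwise click through cannot. That is the intended behaviour, since the click-through is precisely what an active attacker relies on.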
     
  24. Technical

    Technical Registered Member

    Joined:
    Oct 12, 2003
    Posts:
    471
    Location:
    Brazil
  25. LaserWraith

    LaserWraith Registered Member

    Joined:
    Apr 23, 2009
    Posts:
    38
    Location:
    Under your bed!
    +1 Thanks.


    I have a question: Many of you guys are laughing at Comodo, and acting as if they were the only problem. But couldn't this just as easily happen to another CA?

    Could another CA have issued certificates to "bad guys" (by mistake), and no one would know?
     