Comodo - SSL issues

You’re right. My fault. Users of Firefox 4 should do it manually.

Tech,
There was a whole week that no one knew (almost no one) about the issue.
You can’t protect against something you know nothing about.

Well, Google did ;D … and so did the others, but only Google issued a revocation list, through an update to Chrome beta on March 15. But yeah, no one really talked.

SSL meltdown: a cyber war attack?
http://www.h-online.com/security/news/item/SSL-meltdown-a-cyber-war-attack-1214104.html

Agree.
But Microsoft knows that: they’ve changed the default in IE9 for a reason.
Google seems to have known that.
And so did Comodo…
And yet Mozilla does not change the default in Firefox 4…

Is anybody thinking of users?

http://www.theregister.co.uk/2011/03/23/gmail_microsoft_web_credential_forgeries/page2.html

The decision by Google, Microsoft, Mozilla and Comodo to keep the world in the dark for eight days comes as a slap in the face to their users.

1/ Comodo? Gah, no way. They only care about $$$$$$$$$ revenue; they will happily issue anyone a certificate and even put them on their trusted vendors list as a bonus. Enjoy signing your malware and having it run nicely on systems “protected” by CIS.

2/ Mozilla? Nope, not really. I suspect they get money for including CAs in their browser. CAcert.org is still not added despite being requested, and after years of users complaining. CNNIC (controlled directly by the Chinese govt.) got in pretty much silently, and after a huge outrage it’s still there and apparently no action will be taken. Comodo’s root certificates are still there despite the previous blunder, and don’t hold your breath for them to disappear after this one either.

3/ MS? Hmmmm… $$$$$$$$$. As long as it pisses off their corporate customers, they will care. Otherwise, meh.

:slight_smile:

hmm… Comodo’s becoming a net celebrity ;D
http://j.mp/e4Osq0

… maybe not the way they expected ???

Does anyone know how to import a CRL in Firefox? It doesn’t seem to work. There’s no prompt to browse for a file in Windows when attempting to import, and pasting the link manually doesn’t have any effect…

ps: I know that OCSP validation + connection check is enough, but I still want to know why I cannot import a CRL…

It only takes URLs - try file://path/to/the/file.crl

oh okay thanks :wink:

edit: okay worked :wink:

Okay, there are tons of articles; this one, among others, sounds interesting:
http://arstechnica.com/security/news/2011/03/how-the-comodo-certificate-fraud-calls-ca-trust-into-question.ars

Thanks Logos; very good article.

you’re welcome :slight_smile:

A very good article explaining the man-in-the-middle (MITM) attack, the failure of the Certificate Authority (CA) model and Comodo’s colossal screw-up.

The mathematics behind the authentication and encryption are pretty robust (at least given current knowledge), so those parts are reasonably safe. But an awful lot of trust is placed on those root CAs. If a root CA starts issuing certificates to people that it shouldn't—giving a hacker a certificate purporting to be [Mozilla, Microsoft, Google, Skype, Yahoo...], say—then the whole system collapses. The hacker can act as a man-in-the-middle and the client's Web browser will actually trust his certificate. No warning about self-signed certificates; everything will just work as if nothing were wrong.
And that's exactly what one of the root CAs, Comodo, has done. Nine times. A user account belonging to a Comodo "Trusted Partner" based in Southern Europe was hacked, and this hacked account was used to issue nine fraudulent certificates. [...] The hacked user account has been suspended, and the company has instituted "additional audits and controls" of an entirely unspecified nature.
Further detective work by Appelbaum revealed that the blacklisted certificates were issued by Salt Lake City-based Comodo reseller UserTrust.
The chain of trust is broken [...] This is not the first time that a bogus certificate has been issued. Back in 2001, Verisign [...] [but] This attack was worse than those previous incidents, however. [...] A single hack of a CA, or coercion of a CA in a despotic regime, means that a malicious party can produce a certificate that essentially every device on the Internet will trust, allowing interception and eavesdropping of secure communications. [...] The current chain of trust concept is endemic, and the commercial nature of most root CAs means that they will apply pressure to keep the current system.
The centralized trust model doesn't work.

Thanks Logos for finding the article.

These seem to be add-ons against man-in-the-middle attacks.

SSL Guard (some comments are related to lack of browsing).
Certificate Patrol.

Can people help testing them?

I’ll give Certificate Patrol a shot; I already saw it yesterday :wink:

For Logos:
http://www.h-online.com/security/news/item/Tip-Activating-certificate-checks-in-Safari-1215476.html

:stuck_out_tongue:

Okay, about Certificate Patrol: on the info side it doesn’t bring anything more than what’s already available in Firefox. Otherwise, there are options that, if activated, should be able to alert you to suspicious changes.
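The Ars Technica passage quoted above makes the point that a certificate from any trusted root passes the browser's chain check, so a fraudulent certificate from a different CA produces no warning. Add-ons like Certificate Patrol work around that by remembering the certificate first seen for a host and flagging later changes. The following is an added example, not code from this thread or from the Certificate Patrol add-on: a small Python model of that trust-on-first-use pinning logic. The hostname, CA names, "certificate" bytes and dates are constructed stand-ins; in a real add-on the fingerprint would be taken over the actual DER-encoded leaf certificate and the issuer from its Issuer field.

```python
"""Trust-on-first-use certificate pinning, the idea behind add-ons such as
Certificate Patrol. Added example; hostnames, CA names and "certificate"
bytes are constructed stand-ins, not real data."""
import hashlib
from dataclasses import dataclass
from datetime import date


@dataclass
class CertObservation:
    """What the browser already knows after a TLS handshake."""
    day: date         # when the connection was made
    host: str
    issuer: str       # CA that signed the leaf certificate
    der: bytes        # leaf certificate bytes (constructed here, real DER in practice)
    not_after: date   # leaf certificate expiry


def fingerprint(der: bytes) -> str:
    """SHA-256 over the certificate bytes, i.e. the thumbprint browsers display."""
    return hashlib.sha256(der).hexdigest()


class PinStore:
    """Remembers the first certificate seen per host and judges later ones.

    Verdicts:
      FIRST_SEEN             - no pin yet; trust on first use and record it
      OK                     - same certificate as pinned
      RENEWED                - new cert from the same CA while the old one was about to expire
      WARN_EARLY_REPLACEMENT - same CA, but the pinned cert had plenty of life left
      ALERT_ISSUER_CHANGED   - new cert from a different CA: what a fraudulently
                               issued certificate from another trusted root looks like
    """

    def __init__(self, renewal_window_days: int = 30):
        self.renewal_window_days = renewal_window_days
        # host -> (issuer, fingerprint, not_after)
        self.pins: dict[str, tuple[str, str, date]] = {}

    def check(self, obs: CertObservation) -> str:
        fp = fingerprint(obs.der)
        pinned = self.pins.get(obs.host)
        if pinned is None:
            self.pins[obs.host] = (obs.issuer, fp, obs.not_after)
            return "FIRST_SEEN"
        pinned_issuer, pinned_fp, pinned_not_after = pinned
        if fp == pinned_fp:
            return "OK"
        if obs.issuer != pinned_issuer:
            # The browser's own chain check passes for any trusted root, so this
            # is the case the pin exists to catch. The pin is deliberately kept.
            return "ALERT_ISSUER_CHANGED"
        days_left = (pinned_not_after - obs.day).days
        if days_left <= self.renewal_window_days:
            # Same CA, old cert about to expire: treat as routine renewal.
            self.pins[obs.host] = (obs.issuer, fp, obs.not_after)
            return "RENEWED"
        return "WARN_EARLY_REPLACEMENT"


def run_demo() -> list[str]:
    """Replays a constructed sequence of connections to one host."""
    store = PinStore()
    host = "mail.example.test"                # constructed hostname
    legit_ca = "Example Root CA"              # constructed CA name
    other_ca = "Some Other Trusted Root CA"   # also in the browser's store; constructed
    observations = [
        CertObservation(date(2011, 1, 10), host, legit_ca, b"constructed-cert-A", date(2011, 4, 1)),
        CertObservation(date(2011, 2, 1), host, legit_ca, b"constructed-cert-A", date(2011, 4, 1)),
        # Same name, different trusted CA: no browser warning, but the pin flags it.
        CertObservation(date(2011, 3, 15), host, other_ca, b"constructed-cert-X", date(2012, 3, 15)),
        # Routine renewal by the original CA shortly before expiry.
        CertObservation(date(2011, 3, 20), host, legit_ca, b"constructed-cert-B", date(2012, 4, 1)),
        # Replacement by the same CA long before expiry: worth a closer look.
        CertObservation(date(2011, 6, 1), host, legit_ca, b"constructed-cert-C", date(2012, 6, 1)),
    ]
    return [store.check(obs) for obs in observations]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The renewal heuristic is the weak spot of this approach, as it was for the real add-ons: a legitimate site that replaces its certificate early looks the same as a same-CA compromise, so the warning verdict is only a prompt to look at the new certificate, not proof of an attack.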

;D lol yeah I know, but I don’t use Safari desktop at all, I just use the mobile version where there are no options at all :smiley: See screenshot; add to that private data clearing and website storage, and you’ve seen all Safari settings on iPhone/iPod.

edit: and no, there is no security settings section in iOS.