Avast WEBforum
Other => General Topics => Topic started by: Asyn on March 23, 2011, 10:35:02 PM
-
Continued from 'Technical': http://forum.avast.com/index.php?topic=66267.msg617097#msg617097
Feel free to add your opinion.
asyn
Edit: doktornotor's thread is online again...
https://forums.comodo.com/ssl-certificate/comodo-issues-fraudulent-certificates-incl-mozilla-once-again-t70973.0.html
-
Posted in Wilders: http://www.wilderssecurity.com/showthread.php?p=1847026#post1847026
-
@doc: You thread @comodo has been restored. ;) (Thanks Bob..!!!)
https://forums.comodo.com/ssl-certificate/comodo-issues-fraudulent-google-microsoft-mozilla-skype-yahoo-certificates-t70990.0.html;msg504253#msg504253
All
My mistake, I'd forgotten that the Forum Policy Violation Board is no longer visible and what I had done was not transparent.
The original topic has been restored, less the offending posts.
Comodo issues fraudulent Google, Microsoft, Mozilla, Skype, Yahoo certificates
Sal: Thanks, I should had thought of that sooner. Smiley
-
this is all new to me, thanks guys ;D
-
@doc: You thread @comodo has been restored. ;) (Thanks Bob..!!!)
Haha... not my account though.
@mods: Would be nice to split the stuff from the original thread and move it here.
-
this added to the (unrelated) RSA affair... wonderful times :D
http://www.scmagazineuk.com/the-impact-of-the-rsa-token-data-breach-is-still-undetermined/article/198935/
edit: I started a thread about it a few days ago, thanks for the feedback there btw guys ::)
http://forum.avast.com/index.php?topic=74077.msg614434#msg614434
-
Haha... not my account though.
No..?? Did they ban you and leave your account running, or what..??
https://forums.comodo.com/ssl-certificate/comodo-issues-fraudulent-certificates-incl-mozilla-once-again-t70973.0.html
-
No..?? Did they ban you and leave your account running, or what..??
See below. (No, I don't need the account back, haven't been there for like 2 years).
-
edit: I started a thread about it a few days ago, thanks for the feedback there btw guys ::)
http://forum.avast.com/index.php?topic=74077.msg614434#msg614434
Well, I linked to your thread, but you didn't even notice. ;)
http://forum.avast.com/index.php?topic=52252.msg614616#msg614616
-
@Asyn okay ;)
Hmm guys... I see a major problem here, the "other" doctornotor is saying that FF4 RC2 was justified to block fraulent certificates. Fair enough... but FF has its own certificate store while Chrome is using Windows/IE store... and as far as I'm concerned unless MS sends an update through Windows Update IE8/9 and Chrome are vulnerable. Got to say that the ZDnet article is ...hmm... worrying
http://www.zdnet.com/blog/security/microsoft-warns-fraudulent-digital-certificates-issued-for-high-value-websites/8488?tag=nl.e589
ps: lol, funny I updated to RC2 a few days ago and the only thing I found was that Mozilla corrected a last minute bug... but the article didn't say what... I didn't really care and should have searched other places...
-
Hmm guys... I see a major problem here, the "other" doctornotor is saying that FF4 RC2 was justified to block fraulent certificates. Fair enough... but FF has its own certificate store while Chrome is using Windows/IE store... and as far as I'm concerned unless MS sends an update through Windows Update IE8/9 and Chrome are vulnerable. Got to say that the ZDnet article is ...hmm... worrying
Already out as critical update on WU and WSUS. Also manual d/l via http://support.microsoft.com/kb/2524375 (from XP up to Server 2008 R2)
P.S. IE and Chrome is doing it the right way (TM) - bundling its own certificates crap is plain wrong, and nightmare to manage in business environment.
-
yeah I just saw that in the article:
Microsoft has pushed out an update for all supported versions of Windows to help address this issue and notes that no action is required from Windows users with automatic update enabled. The company’s advisory contains instructions on manually applying the update.
edit: KB2524375 (W7/64) already available directly from Windows update.
-
Apparently the morons @ Comodo have not heard about DNSSEC yet either (https://forums.comodo.com/ssl-certificate/comodo-issues-fraudulent-google-microsoft-mozilla-skype-yahoo-certificates-t70973.0.html;msg504330#msg504330); ugh. ::)
If there was a secure and trusted DNS this issue would be a moot point! We need a Secure and Trusted DNS!
Now we are living in a new era where people who provide Authentication to end users are target for State-funded entities! Its a new era indeed.....brace yourselves....
Melih
:-X ::)
-
lol... the guy feels guilty ;D now he's trying to put the weight on DNS servers shoulders ::) same old Melih...
-
Seems, they're searchin for flimsy excuses. ;)
-
lol on a side note, I don't think anything worse could happen to Comodo. Officially they got screwed themselves (stolen credentials of an Comodo ssl cert provider)... now we don't know and we might never know how it happened...
-
For the ones who do not know what could happen:
These certificates may be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users including users of Internet Explorer.
-
Update your Windows!
Or http://www.microsoft.com/technet/security/advisory/2524375.mspx
-
Thanks, Tech.
Everyone, who answered here is aware of the risks. ;)
Still, if other users should follow this thread, it won't hurt to offer some basic feedback.
-
Hi guys, as I don't want this thread to become a discussion thread. ;)
Please post further replies to the Comodo issue here: http://forum.avast.com/index.php?topic=74516.0
Thanks,
asyn
Edit: Or follow Tech's link to WSF... (Thanks Tech..!!)
It would be a lot nicer to do it directly on the Comodo forum (https://forums.comodo.com/ssl-certificate/comodo-issues-fraudulent-certificates-incl-mozilla-once-again-t70973.0.html). :0
-
apparently Google reacted already a week ago ??? (meaning they can act without waiting for a Win Update)... and the issue was already known.
The Chrome Stable and Beta channels have been updated to 10.0.648.151 for Windows, Mac, Linux and Chrome Frame. This release blacklists a small number of HTTPS certificates. If you find new issues, please let us know by filing a bug. Want to change to another Chrome release channel?
not sure if that's related to what's being discussed here but according to an article I just read (Heise I think...) that is related.
http://www.h-online.com/security/news/item/SSL-meltdown-forces-browser-developers-to-update-1213358.html
http://googlechromereleases.blogspot.com/2011/03/stable-and-beta-channel-updates_17.html
... also just what I was thinking a few minutes ago (about Apple)
The update policies of Opera and Apple currently remain unknown
-
As SSL Certification is the core of Comodo security... This is a knock out, isn't it?
Edited: Bad English :P
-
... also just what I was thinking a few minutes ago (about Apple)
The update policies of Opera and Apple currently remain unknown
Opera has had OSCP enabled for quite a while. As for Safari - who cares (TM) :P
-
This is a knock down, isn't it?
It sure is. ;D
-
... also just what I was thinking a few minutes ago (about Apple)
The update policies of Opera and Apple currently remain unknown
Opera has had OSCP enabled for quite a while. As for Safari - who cares (TM) :P
well excuse me but I do care, check my sig ::)
ps: I hate Safari, but there's no serious alternative on iDevices.
-
well excuse me but I do care, check my sig ::)
You mean the "Alliance for the Promotion of Avast Native Orange Skin"? :D ;D
-
well excuse me but I do care, check my sig ::)
You mean the "Alliance for the Promotion of Avast Native Orange Skin"? :D ;D
yes ;D
-
I see Safari desktop has OCSP checking available - must be manually activated - but I have no idea if Safari iOs does... the settings interface for Safari is so poor on iOS that it's impossible to find out. I guess some jailbreaking geeks should know that ;D
-
http://www.h-online.com/security/news/item/Worth-Reading-Certificate-Request-Ask-Later-814307.html
-
'Iranian' attackers forge Google's Gmail credentials'
http://www.theregister.co.uk/2011/03/23/gmail_microsoft_web_credential_forgeries/
so this actually started on March 15, meaning that Google was the first and only one to react at the time.
-
SOPHOS: Fraudulent certificates issued by Comodo, is it time to rethink who we trust? (http://nakedsecurity.sophos.com/2011/03/24/fraudulent-certificates-issued-by-comodo-is-it-time-to-rethink-who-we-trust/)
'Iranian' attackers forge Google's Gmail credentials'
http://www.theregister.co.uk/2011/03/23/gmail_microsoft_web_credential_forgeries/
T3h noes, more paranoid blurb, futile attempts to avoid responsibility and mud flinging by Melih. Soooooo lame. ::)
-
like I said in a previous post, we might never know how it started. The Comodo guy didn't talk until someone from the Tor network (attacked too btw) found out about Comodo fraudulent certs.
-
off topic but interesting:
Facebook traffic mysteriously passes through Chinese ISP
http://www.theregister.co.uk/2011/03/23/facebook_traffic_china_telecom/
-
Why not take the Comodo issue directly to Comodo ???
It would be a lot nicer to do it directly on the Comodo forum (https://forums.comodo.com/ssl-certificate/comodo-issues-fraudulent-certificates-incl-mozilla-once-again-t70973.0.html). :0
Or are you afraid of the Comodo Dragon and would rather not post there ???
-
Why not take the Comodo issue directly to Comodo ???
Or are you afraid of the Comodo Dragon and would rather not post there ???
Because I already got banned there for posting about the issue? ::)
-
Bob the issue is:
1 solved now for us users, on most affected platforms
2 goes far beyond Comodo's scope of actions; the issue is global, and Comodo was just the button that had to be triggered. Doesn't mean that I trust their CEO's version of how it happened.
If serious action is ever taken against Comodo >>> MS + Google + Yahoo + Skype + Mozilla etc... will do that. It's pointless going to their forums to discuss the issue, while it remains interesting to comment it here.
-
goes far beyond Comodo's scope of actions; the issue is global, and Comodo was just the button that had to be triggered. Doesn't mean that I trust their CEO's version of how it happened.
Yeah that too. Plus the whole way this blunder has been kept secret for over a week has been completely stupid in the first place. There were easy actions to remedy the situation meanwhile by disabling Comodo's and their resellers' root certificates, on the other hand - I totally fail to see who benefited from non-disclosure (beyond the fraud guys). Certainly not users. This completely evades me. FAIL. :-X >:(
-
Because I already got banned there for posting about the issue? ::)
You've got banned because your posts intuito personae against Melih.
We have a problem, a situation.
You can post very hard without getting banned.
As solution, Firefox 4 and IE 9 are protected by default.
IE8 users should change manually a setting.
In any case, update Windows.
Hopefully this causes the industry players to audit not only their own security systems and policies, but those of their trusted partners as well. As the problem of transitive trust remains inherent in the PKI, it's about every link in the chain, not just your own.
http://nakedsecurity.sophos.com/2011/03/24/fraudulent-certificates-issued-by-comodo-is-it-time-to-rethink-who-we-trust/
-
goes far beyond Comodo's scope of actions; the issue is global, and Comodo was just the button that had to be triggered.
+1
There were easy actions to remedy the situation meanwhile by disabling Comodo's and their resellers' root certificates, on the other hand - I totally fail to see who benefited from non-disclosure (beyond the fraud guys). Certainly not users. This completely evades me. FAIL. :-X >:(
+1
-
As solution, Firefox 4 and IE 9 are protected by default.
Sadly - nope, even with FF4, OSCP is still not set to consider the certificate invalid when it cannot contact the OSCP server by default. So, this can repeat any time again without users knowledge.
-
As solution, Firefox 4 and IE 9 are protected by default.
Sadly - nope, even with FF4, OSCP is still not set to consider the certificate invalid when it cannot contact the OSCP server by default. So, this can repeat any time again without users knowledge.
You're right. My fault. Users of Firefox 4 should do it manually.
-
As solution, Firefox 4 and IE 9 are protected by default.
Sadly - nope, even with FF4, OSCP is still not set to consider the certificate invalid when it cannot contact the OSCP server by default. So, this can repeat any time again without users knowledge.
You're right. My fault. Users of Firefox 4 should do it manually.
Tech,
There was a whole week that no one knew (almost no one) about the issue.
You can't protect against something you know nothing about.
-
well Google did ;D ... and so did the others, but just Google issued a revocation list through an update on Chrome beta on March 15. But yeah, noone really talked.
-
SSL meltdown: a cyber war attack?
http://www.h-online.com/security/news/item/SSL-meltdown-a-cyber-war-attack-1214104.html
-
There was a whole week that no one knew (almost no one) about the issue.
You can't protect against something you know nothing about.
Agree.
But Microsoft knows that: they've changed the default on IE9 for a reason.
Google seems to knew that.
And also Comodo...
And also Mozilla does not change the default on Firefox 4...
Is anybody thinking on users?
-
Is anybody thinking on users?
http://www.theregister.co.uk/2011/03/23/gmail_microsoft_web_credential_forgeries/page2.html
The decision by Google, Microsoft, Mozilla and Comodo to keep the world in the dark for eight days comes as a slap in the face to their users.
-
Is anybody thinking on users?
1/ Comodo? Gah, no way. They only care about $$$$$$$$$ revenue, they will be happy to issue anyone with a certificate and even put that on their trusted vendors list as a bonus. Enjoy signing your malware and have it run nicely on systems "protected" by CIS.
2/ Mozilla? Nope, not really. I suspect they get money for including CAs into their browser. CACert.org - still not added despite requested and after years of users complaining. CNNIC (controlled directly by Chinese govt.) got there pretty much silently and after a huge outrage it's still there and no action will be taken apparently. Comodo's root certificates still there despite the previous blunder, and don't hold your breath for them to disappear after this one either.
3/ MS? Hmmmm.... $$$$$$$$$. As long as it pisses off their corporate customers, they will care. Otherwise, meh.
::)
-
hmm... Comodo's becoming a net celebrity ;D
http://j.mp/e4Osq0
... may be not the way they expected ???
-
anyone knows how to import a CRL in Firefox? doesn't seem to work. There's no prompt to navigate in Windows when attempting to import and pasting the link manually doesn't have any effect...
ps: I know that OCSP validation + connection check is enough, but I still want to know why I cannot import a CRL...
-
It only takes URLs - try file://path/to/the/file.crl
-
It only takes URLs - try file://path/to/the/file.crl
oh okay thanks ;)
edit: okay worked ;)
-
okay there are tones of articles, this one - among others - sounds interesting:
http://arstechnica.com/security/news/2011/03/how-the-comodo-certificate-fraud-calls-ca-trust-into-question.ars
-
okay there are tones of articles, this one - among others - sounds interesting:
http://arstechnica.com/security/news/2011/03/how-the-comodo-certificate-fraud-calls-ca-trust-into-question.ars
Thanks Logos; very good article.
-
okay there are tones of articles, this one - among others - sounds interesting:
http://arstechnica.com/security/news/2011/03/how-the-comodo-certificate-fraud-calls-ca-trust-into-question.ars
Thanks Logos; very good article.
you're welcome :)
-
A very good article (http://"http://arstechnica.com/security/news/2011/03/how-the-comodo-certificate-fraud-calls-ca-trust-into-question.ars") explaining man-in-the-middle (MITM) attack, the failure of the Certificate Authorities (CAs) model and Comodo's colossal screw up.
The mathematics behind the authentication and encryption are pretty robust (at least given current knowledge), so those parts are reasonably safe. But an awful lot of trust is placed on those root CAs. If a root CA starts issuing certificates to people that it shouldn't—giving a hacker a certificate purporting to be [Mozilla, Microsoft, Google, Skype, Yahoo...], say—then the whole system collapses. The hacker can act as a man-in-the-middle and the client's Web browser will actually trust his certificate. No warning about self-signed certificates; everything will just work as if nothing were wrong.
And that's exactly what one of the root CAs, Comodo, has done. Nine times. A user account belonging to a Comodo "Trusted Partner" based in Southern Europe was hacked, and this hacked account was used to issue nine fraudulent certificates. [...] The hacked user account has been suspended, and the company has instituted "additional audits and controls" of an entirely unspecified nature.
Further detective work by Applebaum revealed that the blacklisted certificates were issued by Salt Lake City-based Comodo reseller UserTrust.
The chain of trust is broken [...] This is not the first time that a bogus certificate has been issued. Back in 2001, Verisign [...] [but] This attack was worse than those previous incidents, however. [...] A single hack of a CA, or coercion of a CA in an despotic regime, means that a malicious party can produce a certificate that essentially every device on the Internet will trust, allowing interception and eavesdropping of secure communications. [...] The current chain of trust concept is endemic, and the commercial nature of most root CAs means that they will apply pressure to keep the current system.
The centralized trust model doesn't work.
Thanks Logos for finding the article.
-
Seems addons for man-in-the-middle attacks.
SSL Guard (https://addons.mozilla.org/en-US/firefox/addon/sslguard/) (some comments are related to lack of browsing).
Certificate Patrol (https://addons.mozilla.org/en-US/firefox/addon/certificate-patrol/).
Can people help testing them?
-
I'll give a shot to certificate patrol, already saw it yesterday ;)
-
For Logos:
http://www.h-online.com/security/news/item/Tip-Activating-certificate-checks-in-Safari-1215476.html
:P
-
okay about Certificate Patrol: on the info side it doesn't bring anything more that what's already available from Firefox. Otherwise, there are options that should be able, if activated, to alert you on suspicious changes.
-
For Logos:
http://www.h-online.com/security/news/item/Tip-Activating-certificate-checks-in-Safari-1215476.html
:P
;D lol yeah I know, but I don't use Safari desktop at all, I just use the mobile version where there's no options at all :D see screen shot, add to that private data clearing, web site storage, and you've seen all safari settings on iPhone/iPod
edit: and no there is no security settings section in iOS
-
lol yeah I know, but I don't use Safari desktop at all, I just use the mobile version where there's no options at all :D see screen shot, add to that private data clearing, web site storage, and you've seen all safari settings on iPhone/iPod
edit: and no there is no security settings section in iOS
That is a grand fail. :( There's really no other browser for this thing?
-
lol yeah I know, but I don't use Safari desktop at all, I just use the mobile version where there's no options at all :D see screen shot, add to that private data clearing, web site storage, and you've seen all safari settings on iPhone/iPod
edit: and no there is no security settings section in iOS
That is a grand fail. :( There's really no other browser for this thing?
there's Opera mini, and it's crap, a stripped down version of Opera Mobile, lagging like hell. All the coding work is done at server level. Otherwise there's "Firefox home", just a oneway synced interface with FF4.
Okay basically Apple doesn't allow the installation of a full third party browser on iDevices. Meaning that due to Apple restrictions, full FF4 mobile for instance or Opera mobile will never be available on iPhone/iPod/iPad.
ps: and last but not least, when you install the stripped down versions I described, you get an alert from Apple warning you that you're installing software that may contain adult content ;D
sorry for the off topic guys ;)
-
Okay basically Apple doesn't allow the installation of a full third party browser on iDevices.
Edit: ROTFLMAO @ XXX warning. ;D
-
@doktornotor read my ps in the last post ;D
-
SSL Guard (https://addons.mozilla.org/en-US/firefox/addon/sslguard/) (some comments are related to lack of browsing).
Not compatible with Firefox 4.
Certificate Patrol (https://addons.mozilla.org/en-US/firefox/addon/certificate-patrol/).
Hmmm... Not sure if it is really working.
-
More related reading stuff...
Revocation doesn't work
http://www.imperialviolet.org/2011/03/18/revocation.html
You can configure Firefox to be strict about checking if you wish: security.OCSP.require in about:config
Fake SSL Certificate Incident Highlights Flaws in DNS: Comodo CEO
http://www.eweek.com/c/a/Security/Fake-SSL-Certificate-Incident-Highlights-Flaws-in-DNS-Comodo-CEO-440985/
Protect Safari from Fraudulent Digital Certificates
http://blog.intego.com/2011/03/24/protect-safari-from-fraudulent-digital-certificates/
-
Revocation doesn't work
http://www.imperialviolet.org/2011/03/18/revocation.html
Hmmm, so...
A much better solution would be for certificates to only be valid for a few days and to forget about revocation altogether. This doesn't mean that the private key needs to change every few days, just the certificate.
I find this idea plain ridiculous. Not really keen on calling my bank every X days to verify the certificate fingerprint. Uh. ::) ???
-
Hmmm, so...
The quoted part might be interesting to some. ;)
-
Comodo Certificate Issue – Follow Up
http://blog.mozilla.com/security/2011/03/25/comodo-certificate-issue-follow-up/
In hindsight, while it was made in good faith, this was the wrong decision. We should have informed web users more quickly about the threat and the potential mitigations as well as their side-effects.
-
Thanks Asyn, very good and serene reading.
-
yeah Asyn, that's interesting, proof that people, Mozilla here, won't take Comodo's explanations for granted and will keep investigating. I bet MS, Skype, Google and Yahoo are doing the same, the issue is too bad to be forgotten with a revocation list and a few patches, there's too much involved, global internet security and privacy are involved. Not even mentioning that on the legal side, there's probably an investigation going on at administration level in the US.
-
mozilla wiki - CA:Comodo Misissuance Response
https://wiki.mozilla.org/CA:Comodo_Misissuance_Response
-
Thanks Asyn, very good and serene reading.
NP, Tech. :)
-
comomod pasted this on there facebook page
http://pastebin.com/74KXCaEZ
-
comomod pasted this on there facebook page
http://pastebin.com/74KXCaEZ
also this:
http://forums.comodo.com/news-announcements-feedback-cis/cis-certifications-test-results-reviews-t61263.0.html;msg505376#msg505376
okay ... I'm not sure the second link has anything to do with this thread ;D
-
comomod pasted this on there facebook page
http://pastebin.com/74KXCaEZ
okay ... I'm not sure the second link has anything to do with this thread ;D
i thought it was talking about its ssl, but i didnt read all of it so it might not.
edited to remove non topic post.
-
comomod pasted this on there facebook page
http://pastebin.com/74KXCaEZ
also this:
http://forums.comodo.com/news-announcements-feedback-cis/cis-certifications-test-results-reviews-t61263.0.html;msg505376#msg505376
okay ... I'm not sure the second link has anything to do with this thread ;D
Comodo fanboy. ;)
-
http://www.h-online.com/security/news/item/Single-hacker-claims-responsibility-for-Comodo-certificate-theft-1216417.html (http://www.h-online.com/security/news/item/Single-hacker-claims-responsibility-for-Comodo-certificate-theft-1216417.html)
Hard to believe.
-
comomod pasted this on there facebook page
http://pastebin.com/74KXCaEZ
also this:
http://forums.comodo.com/news-announcements-feedback-cis/cis-certifications-test-results-reviews-t61263.0.html;msg505376#msg505376
okay ... I'm not sure the second link has anything to do with this thread ;D
Comodo fanboy. ;)
nah that was when i used comodo before switching to avast, though it still in my top 3 choices.
-
nah that was when i used comodo before switching to avast, though it still is my second favorite.
One more post and you can go to PROFILE then Modify Profile then Forum Profile Information then select your country in Please select your country: then update your Signature: with information like my signature as this helps the helpers offer pertinent advice. ;)
-
comomod pasted this on there facebook page
http://pastebin.com/74KXCaEZ
If you really believe that that letter comes from the actual hacker(s),
I have a bridge in Brooklyn I'd like to sell you. ;D
-
http://www.h-online.com/security/news/item/Single-hacker-claims-responsibility-for-Comodo-certificate-theft-1216417.html (http://www.h-online.com/security/news/item/Single-hacker-claims-responsibility-for-Comodo-certificate-theft-1216417.html)
Hard to believe.
Mikko made a good point here: https://twitter.com/mikkohypponen/status/52115796398321664
Do we really believe that a lone hacker gets into a CA, can generate any cert he wants..and goes after login.live.com instead of paypal.com?
-
Hard to believe.
Do we really believe that a lone hacker gets into a CA, can generate any cert he wants..and goes after login.live.com instead of paypal.com?
Well, as long as the private key matches... ::)
https://bugzilla.mozilla.org/show_bug.cgi?id=642395#c86
-
comomod pasted this on there facebook page
http://pastebin.com/74KXCaEZ
If you really believe that that letter comes from the actual hacker(s),
I have a bridge in Brooklyn I'd like to sell you. ;D
been looking for a bridge for a while ;D ...
... this said, the guy is being taken seriously, and he's been providing the corresponding private keys so. But this doesn't mean that noone else is involved.
@Asyn: this mikko on twitter didn't make any point, he just stated something.
-
@Asyn: this mikko on twitter didn't make any point, he just stated something.
Do you mean this was bad English..??
Btw, about this mikko: http://mikko.hypponen.com/
PS: After the hack, http://www.instantssl.it has just now returned online.
-
@Asyn: this mikko on twitter didn't make any point, he just stated something.
Do you mean this was bad English..??
Btw, about this mikko: http://mikko.hypponen.com/
PS: After the hack, http://www.instantssl.it has just now returned online.
what I mean is that he's just saying something without arguing ::) ... this is for the tweet. As to who he is or what he does, I had no idea, the tweets doesn't contain any link.
taken out of the context of a conversation probably on twitter, this doesn't mean much:
Do we really believe that a lone hacker gets into a CA, can generate any cert he wants..and goes after login.live.com instead of paypal.com?
-
As to who he is or what he does, I had no idea, the tweets doesn't contain any link.
Now you know him. ;)
http://mikko.hypponen.com/bio.htm
-
As to who he is or what he does, I had no idea, the tweets doesn't contain any link.
Now you know him. ;)
http://mikko.hypponen.com/bio.htm
oh isn't he that guy who use to race for McLaren ??? ... okay, now I remember him ;)
-
Comodo: two more resellers were compromised
https://groups.google.com/group/mozilla.dev.security.policy/msg/58aacd037258d3e4?pli=1
Two further RA accounts have since been compromised and had RA
privileges withdrawn. No further mis-issued certificates have
resulted from those compromises.
-
Comodo: two more resellers were compromised
https://groups.google.com/group/mozilla.dev.security.policy/msg/58aacd037258d3e4?pli=1
Two further RA accounts have since been compromised and had RA
privileges withdrawn. No further mis-issued certificates have
resulted from those compromises.
Too complex reading... Can anybody say what did really happen or is happening?
-
Too complex reading... Can anybody say what did really happen or is happening?
Too complex..??? ;)
Well, here's the short version: http://www.h-online.com/security/news/item/Comodo-two-more-resellers-were-compromised-1218517.html
-
Now it's better and in plain English :)
-
http://www.wilderssecurity.com/showthread.php?t=295617 seems to get pretty thorough updating.
-
Too complex reading... Can anybody say what did really happen or is happening?
Sure thing. Comodo sucks goats nuts... and more. ;D
-
lol ;D ;D ;D
-
Sorry if it was posted before...
But a serene and very good reading about what happened, what have been done, the responsibility of each part of the process.
http://samuelsidler.com/2011/03/28/timeline-of-comodo-certificate-compromise/
-
Sorry if it was posted before...
I like the timeline approach.
But it's not complete, newer info has been posted here already...
-
Technical reading for the weekend. ;)
https://datatracker.ietf.org/doc/draft-hallambaker-donotissue/?include_text=1
-
Well I find Outpost in many ways ahead to comodo. And how can comodo help me if a 21 years old boy from Iran hacked into its system and generated 4-5 Security Certificates ??
What is the minimum relationship between the Comodo firewall and the certificates issued?
This is just FUD.
-
What is the minimum relationship between the Comodo firewall and the certificates issued?
Hmmm... the TVL perhaps?
-
As a 21 years old boy can hack into their system with so ease I wonder if they can't defend their own system then how come mine??
They were using "gtadmin" (gt stands for Global Trust) as their username and the password was "globaltrust" isn't it a good joke for a company who is issuing a Security Public key and Private one also and uses such a weak username and password. Then how can I trust their firewall policies???
-
And ya as this is not a comodo forum or Outpost one so better leave this topic here only.
But comodo needs to grow more. Thanks for your support....
-
Hmmm... the TVL perhaps?
No, absolutely nothing.
As a 21 years old boy can hack into their system
Which system? The boy entered the certification and SSL system which does not belong only to Comodo.
Did you read the technical information about the subject?
I wonder if they can't defend their own system then how come mine??
It's not their system. It's your system. It's our Internet.
They were using "gtadmin" (gt stands for Global Trust) as their username and the password was "globaltrust" isn't it a good joke for a company who is issuing a Security Public key and Private one also and uses such a weak username and password.
A serious link reporting this issue, please.
Then how can I trust their firewall policies???
Which software will you trust then?
avast?
Are you sure avast didn't make any mistake in the past?
C'mon... Hint: statistics of the forum and date 3-12-09 will show you one trouble problem in our history...
-
Hmmm... the TVL perhaps?
No, absolutely nothing.
Really? Doing absolutely sloppy job with highly sensitive things such as RAs, how much work do you think goes into verification of so called "trusted" vendors hardcoded into CIS? Well, I can tell you - absolutely none. Pay for the certs and sign whatever you want, you will get on TVL as a bonus so that your malware installs cleanly without hassle for users. Quite a couple of threads about this on Comodo forums, incl. a trojan signed by fake Trend Micro cert. ::) >:(
-
Hmmm... the TVL perhaps?
No, absolutely nothing.
Really? Doing absolutely sloppy job with highly sensitive things such as RAs, how much work do you think goes into verification of so called "trusted" vendors hardcoded into CIS? Well, I can tell you - absolutely none. Pay for the certs and sign whatever you want, you will get on TVL as a bonus so that your malware installs cleanly without hassle for users. Quite a couple of threads about this on Comodo forums, incl. a trojan signed by fake Trend Micro cert. ::) >:(
+1 I already didn't trust Comodo anymore before that...this ssl disaster fits Comodo so well... ie I don't trust their "official" versions of what happened at all. I now would consider any of their product potentially malicious.
-
A serene and very good reading about what happened, what have been done, the responsibility of each part of the process.
http://samuelsidler.com/2011/03/28/timeline-of-comodo-certificate-compromise/
-
A serene and very good reading about what happened, what have been done, the responsibility of each part of the process.
http://samuelsidler.com/2011/03/28/timeline-of-comodo-certificate-compromise/
you know what Tech, that's off topic in this thread I know but the only "serene" reading I will have will be the reports of a probably underway FBI - or other relevant official administration - investigation. The issue is bad, really bad, and I'd be surprised if MS, yahoo and Google didn't file a complaint. A few million users + major actors on the Internet scene could have been badly compromised, and Comodo won't get away with it with a few declarations ;D
-
I will have will be the reports of a probably underway FBI - or other relevant official administration - investigation.
Let's FBI investigate all Microsoft, Adobe, Google, Firefox... vulnerabilities and bugs before...
-
I will have will be the reports of a probably underway FBI - or other relevant official administration - investigation.
Let's FBI investigate all Microsoft, Adobe, Google, Firefox... vulnerabilities and bugs before...
is that supposed to be funny or what? ... no, I think you were serious :D compare apples to apples, then come back to argue seriously ::)
-
Comodo already acknowledged the attack. Try to put the measures to hold it.
Browsers take days to get a solution.
If anything could be better is that we could have know before and nobody said...
Comodo is the victim, not the thieve.
Internet security was bypassed and dropped by a malicious action.
This is a security forum.
And a lot of you are on the hacker's side.
-
Comodo is the victim
... of their own sloppy security practices. They have been compromised back in 2008 and they have apparently learned no lessons at all, in fact it seems that they have gotten much worse since then.
-
And a lot of you are on the hacker's side.
???
-
And a lot of you are on the hacker's side.
???
Just see how Comodo is being talked about...
They did a mistake. Huge. But they're the victim. We are the victims.
Can't you read that?
-
... of their own sloppy security practices.
And do you have proves of that... I mean, particularly? Which are these "sloppy security practices" and why do you think that other CA do not follow exactly the same "sloppy security practices"?
What do you think about browser manufacturers delay on warning the public?
Is Microsoft also with this "sloppy security practices" when it releases an operational system with security holes?
Or Linux? Or Apple? Or any other security company?
They have been compromised back in 2008 and they have apparently learned no lessons at all, in fact it seems that they have gotten much worse since then.
Not really. And you know that. The new attack is different from the one on 2008 that was never repeated identically again. Can anybody guarantee the future? Is anybody untouchable? Maybe you can throw the first stone...
-
Just see how Comodo is being talked about...
They did a mistake. Huge. But they're the victim. We are the victims.
Can't you read that?
They are being talked about as they well deserve. Once again, I urge you to read the Mozilla mailing list debate about the 2008 compromise. So many assurances they will improve their policies and procedures. And what has happened? Three years later, no policies/procedures fixed, and instead of 1 RA now at least 3 got compromised. Hardcoding usernames/passwords in DLL, using a password that can be cracked in minutes via dictionary attack. Also, there are talks among people from the resellers branch that their API is in fact totally insecured and they could easily get whatever certificates they wanted.
I would suggest the Melih guy to focus less on pompous PR and crap like the "entrepreneur of the year" title, and get back to basics. And to get serious with security, instead of pretending to secure people just in order to earn money.
For me, Comodo and their RAs certificates should be kicked out from FF and from the Microsoft trusted store as well. Come back in 5-10 years and show us some substantial meat wrt how you have become serious about security. Comodo's today practises are a bad joke security wise. >:( :-X
-
We are the victims.
That's true. :(
-
Comodo's bound to disappear. That's a self-programmed process that started years ago. They had "brilliant" goals and they achieved none, apart may be from building the most laughable community on the Internet.
-
Comodo's bound to disappear. That's a self-programmed process that started years ago. They had "brilliant" goals and they achieved none, apart may be from building the most laughable community on the Internet.
This is another issue. That could be discussed.
But it is not on the origin and the valid arguments to take the hacker's side. Don't you think?
By the way, do you remember December 3, 2009?
-
u're on crack Tech? ;D
Read your own words ;D
oh that hurts ;D ...
-
By the way, do you remember December 3, 2009?
;)
-
Tech, nobody is on the hacker's side, here..!! ;)
-
Tech, nobody is on the hacker's side, here..!! ;)
Not "the" hacker's but the hackers' (plural).
-
Tech, nobody is on the hacker's side, here..!! ;)
forget it, he'll stop posting as soon as he understands that...( if he ever does) and we want to have fun don't we ;D
-
We want to have fun don't we ;D
Sure... Why not?
Fool each other and also have fun? Why not? ;D
-
Tech, nobody is on the hacker's side, here..!! ;)
Not "the" hacker's but the hackers' (plural).
Seems you're in a bad mood today..!?? :-X
-
By the way, do you remember December 3, 2009?
;)
Bump...
-
By the way, do you remember December 3, 2009?
;)
Bump...
okay come on that must be important you're posting that for the third time... alright what happened on dec 3 2009 ??? related to something I posted on Comodo forums? I really haven't got a clue...
-
Seems you're in a bad mood today..!?? :-X
No, I'm not. I'm not a bitter man or angry or fanboy or against-all-specially-this guy ... well, sometimes :)
okay come on that must be important you're posting that for the third time... alright what happened on dec 3 2009 ??? related to something I posted on Comodo forums? I really haven't got a clue...
Lol... Now I've laught :)
Hint... the end of http://forum.avast.com/index.php?action=forum page...
-
Most Online Today: 470. Most Online Ever: 2321 (December 03, 2009, 05:26:19 AM)
so what ??? how is that related to anything we're talking about now...
-
so what ??? how is that related to anything we're talking about now...
avast was in the center of a big ... mistake ... trouble ... :)
Everybody does mistakes and get in trouble...
I was here in December, 3 2009... I was one of the 2321 users online... And so were David, Bob... Maybe Polonus...
We all learn from that :)
-
You know, there is a huge difference between a genuine mistake and years and years of bad practices. If Avast had been like Comodo, they would have ended up as Spybot nowadays. ::)
-
oh okay... the FP disaster... I haven't been caught, explaining may be why I forgot that date ;D
hmm... tech this is no valid argument. That was a technical accident. Exactly the sort of technical accident that happens once in a while to all AV companies, to Symantec, AVG etc... noone ever thought that these companies would get wiped off the map for this...
And again, you're not comparing apples to apples, Comodo's ssl incident was not an accident.
-
avast update police was completely overwritten after that...
I think a security company learns... oh, man, it learns...
Was avast fault? Well... yes. Do they acknowledge? Of course! Did I lost my confidence on avast? No... not for a minute.
Search the forum for Win32:Delf-MZG keyword...
People lost data... money... time...
-
Comodo's ssl incident was not an accident.
They were attacked with a criminal action passive of judgment and jail called hacking.
Edited: typo.
-
They were attacked with a criminal action passive of judgment and jail called hackering.
Well, LOL. It's like blaming the thief when you left the doors and windows wide open. And again, they come with more promises, which will never get done. Like - two factor authentication and whatnot. I mean, OMG guys, you should have implemented two factor authentication years and years ago. One would reasonable expect that to be a required practice for things like root CA. There are a whole lot smaller and less serious operations that are using it. Or, well, better validation procedure. OH RLY? You have promissed that 3 years ago. Since then, nothing happened. Just lots of corporate blurb and no action done. FAIL.
-
By the way, do you remember December 3, 2009?
;)
But avast didn't try to blame Iran for its FP (assume this is what you mean) in the first instance did it ???
No it didn't they owned up to the problem and said exactly why it happened and put measures in place to try and prevent it happening again.
Hell they are meant to be a security company issuing security certificates, you think they would have measure in place to prevent these from being compromised.
-
Comodo's ssl incident was not an accident.
They were attacked with a criminal action passive of judgment and jail called hackering.
that's called "hacking" ;D ... whoever did it, that was done purposely, that's what I meant, that was no accident. Not much to do with Avast FP story.
-
Well, LOL. It's like blaming the thief when you left the doors and windows wide open.
No, not really. Other CAs take the same security measures.
Should you stay all the time with all your doors and windows closed? You need to take reasonable measures, extra ones... But, after all, you're not the thieve, or... maybe, are you?
And again, they come with more promises, which will never get done.
And why not?
Does all the security of all the world of all internet standards are just in one hand of the ... you-know-who's hand?
All the partners involved in the security depends, c'mon, of just a single CEO?
-
But avast didn't try to blame Iran for its FP
interesting ;D
-
But avast didn't try to blame Iran for its FP (assume this is what you mean) in the first instance did it ???
Comodo acknowledged the problem 15 minutes after it occurred and warned all the browser manufacturers.
They explain it as being from Iran government. You can trust it or not.
No it didn't they owned up to the problem and said exactly why it happened and put measures in place to try and prevent it happening again.
The events timeline: http://samuelsidler.com/2011/03/28/timeline-of-comodo-certificate-compromise/
Don't they put an effort to solve it?
-
Solving it isn't quite the same as having the protection in place to start with, closing the stable door.
-
Comodo acknowledged the problem 15 minutes after it occurred and warned all the browser manufacturers.
sorry tech as far as I know, well from what I read a few times, Comodo did acknowledge the issue after someone from the TOR network (put at risk in Iran at the same period of time btw) found out about the fake certificates. The guy contacted Comodo immediately and then Comodo reacted. Meaning that they reacted as soon as the issue was about to be made public. The 15 minutes timing is questionable ;D
-
Well, LOL. It's like blaming the thief when you left the doors and windows wide open.
No, not really. Other CAs take the same security measures.
Oh really? So other CAs also hardcode their credentials into a DLL? ::) ;D
-
well from what I read a few times, Comodo did acknowledge the issue after someone from the TOR network (put at risk in Iran at the same period of time btw) found out about the fake certificates.
But that guy found out about the certificates from browser updates, right? (i.e. the companies must have already been notified)
I'm wondering... is this thread really still on topic? ::)
-
off topic: :D poor Ashish Singh, what we've done with his thread... I suggest that all Comodo ssl related posts would be moved to the already existent thread here: http://forum.avast.com/index.php?topic=74516.msg617347#msg617347
-
I'm wondering... is this thread really still on topic? ::)
It isn't. ;)
But it would be here: http://forum.avast.com/index.php?topic=74516.0
-
I suggest that all Comodo ssl related posts would be moved to the already existent thread here: http://forum.avast.com/index.php?topic=74516.msg617347#msg617347
I second that request, but unfortunately I yet have to see a single thread getting split/merged here.
-
well from what I read a few times, Comodo did acknowledge the issue after someone from the TOR network (put at risk in Iran at the same period of time btw) found out about the fake certificates.
But that guy found out about the certificates from browser updates, right? (i.e. the companies must have already been notified)
I have to find the articles again... if that's the case... and you might well be right... I'd withdraw this argument... partially ;) ... but one thing is sure, he contacted Comodo and that's exactly when Comodo made the issue public...
-
I suggest that all Comodo ssl related posts would be moved to the already existent thread here: http://forum.avast.com/index.php?topic=74516.msg617347#msg617347
I second that request, but unfortunately I yet have to see a single thread getting split/merged here.
surprise ;D
-
I second that request, but unfortunately I yet have to see a single thread getting split/merged here.
Great. Igor did it. :)
Thanks,
asyn
-
surprise ;D
:o :o :o
BTW, here is the article to save your time: https://blog.torproject.org/blog/detecting-certificate-authority-compromises-and-web-browser-collusion
-
I have to repost the link for the weekend, though.
Technical reading for the weekend. ;)
https://datatracker.ietf.org/doc/draft-hallambaker-donotissue/?include_text=1
-
Btw, slightly off (this) topic, but do you remember even VeriSign issued certificates in the name of Microsoft - to somebody who wasn't Microsoft?
OK, it probably wasn't a hack, but rather social engineering... but the point is that things like that happened, happen... and will happen.
There's a number of certificate-stealing malware out there... so it's probably only a matter of time till we see an abused high-profile certificate; whether the CA was hacked, or the certificate owner, won't matter much for the end user.
-
@Igor ...just for info
http://arstechnica.com/security/news/2011/03/how-the-comodo-certificate-fraud-calls-ca-trust-into-question.ars/2
http://www.freedom-to-tinker.com/blog/sjs/web-browsers-and-comodo-disclose-successful-certificate-authority-attack-perhaps-iran
https://blog.torproject.org/blog/detecting-certificate-authority-compromises-and-web-browser-collusion
-
surprise ;D
:o :o :o
BTW, here is the article to save your time: https://blog.torproject.org/blog/detecting-certificate-authority-compromises-and-web-browser-collusion
lol I just posted that link ;D (post above)
-
...but the point is that things like that happened, happen... and will happen.
That's why we try to stop it, igor. ;)
https://wiki.mozilla.org/CA:Comodo_Misissuance_Response
-
again, why didn't Comodo talk publicly before they got contacted by Appelbaum ??? ... Google didn't talk either when patching Chrome "silently", then there's been a whole week while Mozilla was aware of the issue, didn't talk either (for security concerns they say...and I believe them... don't ask why I just trust Mozilla) and finally patched FF 3.6 and 4.0 Patch is a big word, as I haven't seen any CRL imported through an update, just an extra OCSP setting checked, that wasn't checked by default before that. MS didn't talk either.
Could be that Comodo kept the issue secret for a week for security concerns as well, ie until they got contacted by the Tor dev, meaning that they then didn't have any other choice but disclose everything. I'd just like to be sure that they kept the secret for security concerns, and nothing else.... I have no idea how MS Google Yahoo Mozilla and Skype got alerted, by Comodo or not? if so, when? the precise date matters.
-
Patch is a big word, as I haven't seen any CRL imported through an update, just an extra OCSP setting checked, that wasn't checked by default before that. MS didn't talk either.
Well, they have hard-blacklisted the certificates in NSS library. The OSCP settings still sadly remain unchanged and this basically useless by default.
As for the delayed publication, Mozilla publicly acknowledged this was a mistake.
-
This is the most intriguing part of the story... The silence...
Should the users be alerted? Google took few days, Mozilla a little more, Microsoft a week, Apple more than a week...
And the users... nothing :'(
-
As for the delayed publication, Mozilla publicly acknowledged this was a mistake.
Yep. :)
http://forum.avast.com/index.php?topic=74516.msg618955#msg618955
-
again I'd like to know if MS+Google+Yahoo+Mozilla+Skype
1 got alerted by users that got re-routed to fake sites and complained
2 got alerted technically by observing the traffic (somehow ???)
3 or got alerted by Comodo
I may have missed the info... don't know if this was mentioned. I haven't read the articles I mentioned here entirely. Gotta do that, that's like a thriller somehow 8)
-
Got alerted by Comodo.
-
Got alerted by Comodo.
link?
-
link?
https://bugzilla.mozilla.org/show_bug.cgi?id=642395#c0
-
link?
https://bugzilla.mozilla.org/show_bug.cgi?id=642395#c0
okay thx
-
http://news.cnet.com/8301-31921_3-20050255-281.html
Ideas from that:
There is no automated process to revoke fraudulent certificates.
There is no public list of certificates that companies have issued, or even which of its resellers or partners have been given a duplicate set of the master keys.
There are no mechanisms to prevent fraudulent certificates from being issued by compromised companies, or repressive regimes bent on surveillance, some of which have their own certificate authorities.
-
They were attacked with a criminal action passive of judgment and jail called hacking.
FBI and Italian police are investigating.
http://news.cnet.com/8301-31921_3-20048525-281.html
-
Tech,
Why aren't you posting this on the Comodo Forum which are the folks that
are directly effected by all of this ?
-
Tech,
Why aren't you posting this on the Comodo Forum which are the folks that
are directly effected by all of this ?
You also could do that, Bob. ;)
-
Why would I ???
-
They were attacked with a criminal action passive of judgment and jail called hacking.
FBI and Italian police are investigating.
http://news.cnet.com/8301-31921_3-20048525-281.html
okay thanks for the heads up, I've been expecting that for a little while.
-
Why would I ???
Why should he...?? ;)
-
Because it concerns Comodo and it's his discovered link not mine.
I think Tech can answer for himself. ;)
-
I think Tech can answer for himself. ;)
You're right..!
Sorry. :-X
-
I think Tech can answer for himself. ;)
You're right..!
Sorry. :-X
Crying is not good for your complexion.... :)
-
I think Tech can answer for himself. ;)
You're right..!
Sorry. :-X
Crying is not good for your complexion.... :)
Time to get new glasses, Bob. ;)
-
Tech,
Why aren't you posting this on the Comodo Forum which are the folks that are directly effected by all of this ?
Most of the links are posted there before than here.
I'm just posting there IF it was not posted before.
-
yeah, and personally, I prefer to read about it here than.. there ;)