Technical

[doktornotor]

This issue was reported to us by the Comodo Group, Inc., the certificate authority responsible for issuing the fraudulent certificates.

Oh, what a surprise. We've been discussing this a couple of days ago wrt CIS vendor whitelists, haven't we?  

Comodo vs Mozilla 2008 story (also here).

Oh, and on a preventive note: How to disable the Comodo reseller root certificate in Firefox. (For IE and Chrome, certmgr.msc MMC snap-in is your friend.  )

[Asyn]

This issue was reported to us by the Comodo Group, Inc., the certificate authority responsible for issuing the fraudulent certificates.

Oh, what a surprise. We've been discussing this a couple of days ago wrt CIS vendor whitelists, haven't we?  

Yes, you a right, doc..!! It's really a big surprise.

[bob3160]

Isn't "Trust" what Comodo sells

[Asyn]

Isn't "Trust" what Comodo sells

Bad job then.

[doktornotor]

Isn't "Trust" what Comodo sells

Let's have some phun: Comodo issues fraudulent certificates (incl. Mozilla) once again @ Comodo forums. Wondering how long will the thread last.  

EDIT: Thread moved to Policy Violations forum after banning me (Requires registation @ Melih's hunted by Iran government forums )

[Asyn]

Wondering how long will the thread last.  

I wonder, too.
You may add this, if you like...

SSL meltdown forces browser developers to update
http://www.h-online.com/security/news/item/SSL-meltdown-forces-browser-developers-to-update-1213358.html

[doktornotor]

SSL meltdown forces browser developers to update
http://www.h-online.com/security/news/item/SSL-meltdown-forces-browser-developers-to-update-1213358.html

Thanks. Couldn't agree more with this:

The incident is further proof that the entire concept of SSL and of users' trust in the Certificate Authorities are standing on feet of clay. After all, a certificate is also considered trustworthy even if it is issued by a CA reseller based in a country to which users probably wouldn't even go on holiday for security reasons. And the promised technologies don't even work when a compromised certificate is made public. It is time to come up with a new concept – and "EV-SSL" certificates, at least, should not be a part of it.

[Asyn]

NP, doc..!!
Now, let's sit and wait for the replies.

[doktornotor]

NP, doc..!!
Now, let's sit and wait for the replies.

Looks like the Comodo morons also issued a fraudulent certificate for login.live.com (Windows Live ID), not just addons.mozilla.org  

Microsoft Releases Security Advisory 2524375

Today we're releasing Security Advisory 2524375, to address nine fraudulent digital certificates issued by Comodo Group Inc, a root certificate authority. Comodo has since revoked the digital certificates. This is not a Microsoft security vulnerability; however, one of the certificates potentially affects Windows Live ID users via login.live.com. These certificates may be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against end users. We are unaware of any active attacks.

Wow, and login.skype.com, login.yahoo.com and www.google.com and mail.google.com - just excellent.

Already got KB2524375 via Windows Update.

[doktornotor]

Ok, guys, now it's official, no sloppy job or anything, instead - Iran has attacked Melih and Comodo!!!!.

Who is attacking it?
We believe these are “politically motivated”, “state driven/funded” attacks.

Why do we think these are state driven/funded?
Well, one of the origin of the attack that we experienced is from Iran, what is being obtained would enable the perpetrator to intercept web based email/communication and the only way this could be done is if the perpetrator had access to the Country’s DNS infrastructure (and we believe it might be the case here). Of course this is our interpretation of the situation.

First time we are seeing a “state funded” attack against the “Authentication” infrastructure. The Threat Model is changing and Comodo had already initiated a proposal for new standards in 2010 which would help mitigate some of these attacks. We will make sure to double our efforts in getting industry wide acceptance to these much needed standards so that we can continue to defend our security and freedom.

 

P.S. Mozilla Bug 642395 - Deal with bogus certs issued by Comodo partner

[doktornotor]

Let's have some phun: Comodo issues fraudulent certificates (incl. Mozilla) once again @ Comodo forums. Wondering how long will the thread last.  

Did not last long:

An Error Has Occurred!
Sorry doktornotor, you are banned from using this forum!
Forum Policy Violation

P.S. Thread moved here: (requires registration). Well whatever - here's the sequel for you. Bye bye Comodo. Sincerely yours, Comodo's Hero.  

[YoKenny]

Let's have some phun: Comodo issues fraudulent certificates (incl. Mozilla) once again @ Comodo forums. Wondering how long will the thread last.  

Did not last long:

An Error Has Occurred!
Sorry doktornotor, you are banned from using this forum!
Forum Policy Violation

P.S. Thread moved here: (requires registration). Well whatever - here's the sequel for you. Bye bye Comodo. Sincerely yours, Comodo's Hero.  

Comodo's Melih does not like critics. 

[bob3160]

https://forums.comodo.com/ssl-certificate/comodo-issues-fraudulent-google-microsoft-mozilla-skype-yahoo-certificates-t70990.0.html

[doktornotor]

https://forums.comodo.com/ssl-certificate/comodo-issues-fraudulent-google-microsoft-mozilla-skype-yahoo-certificates-t70990.0.html

Haha... Well, as I said on the original thread - their image cannot be harmed much more no matter how much their censored the forums...

Oh, and remember, Iran government is going after them! 

[Lisandro]

I've started the discussion in a neutral field.
http://www.wilderssecurity.com/showthread.php?p=1847026#post1847026