Comodo - SSL issues

[DavidR]

By the way, do you remember December 3, 2009?

But avast didn't try to blame Iran for its FP (assume this is what you mean) in the first instance did it
No it didn't they owned up to the problem and said exactly why it happened and put measures in place to try and prevent it happening again.

Hell they are meant to be a security company issuing security certificates, you think they would have measure in place to prevent these from being compromised.

[Hermite15]

Comodo's ssl incident was not an accident.

They were attacked with a criminal action passive of judgment and jail called hackering.

that's called "hacking"   ... whoever did it, that was done purposely, that's what I meant, that was no accident. Not much to do with Avast FP story.

[Lisandro]

Well, LOL. It's like blaming the thief when you left the doors and windows wide open.

No, not really. Other CAs take the same security measures.
Should you stay all the time with all your doors and windows closed? You need to take reasonable measures, extra ones... But, after all, you're not the thieve, or... maybe, are you?

And again, they come with more promises, which will never get done.

And why not?
Does all the security of all the world of all internet standards are just in one hand of the ... you-know-who's hand?
All the partners involved in the security depends, c'mon, of just a single CEO?

[Hermite15]

But avast didn't try to blame Iran for its FP

interesting

[Lisandro]

But avast didn't try to blame Iran for its FP (assume this is what you mean) in the first instance did it

Comodo acknowledged the problem 15 minutes after it occurred and warned all the browser manufacturers.
They explain it as being from Iran government. You can trust it or not.

No it didn't they owned up to the problem and said exactly why it happened and put measures in place to try and prevent it happening again.

The events timeline: http://samuelsidler.com/2011/03/28/timeline-of-comodo-certificate-compromise/
Don't they put an effort to solve it?

[DavidR]

Solving it isn't quite the same as having the protection in place to start with, closing the stable door.

[Hermite15]

Comodo acknowledged the problem 15 minutes after it occurred and warned all the browser manufacturers.

sorry tech as far as I know, well from what I read a few times, Comodo did acknowledge the issue after someone from the TOR network (put at risk in Iran at the same period of time btw) found out about the fake certificates. The guy contacted Comodo immediately and then Comodo reacted. Meaning that they reacted as soon as the issue was about to be made public. The 15 minutes timing is questionable

[doktornotor]

Well, LOL. It's like blaming the thief when you left the doors and windows wide open.

No, not really. Other CAs take the same security measures.

Oh really? So other CAs also hardcode their credentials into a DLL?   

[igor]

well from what I read a few times, Comodo did acknowledge the issue after someone from the TOR network (put at risk in Iran at the same period of time btw) found out about the fake certificates.

But that guy found out about the certificates from browser updates, right? (i.e. the companies must have already been notified)


I'm wondering... is this thread really still on topic?

[Hermite15]

off topic: poor Ashish Singh, what we've done with his thread... I suggest that all Comodo ssl related posts would be moved to the already existent thread here: http://forum.avast.com/index.php?topic=74516.msg617347#msg617347

[Asyn]

I'm wondering... is this thread really still on topic?

It isn't.
But it would be here: http://forum.avast.com/index.php?topic=74516.0

[doktornotor]

I suggest that all Comodo ssl related posts would be moved to the already existent thread here: http://forum.avast.com/index.php?topic=74516.msg617347#msg617347

I second that request, but unfortunately I yet have to see a single thread getting split/merged here.

[Hermite15]

well from what I read a few times, Comodo did acknowledge the issue after someone from the TOR network (put at risk in Iran at the same period of time btw) found out about the fake certificates.

But that guy found out about the certificates from browser updates, right? (i.e. the companies must have already been notified)

 I have to find the articles again... if that's the case... and you might well be right... I'd withdraw this argument... partially ... but one thing is sure, he contacted Comodo and that's exactly when Comodo made the issue public...

[Hermite15]

I suggest that all Comodo ssl related posts would be moved to the already existent thread here: http://forum.avast.com/index.php?topic=74516.msg617347#msg617347

I second that request, but unfortunately I yet have to see a single thread getting split/merged here.

surprise

[Asyn]

I second that request, but unfortunately I yet have to see a single thread getting split/merged here.

Great. Igor did it.
Thanks,
asyn