Author Topic: Comodo - SSL issues  (Read 83581 times)


Offline Lisandro

Re: Comodo - SSL issues
« Reply #45 on: March 24, 2011, 02:03:49 PM »
Is anybody thinking of users?
http://www.theregister.co.uk/2011/03/23/gmail_microsoft_web_credential_forgeries/page2.html
Quote
The decision by Google, Microsoft, Mozilla and Comodo to keep the world in the dark for eight days comes as a slap in the face to their users.
The best things in life are free.

doktornotor

Re: Comodo - SSL issues
« Reply #46 on: March 24, 2011, 02:07:21 PM »
Quote
Is anybody thinking of users?

1/ Comodo? Gah, no way. They only care about $$$$$$$$$ revenue, they will be happy to issue anyone with a certificate and even put that on their trusted vendors list as a bonus. Enjoy signing your malware and have it run nicely on systems "protected" by CIS.

2/ Mozilla? Nope, not really. I suspect they get money for including CAs into their browser. CACert.org - still not added despite requested and after years of users complaining. CNNIC (controlled directly by Chinese govt.) got there pretty much silently and after a huge outrage it's still there and no action will be taken apparently. Comodo's root certificates still there despite the previous blunder, and don't hold your breath for them to disappear after this one either.

3/ MS? Hmmmm.... $$$$$$$$$. As long as it pisses off their corporate customers, they will care. Otherwise, meh.

 ::)

Hermite15

Re: Comodo - SSL issues
« Reply #47 on: March 24, 2011, 04:33:33 PM »
hmm... Comodo's becoming a net celebrity ;D
http://j.mp/e4Osq0

... maybe not the way they expected ???

Hermite15

Re: Comodo - SSL issues
« Reply #48 on: March 24, 2011, 05:26:18 PM »
Does anyone know how to import a CRL in Firefox? It doesn't seem to work. There's no prompt to navigate in Windows when attempting to import, and pasting the link manually doesn't have any effect...

ps: I know that OCSP validation + connection check is enough, but I still want to know why I cannot import a CRL...

doktornotor

Re: Comodo - SSL issues
« Reply #49 on: March 25, 2011, 09:32:03 AM »
It only takes URLs - try file://path/to/the/file.crl

Hermite15

Re: Comodo - SSL issues
« Reply #50 on: March 25, 2011, 10:10:45 AM »
Quote
It only takes URLs - try file://path/to/the/file.crl

oh okay thanks ;)

edit: okay worked ;)
« Last Edit: March 25, 2011, 10:14:24 AM by Logos »

Hermite15

Re: Comodo - SSL issues
« Reply #51 on: March 25, 2011, 11:12:00 AM »
okay there are tons of articles; this one - among others - sounds interesting:
http://arstechnica.com/security/news/2011/03/how-the-comodo-certificate-fraud-calls-ca-trust-into-question.ars

sded

Re: Comodo - SSL issues
« Reply #52 on: March 25, 2011, 01:28:49 PM »
Quote
okay there are tons of articles; this one - among others - sounds interesting:
http://arstechnica.com/security/news/2011/03/how-the-comodo-certificate-fraud-calls-ca-trust-into-question.ars
Thanks Logos; very good article.

Hermite15

Re: Comodo - SSL issues
« Reply #53 on: March 25, 2011, 01:46:36 PM »

Offline Lisandro

Re: Comodo - SSL issues
« Reply #54 on: March 25, 2011, 02:03:34 PM »
A very good article explaining man-in-the-middle (MITM) attacks, the failure of the Certificate Authorities (CAs) model and Comodo's colossal screw-up.

Quote
The mathematics behind the authentication and encryption are pretty robust (at least given current knowledge), so those parts are reasonably safe. But an awful lot of trust is placed on those root CAs. If a root CA starts issuing certificates to people that it shouldn't—giving a hacker a certificate purporting to be [Mozilla, Microsoft, Google, Skype, Yahoo...], say—then the whole system collapses. The hacker can act as a man-in-the-middle and the client's Web browser will actually trust his certificate. No warning about self-signed certificates; everything will just work as if nothing were wrong.

Quote
And that's exactly what one of the root CAs, Comodo, has done. Nine times. A user account belonging to a Comodo "Trusted Partner" based in Southern Europe was hacked, and this hacked account was used to issue nine fraudulent certificates. [...] The hacked user account has been suspended, and the company has instituted "additional audits and controls" of an entirely unspecified nature.

Quote
Further detective work by Applebaum revealed that the blacklisted certificates were issued by Salt Lake City-based Comodo reseller UserTrust.

Quote
The chain of trust is broken [...] This is not the first time that a bogus certificate has been issued. Back in 2001, Verisign [...] [but] This attack was worse than those previous incidents, however. [...] A single hack of a CA, or coercion of a CA in a despotic regime, means that a malicious party can produce a certificate that essentially every device on the Internet will trust, allowing interception and eavesdropping of secure communications. [...] The current chain of trust concept is endemic, and the commercial nature of most root CAs means that they will apply pressure to keep the current system.

Quote
The centralized trust model doesn't work.

Thanks Logos for finding the article.
The best things in life are free.

Offline Lisandro

Re: Comodo - SSL issues
« Reply #55 on: March 25, 2011, 04:07:05 PM »
These seem to be add-ons for man-in-the-middle attacks.

SSL Guard (some comments are related to lack of browsing).
Certificate Patrol.

Can people help test them?
The best things in life are free.

Hermite15

Re: Comodo - SSL issues
« Reply #56 on: March 25, 2011, 04:56:19 PM »
I'll give a shot to certificate patrol, already saw it yesterday ;)

doktornotor


Hermite15

Re: Comodo - SSL issues
« Reply #58 on: March 25, 2011, 05:11:02 PM »
okay about Certificate Patrol: on the info side it doesn't bring anything more than what's already available from Firefox. Otherwise, there are options that should be able, if activated, to alert you on suspicious changes.
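The Ars Technica excerpt quoted earlier in the thread makes the point that a fraudulently issued certificate chained to a trusted root produces no browser warning at all, and Certificate Patrol's answer is to remember the certificate a site last presented and flag suspicious changes. The Python script below is an added example written for this thread, not Certificate Patrol's code: it pins a host's certificate on first sight and grades later changes the way such an add-on does, treating a replacement shortly before expiry by the same issuer as routine renewal and an early swap to a different issuer as suspicious. The host, issuer names and the byte strings standing in for DER certificates are constructed placeholders, and `RENEWAL_WINDOW` is an assumed threshold.

```python
"""Certificate-change detection in the spirit of Certificate Patrol (added example)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed threshold: a replacement this close to expiry is treated as routine renewal.
RENEWAL_WINDOW = timedelta(days=30)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, the value browsers show in the cert viewer."""
    return hashlib.sha256(der).hexdigest()


@dataclass(frozen=True)
class CertObservation:
    """The fields a browser add-on can read from the certificate a host just presented."""
    host: str
    fingerprint: str
    issuer: str
    not_before: datetime
    not_after: datetime


class PinStore:
    """Remembers the last accepted certificate per host (trust on first use) and grades each change."""

    def __init__(self) -> None:
        self._pins: dict[str, CertObservation] = {}

    def pinned(self, host: str) -> CertObservation | None:
        return self._pins.get(host)

    def check(self, obs: CertObservation, now: datetime) -> tuple[str, list[str]]:
        """Return a verdict ('new', 'unchanged', 'rotated', 'suspicious') and the reasons behind it."""
        old = self._pins.get(obs.host)
        if old is None:
            self._pins[obs.host] = obs
            return "new", ["first sighting of this host; certificate pinned"]
        if old.fingerprint == obs.fingerprint:
            return "unchanged", []

        # The certificate changed. A valid CA signature proves nothing here (that is exactly the
        # failure this thread is about), so judge the change against what the old pin tells us.
        reasons: list[str] = []
        time_left = old.not_after - now
        if time_left > RENEWAL_WINDOW:
            reasons.append(f"previous certificate was still valid for {time_left.days} more days")
        if old.issuer != obs.issuer:
            reasons.append(f"issuer changed from {old.issuer!r} to {obs.issuer!r}")
        if not (obs.not_before <= now <= obs.not_after):
            reasons.append("new certificate is outside its own validity period")

        if reasons:
            # Keep the old pin so the next visit is still compared against the known-good certificate.
            return "suspicious", reasons
        self._pins[obs.host] = obs
        return "rotated", ["same issuer, replaced shortly before expiry; pin updated"]


def run_demo() -> list[str]:
    """Replay a constructed sequence of sightings for one host and return the verdicts in order."""
    store = PinStore()
    now = datetime(2011, 3, 25)
    issuer = "C=US, O=Example CA"  # constructed issuer name
    # The byte strings stand in for DER certificates; real ones would be hashed the same way.
    good = CertObservation("mail.example.com", fingerprint(b"constructed-cert-A"), issuer,
                           datetime(2010, 4, 1), datetime(2011, 4, 1))
    forged = CertObservation("mail.example.com", fingerprint(b"constructed-cert-B"),
                             "C=XX, O=Other Reseller", datetime(2011, 3, 15), datetime(2012, 3, 15))
    renewed = CertObservation("mail.example.com", fingerprint(b"constructed-cert-C"), issuer,
                              datetime(2011, 3, 20), datetime(2012, 3, 20))
    verdicts = []
    for obs in (good, good, forged, good, renewed):
        verdict, reasons = store.check(obs, now)
        verdicts.append(verdict)
        detail = f" ({'; '.join(reasons)})" if reasons else ""
        print(f"{obs.host}: {verdict}{detail}")
    return verdicts


if __name__ == "__main__":
    run_demo()
```

Running the script replays five sightings of one host: the first pins the certificate, the repeat is unchanged, the swap to a different issuer is flagged as suspicious and does not replace the pin (so the following sighting of the original certificate is still reported as unchanged), and the renewal a week before expiry by the same issuer is accepted as a rotation. A real add-on would also compare the subject and the key, but the point here is that the decision rests on history the user's browser has seen, not on whether some CA signed the certificate.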

Hermite15

Re: Comodo - SSL issues
« Reply #59 on: March 25, 2011, 05:17:36 PM »
For Logos:
http://www.h-online.com/security/news/item/Tip-Activating-certificate-checks-in-Safari-1215476.html

 :P

 ;D lol yeah I know, but I don't use Safari desktop at all, I just use the mobile version where there are no options at all :D see screenshot; add to that private data clearing and web site storage, and you've seen all Safari settings on iPhone/iPod

edit: and no there is no security settings section in iOS
« Last Edit: March 25, 2011, 05:22:08 PM by Logos »