Author Topic: Comodo - SSL issues  (Read 83172 times)

0 Members and 1 Guest are viewing this topic.

doktornotor

  • Guest
Re: Comodo - SSL issues
« Reply #30 on: March 24, 2011, 11:48:48 AM »
SOPHOS: Fraudulent certificates issued by Comodo, is it time to rethink who we trust?


'Iranian' attackers forge Google's Gmail credentials'
http://www.theregister.co.uk/2011/03/23/gmail_microsoft_web_credential_forgeries/

T3h noes, more paranoid blurb, futile attempts to avoid responsibility and mud flinging by Melih. Soooooo lame.  ::)
« Last Edit: March 24, 2011, 11:52:16 AM by doktornotor »

Hermite15

  • Guest
Re: Comodo - SSL issues
« Reply #31 on: March 24, 2011, 12:04:50 PM »
like I said in a previous post, we might never know how it started. The Comodo guy didn't talk until someone from the Tor network (attacked too btw) found out about Comodo fraudulent certs.

Hermite15

  • Guest
Re: Comodo - SSL issues
« Reply #32 on: March 24, 2011, 12:09:51 PM »
off topic but interesting:
Quote
Facebook traffic mysteriously passes through Chinese ISP
http://www.theregister.co.uk/2011/03/23/facebook_traffic_china_telecom/

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48523
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Comodo - SSL issues
« Reply #33 on: March 24, 2011, 12:37:44 PM »
Why not take the Comodo issue directly to Comodo ???
It would be a lot nicer to do it directly on the Comodo forum. :0
Or are you afraid of the Comodo Dragon and would rather not post there  ???
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

doktornotor

  • Guest
Re: Comodo - SSL issues
« Reply #34 on: March 24, 2011, 12:40:40 PM »
Why not take the Comodo issue directly to Comodo ???
Or are you afraid of the Comodo Dragon and would rather not post there  ???

Because I already got banned there for posting about the issue?  ::)

Hermite15

  • Guest
Re: Comodo - SSL issues
« Reply #35 on: March 24, 2011, 12:44:02 PM »
Bob the issue is:

1 solved now for us users, on most affected platforms
2 goes far beyond Comodo's scope of actions; the issue is global, and Comodo was just the button that had to be triggered. Doesn't mean that I trust their CEO's version of how it happened.

If serious action is ever taken against Comodo >>> MS + Google + Yahoo + Skype + Mozilla etc... will do that. It's pointless going to their forums to discuss the issue, while it remains interesting to comment it here.
« Last Edit: March 24, 2011, 12:46:06 PM by Logos »

doktornotor

  • Guest
Re: Comodo - SSL issues
« Reply #36 on: March 24, 2011, 12:52:25 PM »
goes far beyond Comodo's scope of actions; the issue is global, and Comodo was just the button that had to be triggered. Doesn't mean that I trust their CEO's version of how it happened.

Yeah that too. Plus the whole way this blunder has been kept secret for over a week has been completely stupid in the first place. There were easy actions to remedy the situation meanwhile by disabling Comodo's and their resellers' root certificates, on the other hand - I totally fail to see who benefited from non-disclosure (beyond the fraud guys). Certainly not users. This completely evades me. FAIL.  :-X >:(

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Comodo - SSL issues
« Reply #37 on: March 24, 2011, 01:11:28 PM »
Because I already got banned there for posting about the issue?  ::)
You've got banned because your posts intuito personae against Melih.
We have a problem, a situation.
You can post very hard without getting banned.

As solution, Firefox 4 and IE 9 are protected by default.
IE8 users should change manually a setting.
In any case, update Windows.

Quote
Hopefully this causes the industry players to audit not only their own security systems and policies, but those of their trusted partners as well. As the problem of transitive trust remains inherent in the PKI, it's about every link in the chain, not just your own.
http://nakedsecurity.sophos.com/2011/03/24/fraudulent-certificates-issued-by-comodo-is-it-time-to-rethink-who-we-trust/
The best things in life are free.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Comodo - SSL issues
« Reply #38 on: March 24, 2011, 01:14:25 PM »
goes far beyond Comodo's scope of actions; the issue is global, and Comodo was just the button that had to be triggered.
+1

There were easy actions to remedy the situation meanwhile by disabling Comodo's and their resellers' root certificates, on the other hand - I totally fail to see who benefited from non-disclosure (beyond the fraud guys). Certainly not users. This completely evades me. FAIL.  :-X >:(
+1
The best things in life are free.

doktornotor

  • Guest
Re: Comodo - SSL issues
« Reply #39 on: March 24, 2011, 01:15:48 PM »
As solution, Firefox 4 and IE 9 are protected by default.

Sadly - nope, even with FF4, OSCP is still not set to consider the certificate invalid when it cannot contact the OSCP server by default. So, this can repeat any time again without users knowledge.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Comodo - SSL issues
« Reply #40 on: March 24, 2011, 01:17:24 PM »
As solution, Firefox 4 and IE 9 are protected by default.

Sadly - nope, even with FF4, OSCP is still not set to consider the certificate invalid when it cannot contact the OSCP server by default. So, this can repeat any time again without users knowledge.
You're right. My fault. Users of Firefox 4 should do it manually.
The best things in life are free.

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48523
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Comodo - SSL issues
« Reply #41 on: March 24, 2011, 01:27:04 PM »
As solution, Firefox 4 and IE 9 are protected by default.

Sadly - nope, even with FF4, OSCP is still not set to consider the certificate invalid when it cannot contact the OSCP server by default. So, this can repeat any time again without users knowledge.
You're right. My fault. Users of Firefox 4 should do it manually.
Tech,
There was a whole week that no one knew (almost no one) about the issue.
You can't protect against something you know nothing about.
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Hermite15

  • Guest
Re: Comodo - SSL issues
« Reply #42 on: March 24, 2011, 01:40:40 PM »
well Google did ;D ... and so did the others, but just Google issued a revocation list through an update on Chrome beta on March 15. But yeah, noone really talked.

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Comodo - SSL issues
« Reply #43 on: March 24, 2011, 01:43:31 PM »
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Comodo - SSL issues
« Reply #44 on: March 24, 2011, 01:49:45 PM »
There was a whole week that no one knew (almost no one) about the issue.
You can't protect against something you know nothing about.
Agree.
But Microsoft knows that: they've changed the default on IE9 for a reason.
Google seems to knew that.
And also Comodo...
And also Mozilla does not change the default on Firefox 4...

Is anybody thinking on users?
The best things in life are free.