Phony Web Certs Issued For Google, Yahoo, Skype
Gunkerty Jeb writes "A major issuer of secure socket layer (SSL) certificates acknowledged on Wednesday that it had issued 9 fraudulent SSL certificates to seven Web domains, including those for Google.com, Yahoo.com and Skype.com following a security compromise at an affiliate firm. The attack originated from an IP address in Iran, according to a statement from Comodo Inc."
Firefox/IE patches released, Comodo incident report (Score:5, Informative)
Comodo’s advisory:
http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html
Firefox released 3.6.16 yesterday:
http://www.mozilla.com/en-US/firefox/3.6.16/releasenotes/
Microsoft released an advisory and patch yesterday:
Advisory: http://www.microsoft.com/technet/security/advisory/2524375.mspx
Patch: http://support.microsoft.com/kb/2524375
Re:Better Internet for Everybody (Score:4, Informative)
Yeah! We should ban such third world hellholes as the United States, Japan, Canada, Italy, Germany and the United Kingdom! They are all in the top 10 for spamming, according to Spamhaus. The others are China, Russia, Brazil, and Argentina.
Re:Patches? (Score:5, Informative)
What, they don't support revocation lists already?
Firefox, to take an example, supports offline revocation lists (i.e. imported from files) or Online Certificate Status Protocol for automatically verifying certificates. Both of these are optional, although OCSP is enabled by default for certificates that specify an OCSP server in their details. Comodo do use OCSP, so this should be dealt with automatically for most Firefox users. However, some may have disabled OCSP, and for these a CRL must be installed to revoke the certificates. The easiest way to persuade people to do this is by pushing a patch that contains it.
Re:CRLs? (Score:5, Informative)
Are CRLs completely broken and unused?
Yes, they are. [imperialviolet.org]
Re:CRLs? (Score:2, Informative)
You may want to read http://www.imperialviolet.org/2011/03/18/revocation.html [imperialviolet.org]
Things You Can Do On Your Own (Score:5, Informative)
Neither of these is perfect, but here are two different Firefox add-ons that can significantly reduce the chance of you falling victim to a compromised certificate authority:
Network Notary [networknotary.org] - sort of crowd-sourcing approach
Certificate Patrol [mozilla.org] - remembers the certs of sites you've visited in the past and tells you when they change
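An added example, not from the post or the Certificate Patrol add-on, of the remember-and-compare check that add-on performs, written as a trust-on-first-use fingerprint store in Python; the certificate bytes are constructed placeholders standing in for real DER, and the host name and class name are assumptions.

```python
import hashlib
from typing import Dict


class CertPatrol:
    """Trust-on-first-use store in the spirit of Certificate Patrol. A
    mis-issued cert from a trusted CA still passes chain validation, so
    only a change from the fingerprint seen before gives it away."""

    def __init__(self) -> None:
        self.store: Dict[str, str] = {}  # host -> SHA-256 hex of DER cert

    @staticmethod
    def fingerprint(der: bytes) -> str:
        return hashlib.sha256(der).hexdigest()

    def observe(self, host: str, der: bytes) -> str:
        """'new' on first sight, 'same' if unchanged, 'changed' on mismatch."""
        fp = self.fingerprint(der)
        prev = self.store.get(host)
        if prev is None:
            self.store[host] = fp
            return "new"
        if prev == fp:
            return "same"
        return "changed"  # the user decides: legitimate renewal or rogue cert

    def accept(self, host: str, der: bytes) -> None:
        """Explicitly trust a changed certificate, e.g. after a verified renewal."""
        self.store[host] = self.fingerprint(der)


# Constructed placeholder bytes standing in for real DER-encoded certificates.
GOOGLE_KNOWN = b"constructed-der: CN=www.google.com, legitimate issuer"
GOOGLE_ROGUE = b"constructed-der: CN=www.google.com, mis-issued certificate"
GOOGLE_RENEWED = b"constructed-der: CN=www.google.com, legitimate renewal"


def demo() -> list:
    cp = CertPatrol()
    r1 = cp.observe("www.google.com", GOOGLE_KNOWN)
    r2 = cp.observe("www.google.com", GOOGLE_KNOWN)
    r3 = cp.observe("www.google.com", GOOGLE_ROGUE)  # the warning moment
    cp.accept("www.google.com", GOOGLE_RENEWED)  # only after the user checked it
    r4 = cp.observe("www.google.com", GOOGLE_RENEWED)
    return [r1, r2, r3, r4]  # ['new', 'same', 'changed', 'same']
```

The store is in memory here; the real add-on persists it across sessions, and a warning still needs a human to distinguish a scheduled renewal from a rogue certificate.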
Re:Firefox/IE patches released,Comodo incident rep (Score:3, Informative)
http://www.mozilla.org/security/announce/2011/mfsa2011-11.html [mozilla.org]
http://blog.mozilla.com/security/2011/03/22/firefox-blocking-fraudulent-certificates/ [mozilla.com]
Re:And the CAs do ... what again? (Score:4, Informative)
Shouldn't be much longer ...
http://datatracker.ietf.org/doc/draft-ietf-dane-protocol/?include_text=1 [ietf.org]
Well, unless the CAs pay off Mozilla/Microsoft/Apple not to implement it.