Author Topic: Comodo under attack.  (Read 93656 times)
bob3160
avast! Contractor
Organ donors lead extended lives!
« Reply #15 on: March 24, 2011, 04:58:42 PM »

Wish I could answer that question but I don't work for Avast. I'm only a spokesperson helping others stay safe on their computer and the internet.

Melih
CEO - Comodo
« Reply #16 on: March 24, 2011, 07:08:07 PM »

Quote
Wish I could answer that question but I don't work for Avast. I'm only a spokesperson helping others stay safe on their computer and the internet.

lol

Tech
Usability Study Member
« Reply #17 on: March 25, 2011, 08:39:18 AM »

A very good article explaining the man-in-the-middle (MITM) attack, the failure of the Certificate Authority (CA) model and (as they call it) Comodo's colossal screw up.

Quote
The mathematics behind the authentication and encryption are pretty robust (at least given current knowledge), so those parts are reasonably safe. But an awful lot of trust is placed on those root CAs. If a root CA starts issuing certificates to people that it shouldn't—giving a hacker a certificate purporting to be [Mozilla, Microsoft, Google, Skype, Yahoo...], say—then the whole system collapses. The hacker can act as a man-in-the-middle and the client's Web browser will actually trust his certificate. No warning about self-signed certificates; everything will just work as if nothing were wrong.

Quote
And that's exactly what one of the root CAs, Comodo, has done. Nine times. A user account belonging to a Comodo "Trusted Partner" based in Southern Europe was hacked, and this hacked account was used to issue nine fraudulent certificates. [...] The hacked user account has been suspended, and the company has instituted "additional audits and controls" of an entirely unspecified nature.

Quote
Further detective work by Applebaum revealed that the blacklisted certificates were issued by Salt Lake City-based Comodo reseller UserTrust.

Quote
The chain of trust is broken [...] This is not the first time that a bogus certificate has been issued. Back in 2001, Verisign [...] [but] This attack was worse than those previous incidents, however. [...] A single hack of a CA, or coercion of a CA in a despotic regime, means that a malicious party can produce a certificate that essentially every device on the Internet will trust, allowing interception and eavesdropping of secure communications. [...] The current chain of trust concept is endemic, and the commercial nature of most root CAs means that they will apply pressure to keep the current system.

Quote
The centralized trust model doesn't work.

Edit: Article URL fixed by Sal Amander
« Last Edit: March 25, 2011, 08:48:02 AM by Sal Amander »

avast! team member
Save freeware snapshot technology of Comodo Time Machine. Vote!
Ronny
Global Moderator
« Reply #18 on: March 25, 2011, 08:48:00 AM »

I read a good bunch of posts about the issue and there are a lot of so-called experts there, some copy/paste bloggers, most of them have no clue what they're writing about, and others just focus on this incident as if it could only happen to Comodo's CA.... wouldn't gaining access to any other CA's RA credentials have had the same result?

And completely missing the most important part for average Joe, how do I fix this?

* I'm not trying to defend C here, just trying to show the narrow-minded writing about the issue on some occasions... 

Volunteer Moderator
Any concerns? Please send me a PM or review the Forum Policy -  update Jan 3rd 2013!
bob3160
avast! Contractor
« Reply #19 on: March 25, 2011, 08:55:54 AM »

This isn't picking on Comodo. As Tech already pointed out, this has happened before and the last time it was not Comodo.
Stronger safeguards need to be put in place so that this so-called "chain of trust" becomes ironclad rather than a weak link.
« Last Edit: March 25, 2011, 06:21:06 PM by bob3160 »

Tech
Usability Study Member
« Reply #20 on: March 25, 2011, 09:05:36 AM »

Quote
And completely missing the most important part for average Joe, how do I fix this?

Update Windows (for IE), update Chrome and other browsers.
Firefox does not follow Microsoft (IE9) on blocking this attack on certificates by default. Why?
I did not find a good road map for the average Joe.
I've changed the authentication options of Firefox, but every time I open the browser I get a warning...

Quote
I'm not trying to defend C here, just trying to show the narrow-minded writing about the issue on some occasions...

There will always be narrow-minded people in the world.
Does not seem to be the case with this article, in my opinion.

Ronny
Global Moderator
« Reply #21 on: March 25, 2011, 09:12:10 AM »

Quote
Firefox does not follow Microsoft (IE9) on blocking this attack on certificates by default. Why?
Sorry I seem to be missing something, they did issue a new release on v4, 3.6.x and 3.5.x?

They don't seem to set the "about:config" entry security.ocsp.require to true though; someone concerned could double-click the entry to set it from false to true, so that OCSP verification needs to succeed before continuing.
Tech
Usability Study Member
« Reply #22 on: March 25, 2011, 09:18:58 AM »

Quote
Sorry I seem to be missing something, they did issue a new release on v4, 3.6.x and 3.5.x?
Microsoft has changed the default behavior with certificates on IE9.
Mozilla does not change their default policy of certificates (and the average Joe is unprotected).
Is Mozilla hiding any economic agreement with Certificates Authorities? (I've asked this on Wilders: http://www.wilderssecurity.com/showthread.php?p=1847930#post1847930).

Quote
They don't seem to set the "about:config" entry security.ocsp.require to true though; someone concerned could double-click the entry to set it from false to true, so that OCSP verification needs to succeed before continuing.
I've done it by interface. Deleted an old certificate stored and now everything is working.
But, again, it's not for average Joe.
Ronny
Global Moderator
« Reply #23 on: March 25, 2011, 09:49:19 AM »

AFAIK this post has some details on that...
https://bugzilla.mozilla.org/show_bug.cgi?id=643056
Radaghast
Star Group
« Reply #24 on: March 25, 2011, 10:06:51 AM »

Quote
...
Mozilla does not change their default policy of certificates (and the average Joe is unprotected).

Why do you believe Firefox users are any less protected, following this issue, than IE or Chrome users?

Quote
Is Mozilla hiding any economic agreement with Certificates Authorities? (I've asked this on Wilders: http://www.wilderssecurity.com/showthread.php?p=1847930#post1847930)..

If you're referring to the inclusion of the CNNIC certificate, indeed it was and is a controversial decision. The entire process was discussed ages ago on the moz.dev.security.policy board:

http://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/10239cabe69283f4
http://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/17be3bd7e0b33e8c

Personally, I always remove the trust items from that certificate and a few others. Unfortunately, they can only be deleted by the Mozilla NSS team. 

Quote
I've done it by interface. Deleted an old certificate stored and now everything is working.
But, again, it's not for average Joe.

There is very little the 'average' user can do, assuming the 'average' user is even aware of the situation. For those that do have an interest and are prepared to do something, about the best you can do is see what your browser of choice has to offer by way of additional protection, if any.

For now, the 'Certificate Trust Model' is not about to change, as there's far too much at stake for the CAs. However, there are various proposals in the wind, but none of them will be landing any day soon.

The best we, as end-users, can hope for is a change to the way Certificate Revocation is handled. If a more robust system were put in place, we might all feel slightly better protected.

“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.”
Tech
Usability Study Member
« Reply #25 on: March 25, 2011, 10:08:59 AM »

Seems there are add-ons for man-in-the-middle attacks.

SSL Guard (some comments are related to lack of browsing).
Certificate Patrol.

Can people help testing them?
Tech
Usability Study Member
« Reply #26 on: March 25, 2011, 12:38:07 PM »

Quote
Why do you believe Firefox users are any less protected, following this issue, than IE or Chrome users?

Microsoft released IE9 with different default settings. Microsoft released a Windows Update for it.
Google released a new version of the browser.
Mozilla seems to have delayed the release of version 4, but did not change the settings (open to these attacks).
None of them said anything to the users! That is what p*sses me off!

Quote
If you're referring to the inclusion of the CNNIC certificate, indeed it was and is a controversial decision. The entire process was discussed ages ago on the moz.dev.security.policy board:

http://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/10239cabe69283f4
http://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/17be3bd7e0b33e8c
No, I'm not talking about that.

Quote
For now, the 'Certificate Trust Model' is not about to change, as there's far too much at stake for the CAs. However, there are various proposals in the wind, but none of them will be landing any day soon.

Any proposal depends on a lot of money... and the users are left behind.
Seems that Mozilla already recognized that they took the wrong decision and should have warned the users about the problem much earlier.

Quote
The best we, as end-users, can hope for is a change to the way Certificate Revocation is handled. If a more robust system were put in place, we might all feel slightly better protected.
Average Joe does not know what to do...
HeffeD
Global Moderator
« Reply #27 on: March 25, 2011, 12:45:01 PM »


Radaghast has mentioned he uses this one. Perhaps he will speak up.

Ronny
Global Moderator
« Reply #28 on: March 25, 2011, 01:28:51 PM »

Quote
Certificate Patrol.
Can people help testing them?

I didn't read it all, but does this do the same as when you SSH into a box and the key has changed, so you get a "BIG WARNING!"??
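The following Python model is an added illustration for this thread, not code from the forum, from Certificate Patrol, or from any CA. It ties together two points made above: the quoted article's observation (Reply #17) that any trusted root can vouch for any hostname, so a certificate obtained through a compromised but trusted partner passes ordinary validation exactly like the genuine one, and the SSH comparison just made, where a known_hosts-style pin store notices that the leaf certificate for a site has changed even though validation succeeded. Every hostname, CA name and byte string here is constructed; the certificates are plain dataclasses with placeholder bytes, not real X.509 objects.

```python
"""Toy model of the certificate trust problem discussed in this thread.

Two things are shown:
  1. chain_is_valid(): standard path validation, where ANY root the browser
     trusts can vouch for ANY hostname, so a fraudulent leaf issued through
     a compromised-but-trusted CA passes just like the real one.
  2. PinStore: a trust-on-first-use (TOFU) pin store in the style of
     SSH's known_hosts and the Certificate Patrol add-on, which flags the
     change in the leaf certificate even though validation succeeded.

Certificates here are plain dataclasses with constructed DER placeholder
bytes; no real X.509 parsing is done.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cert:
    subject: str   # host or CA name the certificate is issued to
    issuer: str    # name of the CA that signed it
    der: bytes     # constructed stand-in for the encoded certificate

    def fingerprint(self) -> str:
        """SHA-256 over the encoded certificate, as pinning tools display it."""
        return hashlib.sha256(self.der).hexdigest()


# Constructed root store: the CAs the browser ships as trusted.
TRUSTED_ROOTS = frozenset({"Root CA A", "Root CA B"})


def chain_is_valid(hostname: str, chain: list, trusted_roots=TRUSTED_ROOTS) -> bool:
    """Path validation as the quoted article describes the trust model.

    chain[0] is the leaf, each following entry is the issuer of the one
    before it, and the last entry must have been issued by a trusted root.
    Nothing ties a particular root to a particular hostname.
    """
    if not chain or chain[0].subject != hostname:
        return False
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False
    return chain[-1].issuer in trusted_roots


@dataclass
class PinStore:
    """known_hosts-style store: remember the first fingerprint seen per host."""
    pins: dict = field(default_factory=dict)

    def check(self, hostname: str, leaf: Cert) -> str:
        fp = leaf.fingerprint()
        known = self.pins.get(hostname)
        if known is None:
            self.pins[hostname] = fp
            return "first-seen"      # TOFU: nothing to compare against yet
        if known == fp:
            return "match"
        return "CHANGED"             # the SSH-style "BIG WARNING" case


# --- constructed scenario -------------------------------------------------
HOST = "login.example.test"   # hypothetical hostname

# The site's genuine chain: leaf <- Intermediate A1 <- Root CA A
genuine_chain = [
    Cert(HOST, "Intermediate A1", b"genuine-leaf-der"),
    Cert("Intermediate A1", "Root CA A", b"intermediate-a1-der"),
]

# A certificate for the same name obtained through a different but equally
# trusted root (the situation the thread describes: a partner/RA account
# misused to obtain certificates the owner never requested).
fraudulent_chain = [
    Cert(HOST, "Intermediate B1", b"fraudulent-leaf-der"),
    Cert("Intermediate B1", "Root CA B", b"intermediate-b1-der"),
]

# A chain whose leaf names a different host: ordinary validation rejects it.
wrong_host_chain = [
    Cert("other.example.test", "Intermediate A1", b"other-leaf-der"),
    genuine_chain[1],
]


def run_scenario() -> dict:
    """Return what validation alone and validation plus pinning conclude."""
    store = PinStore()
    return {
        "genuine_valid": chain_is_valid(HOST, genuine_chain),
        "fraudulent_valid": chain_is_valid(HOST, fraudulent_chain),
        "wrong_host_valid": chain_is_valid(HOST, wrong_host_chain),
        "pin_first_visit": store.check(HOST, genuine_chain[0]),
        "pin_second_visit": store.check(HOST, genuine_chain[0]),
        "pin_fraudulent_visit": store.check(HOST, fraudulent_chain[0]),
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name:22} {result}")
```

Running it shows both the genuine and the fraudulent chain validating (the trust model cannot tell them apart; only the wrong-host chain fails), while the pin store reports "first-seen", then "match", then "CHANGED" for the fraudulent leaf. That "CHANGED" result is the same signal the SSH host-key warning gives; like SSH, it is silent on the very first visit and will also fire on a legitimate certificate renewal, which is why such add-ons can only warn and leave the decision to the user.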
Tech
Usability Study Member
« Reply #29 on: March 25, 2011, 04:38:45 PM »

Quote
SSL Guard (some comments are related to lack of browsing).
Not compatible with Firefox 4.

Quote
Certificate Patrol.
Hmmm... Not sure if it is really working.