Comodo under attack.

[Guest]

[Radaghast]

Microsoft released IE9 with different default settings. Microsoft released a Windows Update for it.
Google released a new version of the browser.
Mozilla seems to be delayed the release of version 4, but did not change the settings (open for this attacks).
None of them said nothing to the users! That is what p*ss me up!

Incorrect, I'm afraid. There were updates to firefox 3.5, 3.6 and version 4 received an impromptu RC2 before final release.

You can read the whole bug here https://bugzilla.mozilla.org/show_bug.cgi?id=643056#c22

No, I'm not talking about that.

Then what are you talking about?

Any proposal depends in a lot of money... and the users are left behind.

Not just money. Are 'users' ever consulted when a major change takes place to the infrastructure of the Internet?

Seems that Mozilla already recognized that they took the wrong decision and should have warned the users about the problem much before.

You mean in the same way Google did on the 17th March, when they updated their browser.  If you read the link I posted above, all three browser owners decided to hold of announcing anything until everyone was ready. In fact, the decision was primarily orchestrated by Microsoft.

Mozilla announced the issue on the 22nd http://blog.mozilla.com/security/2011/03/22/firefox-blocking-fraudulent-certificates/ when they had patched their browsers. Microsoft made their updates on the 23rd. http://www.microsoft.com/technet/security/advisory/2524375.mspx

Subsequently, Mozilla have issued a follow-up http://blog.mozilla.com/security/2011/03/25/comodo-certificate-issue-follow-up/ and also regret delaying the notification to users Mozilla regrets keeping quiet on SSL certificate theft I don't see much in the way of apologies from Google or Microsoft. I see even less from Apple and Opera, apart from:

http://my.opera.com/community/forums/topic.dml?id=942542
http://www.h-online.com/security/news/item/Tip-Activating-certificate-checks-in-Safari-1215476.html

Unfortunately, OCSP and CRL have both been seen as problematic and prone to failure. 

Why revocation does not work

Average Joe does not know what to do...

As already stated, there is little the 'average' user can do.

Certificate Patrol.
Hmmm... Not sure if it is really working.

It works fine.

You can also try Perspectives

[Tech]

Radaghast, seems I was wrong and read incorrectly the Firefox upgrades. Sorry.

I don't see much in the way of apologies from Google or Microsoft. I see even less from Apple and Opera

Oh no, I'm not bashing Mozilla only... I think the users must know what was happening. The others didn't do better than Mozilla I'll say. I have lived situations where the security vendor automatically recognizes the error/problem. I believe in transparency. I trust in people who do that.

By the way, my browser is Firefox 4...

[Radaghast]

Radaghast, seems I was wrong and read incorrectly the Firefox upgrades. Sorry.
Oh no, I'm not bashing Mozilla only... I think the users must know what was happening. The others didn't do better than Mozilla I'll say. I have lived situations where the security vendor automatically recognizes the error/problem. I believe in transparency. I trust in people who do that.

By the way, my browser is Firefox 4...

No worries. I too believe all concerned should have done a much better job informing their users and issuing their respective patches earlier. Unfortunately, there's more going on here than we're being told. No doubt the full story will emerge, eventually...

Firefox 4 is doing quite well, there are problems, but they'll be addressed as we go forward. I use the nightly build, so I'm currently using 4.2a1pre, which will eventually make way for version 5. (although there may be an couple of interim releases...)


 

[Tech]

A very good and serene reading about what happened, the Comodo and Mozilla actions.
http://blog.mozilla.com/security/2011/03/25/comodo-certificate-issue-follow-up/

[Radaghast]

A very good and serene reading about what happened, the Comodo and Mozilla actions.
http://blog.mozilla.com/security/2011/03/25/comodo-certificate-issue-follow-up/

I've already given that link in the post above...

[Tech]

I've already given that link in the post above...

Sorry. Too many posts and links about the same.

[ichsun]

Have you ever seen Hacker's response:
http://pastebin.com/74KXCaEZ

[Radaghast]

Sounds like a self-congratulatory political diatribe from an attention seeking wannabe.

... I should mention my age is 21

And this matters, why?

Follow-up post http://pastebin.com/DBDqm6Km

public ASCR ()
                       
                        {
                                this.url = "https://secure.comodo.net/products/";
                                this.url_nos = "https://secure.comodo.net/products/";
                                this.login = "gtadmin";
                                this.password = "TRIMMEDIT";
                                this.numberOfTries = 5;
                        }

If that's true, it's pretty poor...

[kagun]

I heard that some stupids tried to ask about it from Iran's ambassador in UN, really? How smartass you are?
Where were you when Stuxnet created by Israel and USA with millions of dollar budget, with access to SCADA systems and Nuclear softwares? Why no one asked a question from Israel and USA ambassador to UN?
So you can't ask about SSL situtation from my ambassador, I answer your question about situtation: "Ask about Stuxnet from USA and Israel", this is your answer, so don't waste my Iran's ambassador's worthy time.
 
When USA and Isrel can read my emails in Yahoo, Hotmail, Skype, Gmail, etc. without any simple
 
little problem, when they can spy using Echelon, I can do anything I can. It's a simple rule. You do,
 
I do, that's all. You stop, I don't stop. It's a rule, rule #1 (My Rules as I rule to internet, you should know it
 
already...)
 
Rule#2: So why all the world worried, internet shocked and all writers write about it, but nobody
 
writes about Stuxnet anymore? Nobody writes about HAARP, nobody writes about Echelon... So nobody
 
should write about SSL certificates.
 
Rule#3: Anyone inside Iran with problems, from fake green movement to all MKO members and two faced
 
terrorists, should afraid of me personally. I won't let anyone inside Iran, harm people of Iran, harm
 
my country's Nuclear Scientists, harm my Leader (which nobody can), harm my President, as I live, you
 
won't be able to do so. as I live, you don't have privacy in internet, you don't have security in
 
digital world, just wait and see...By the way, you already have seen it or you are blind, is there any larger target than a CA in internet?

Seems like I am not a crazy conspiracy nut after all...
I would like some explanation, please....

[kail]

Seems like I am not a crazy conspiracy nut after all...

That remains to be seen.

I would like some explanation, please....

I assume the bold highlighting is yours. But, it's not exactly clear (to me at least) what you would like an explanation on or from whom.

[kagun]

Sorry, my apologies, I did not format it good enough, my bad!
I would like to know what is Comodo's stance of user privacy, what data is collected and what is being done to ensure user privacy and security on the internet.
What is Comodo's stance on Stuxnet?
Can Comodo protect it's users from intelligence gathering from three-letter-agencies? [I do not say to cover criminals, but to respect privacy of ordinary users!]

It indeed is bold on my part.... 

[Radaghast]

Sorry, my apologies, I did not format it good enough, my bad!
I would like to know what is Comodo's stance of user privacy, what data is collected and what is being done to ensure user privacy and security on the internet.
What is Comodo's stance on Stuxnet?
Can Comodo protect it's users from intelligence gathering from three-letter-agencies? [I do not say to cover criminals, but to respect privacy of ordinary users!]

It indeed is bold on my part.... 

And this has do to with the 'hacked' certificates, what exactly?

[kagun]

The hacker claims to protect himself, his people and his government from cyber attacks, fake protests etc....
Why did he specifically target Comodo when he could do Verizon or other company?

[kail]

Why did he specifically target Comodo when he could do Verizon or other company?

I'm guessing that it's because Verizon isn't a CA.

[kagun]

Sorry, Verisign!
From link: http://en.wikipedia.org/wiki/Certificate_authority#Providers
. A 2009 market share report from Net Craft as of January of that year determined that VeriSign and its acquisitions (which include Thawte and Geotrust) have a 47.5% share of the certificate authority market, followed by GoDaddy (23.4%), and Comodo (15.44%).

[Tags:]