Author Topic: Comodo issues fraudulent Google, Microsoft, Mozilla, Skype, Yahoo certificates  (Read 27673 times)

Offline doktornotor

  • Comodo's Hero
  • *****
  • Posts: 222
So, here goes the reason behind the FF RC2 release.

Detecting Certificate Authority compromises and web browser collusion

Firefox Blocking Fraudulent Certificates


SSL meltdown forces browser developers to update

Update #1: Microsoft Releases Security Advisory 2524375

Quote
This is not a Microsoft security vulnerability; however, one of the certificates potentially affects Windows Live ID users via login.live.com.

Update #2: The other fraudulent certificates issued by Comodo include:
- login.skype.com
- login.yahoo.com (3x)
- mail.google.com
- www.google.com

Wow, well done - so not just addons.mozilla.org among the high profile stuff...  :rocks:

P.S. Previous Comodo vs. Mozilla fiasco from 2008 and the Mozilla bugzilla aftermath (now once again alive and kicking).

We have seen this many times with the so-called "trusted" vendors list in CIS, haven't we? Eagerly awaiting comments from "Creating Trust Online (TM)" CEO.  88) :-TD
« Last Edit: March 23, 2011, 01:58:19 PM by doktornotor »

Offline kail

  • Randomly Appearing
  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11361
  • The future is much like the present, only longer.
    • COMODO's free software!
My System Details: W10Px64 with CIS 10 Beta, Firefox & Becky!
Forum Policy.
____
The problem is not the problems, the problem is people's attitude towards those problems.


Offline Melih

  • CEO - Comodo
  • Administrator
  • Comodo's Hero
  • *****
  • Posts: 14691
    • Video Blog
If there was a secure and trusted DNS this issue would be a moot point!

We need a Secure and Trusted DNS!

Now we are living in a new era where people who provide Authentication to end users are targets for State-funded entities! It's a new era indeed..... brace yourselves....

Melih
« Last Edit: March 23, 2011, 06:17:39 PM by Melih »

Offline Tech

  • Usability Study Member
  • Comodo's Hero
  • *****
  • Posts: 3025
avast! team member
Save freeware snapshot technology of Comodo Time Machine. Vote!

Offline bob3160

  • avast! Contractor
  • Comodo Family Member
  • ***
  • Posts: 83
  • Organ donors lead extended lives!
Quote
We need a Secure and Trusted DNS!

OpenDNS, Google Public DNS

Offline Melih

  • CEO - Comodo
  • Administrator
  • Comodo's Hero
  • *****
  • Posts: 14691
    • Video Blog
Quote
OpenDNS, Google Public DNS

also Comodo Secure DNS..

but there are many inherent problems.

We have made a proposal to the CAB Forum last year to resolve these issues. We will double our effort in creating a new standard that will make DNS a tad bit more secure... and this will be a good starting point.

Melih

Offline Radaghast

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 4068
Quote
OpenDNS, Google Public DNS

What Melih is referring to is DNSSEC.

Small article: Can we replace certificates with DNSSEC?

If you're using Firefox, I'd strongly recommend you make a change in about:config.

Change 'security.OCSP.require' from false to true.

Online Certificate Status Protocol

You can also look at implementing an extension, such as:

Network Notary
Certificate Patrol

“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.”

Offline Melih

  • CEO - Comodo
  • Administrator
  • Comodo's Hero
  • *****
  • Posts: 14691
    • Video Blog
Quote
What Melih is referring to is DNSSEC.

Small article: Can we replace certificates with DNSSEC?

If you're using Firefox, I'd strongly recommend you make a change in about:config.

Change 'security.OCSP.require' from false to true.

Online Certificate Status Protocol

You can also look at implementing an extension, such as:

Network Notary
Certificate Patrol


Indeed... and some people think DNSSEC is it... they don't realise it's not....
Comodo has been involved in getting a new standard for DNS called CAA.

This is a wake-up call (should be)... to everyone who thinks DNS is safe......

Melih

Offline Radaghast

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 4068
Quote
Indeed... and some people think DNSSEC is it... they don't realise it's not....
Comodo has been involved in getting a new standard for DNS called CAA.

This is a wake-up call (should be)... to everyone who thinks DNS is safe......

Melih


The problem with using DNSSEC as an alternative to SSL/TLS is that it is inherently prone to interference by the owners of the TLDs. This is something that happens now with CAs, in some countries. With a switch to DNSSEC the focus will just switch to the TLDs.

Personally, I don't think this 'interference' is/will be limited to the less than democratic regimes, either. With the US Government wanting even more control over ICANN, likewise the UK Government and Nominet, there is every reason to believe they will/could do whatever they wish with DNSSEC.

So, whatever you've got planned for CAA, I hope it will offer a more robust system, which is less prone to 'outside interference'. Perhaps something based around TOFU/POP.
« Last Edit: March 24, 2011, 03:42:39 AM by Radaghast »
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.”
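The extensions named above (Certificate Patrol in particular) and the TOFU/POP idea in the post work the same way: remember the certificate a host presented the first time, then warn when a later connection presents a different one. The following is an added illustration of that check, not code from either extension or from anyone in this thread; the host name, issuer names, certificate bytes and the 30-day renewal window are all constructed assumptions for the example.

```python
"""Trust-on-first-use certificate pinning of the kind Certificate Patrol does in
the browser, as an added illustration (not the extension's code). The host name,
issuer names and certificate bytes below are constructed sample data."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class CertObservation:
    host: str
    der: bytes           # the certificate as seen on the wire (constructed bytes here)
    issuer: str          # issuer name, kept as a plain string for the example
    not_after: datetime  # certificate expiry

    @property
    def fingerprint(self) -> str:
        # Pin on the SHA-256 of the whole certificate, not on the subject name, so a
        # second certificate for the same name from another CA still counts as a change.
        return hashlib.sha256(self.der).hexdigest()


@dataclass
class PinStore:
    pins: dict = field(default_factory=dict)          # host -> first-seen observation
    renewal_window: timedelta = timedelta(days=30)    # assumption of this example

    def check(self, obs: CertObservation, now: datetime) -> str:
        """Classify an observation as 'tofu', 'unchanged', 'renewed' or 'CHANGED'."""
        known = self.pins.get(obs.host)
        if known is None:
            self.pins[obs.host] = obs          # first use: remember it, nothing to compare
            return "tofu"
        if known.fingerprint == obs.fingerprint:
            return "unchanged"
        # A different certificate for a host we already know. Accept it quietly only
        # when it looks like routine renewal: same issuer and the pinned certificate
        # was about to expire. Everything else, including a certificate for the same
        # name issued by a different CA (the case in this thread), is flagged to the user.
        if obs.issuer == known.issuer and known.not_after - now <= self.renewal_window:
            self.pins[obs.host] = obs
            return "renewed"
        return "CHANGED"


def sample_run() -> list:
    """Replay a constructed sequence of observations for one host."""
    now = datetime(2011, 3, 23)
    store = PinStore()
    pinned = CertObservation("www.example.com", b"cert-A", "Original CA (constructed)",
                             datetime(2011, 4, 10))
    forged = CertObservation("www.example.com", b"cert-B", "Other CA (constructed)",
                             datetime(2012, 3, 14))
    renewed = CertObservation("www.example.com", b"cert-C", "Original CA (constructed)",
                              datetime(2012, 4, 10))
    early_swap = CertObservation("www.example.com", b"cert-D", "Original CA (constructed)",
                                 datetime(2012, 6, 1))
    return [store.check(pinned, now),      # tofu
            store.check(pinned, now),      # unchanged
            store.check(forged, now),      # CHANGED: different CA for a known host
            store.check(renewed, now),     # renewed: same CA, pinned cert expiring in 18 days
            store.check(early_swap, now)]  # CHANGED: same CA, but pinned cert valid for a year


if __name__ == "__main__":
    print(sample_run())
```

The point of the heuristic is the trade-off the post hints at: a pure TOFU store warns on every routine renewal, which trains users to click through, while a store that accepts any same-issuer change would miss a mis-issued certificate from the same CA. Neither setting helps on the very first visit, which is why the OCSP hard-fail setting above is a separate, complementary control.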

Offline bob3160

  • avast! Contractor
  • Comodo Family Member
  • ***
  • Posts: 83
  • Organ donors lead extended lives!
http://www.theregister.co.uk/2011/03/23/gmail_microsoft_web_credential_forgeries/page2.html

Quote
The decision by Google, Microsoft, Mozilla and Comodo to keep the world in the dark for eight days comes as a slap in the face to their users.

“The attackers had all they needed,” said Marsh Ray, a researcher and software developer at two-factor authentication service PhoneFactor. “Knowing which certificates have been compromised gives an immediate step people can take to secure their systems.”

None of the companies would explain why they waited so long to disclose the attack.

Offline Radaghast

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 4068
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.”

Offline Melih

  • CEO - Comodo
  • Administrator
  • Comodo's Hero
  • *****
  • Posts: 14691
    • Video Blog
Quote
The problem with using DNSSEC as an alternative to SSL/TLS is that it is inherently prone to interference by the owners of the TLDs. This is something that happens now with CAs, in some countries. With a switch to DNSSEC the focus will just switch to the TLDs.

Personally, I don't think this 'interference' is/will be limited to the less than democratic regimes, either. With the US Government wanting even more control over ICANN, likewise the UK Government and Nominet, there is every reason to believe they will/could do whatever they wish with DNSSEC.

So, whatever you've got planned for CAA, I hope it will offer a more robust system, which is less prone to 'outside interference'. Perhaps something based around TOFU/POP.

Here is the CAA draft proposal.

http://tools.ietf.org/html/draft-hallambaker-donotissue-03
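The draft linked above, and the CAA standard Melih refers to earlier in the thread, lets a domain owner publish in DNS which CAs are allowed to issue certificates for that name, and puts the burden of checking on the CA before issuance. The following is an added illustration of that CA-side check, not Comodo's code or anything from the draft itself; it follows the CAA semantics as they were later standardized in RFC 6844 (tree-climbing to the nearest CAA RRset, `issue` / `issuewild` tags, the critical flag), uses a constructed in-memory zone instead of real DNS lookups, and leaves CNAME/DNAME handling out. The zone contents, CA names and account parameter are all constructed.

```python
"""CA-side CAA authorization check. Added illustration following the CAA semantics
later standardized in RFC 6844; not Comodo's code and not the linked draft's text.
DNS data is a constructed in-memory zone rather than real lookups, and the
CNAME/DNAME rules are omitted."""
from typing import Dict, List, NamedTuple

ISSUER_CRITICAL = 128   # flag bit: a CA that does not understand the tag must not issue
KNOWN_TAGS = ("issue", "issuewild", "iodef")


class CAARecord(NamedTuple):
    flags: int
    tag: str
    value: str   # for issue/issuewild: "<ca-domain>[; param=value]" or ";" meaning no CA


# Constructed sample zone: owner name -> CAA RRset. Names absent here have no CAA records.
SAMPLE_ZONE: Dict[str, List[CAARecord]] = {
    "example.com": [CAARecord(0, "issue", "ca.example.net; account=1234"),
                    CAARecord(0, "iodef", "mailto:security@example.com")],
    "wild.example.com": [CAARecord(0, "issuewild", "other-ca.example.org")],
    "locked.example.com": [CAARecord(0, "issue", ";")],           # nobody may issue
    "strict.example.com": [CAARecord(ISSUER_CRITICAL, "futuretag", "x")],
}


def relevant_rrset(name: str, zone: Dict[str, List[CAARecord]]) -> List[CAARecord]:
    """Climb from the FQDN toward the root; the first non-empty CAA RRset governs."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def issuer_domain(value: str) -> str:
    """'ca.example.net; account=1234' -> 'ca.example.net'; ';' -> '' (no CA at all)."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(name: str, ca_domain: str, wildcard: bool,
              zone: Dict[str, List[CAARecord]] = SAMPLE_ZONE) -> bool:
    """Decide whether the CA identified by ca_domain may issue for name."""
    rrset = relevant_rrset(name, zone)
    if not rrset:
        return True   # no CAA anywhere up the tree: no restriction
    if any(rr.flags & ISSUER_CRITICAL and rr.tag not in KNOWN_TAGS for rr in rrset):
        return False  # a critical property we cannot process: refuse to issue
    tag = "issue"
    if wildcard and any(rr.tag == "issuewild" for rr in rrset):
        tag = "issuewild"   # issuewild, when present, overrides issue for wildcard names
    permitted = {issuer_domain(rr.value) for rr in rrset if rr.tag == tag}
    if not permitted:
        return True   # RRset carries no record for this property: unrestricted
    return ca_domain.lower() in permitted


if __name__ == "__main__":
    for host, ca, wild in [("www.example.com", "ca.example.net", False),
                           ("www.example.com", "other-ca.example.org", False),
                           ("locked.example.com", "ca.example.net", False),
                           ("wild.example.com", "other-ca.example.org", True)]:
        print(host, ca, "wildcard" if wild else "", "->", may_issue(host, ca, wild))
```

Two things the code makes visible that the thread's discussion does not: CAA is only as good as the CA's willingness to run this check before issuing (a compromised registration authority that skips it is not stopped by the record), and the lookup itself relies on DNS, so without DNSSEC the answer can be spoofed. That is why CAA is pitched in the thread as a starting point rather than a replacement for certificates.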


Offline Melih

  • CEO - Comodo
  • Administrator
  • Comodo's Hero
  • *****
  • Posts: 14691
    • Video Blog
Quote
Here is the CAA draft proposal.

http://tools.ietf.org/html/draft-hallambaker-donotissue-03

Bob3160: pls read and learn....we pay our people to help create standards for people...not for sending them to other forums to do "negative blogging/posting".....



Edit by EricJH: fixed the quote structure
« Last Edit: March 24, 2011, 01:19:03 PM by EricJH »

Offline Melih

  • CEO - Comodo
  • Administrator
  • Comodo's Hero
  • *****
  • Posts: 14691
    • Video Blog
Quote
Here is the CAA draft proposal.

http://tools.ietf.org/html/draft-hallambaker-donotissue-03

Bob3160: pls read and learn....we pay our people to help create standards for people...not for sending them to other forums to do "negative blogging/posting".....

Bob: you should be ashamed of doing what you do to a company like Comodo, which is spending its own money to create standards that the whole world will benefit from. Honestly, do be ashamed.


Edit by EricJH: fixed quote
« Last Edit: March 24, 2011, 01:20:16 PM by EricJH »
