Comodo issues fraudulent Google, Microsoft, Mozilla, Skype, Yahoo certificates

So, here goes the reason behind FF RC2 release.

Detecting Certificate Authority compromises and web browser collusion

Firefox Blocking Fraudulent Certificates

SSL meltdown forces browser developers to update

Update #1: Microsoft Releases Security Advisory 2524375

This is not a Microsoft security vulnerability; however, one of the certificates potentially affects Windows [b]Live ID users via[/b]

Update #2: The other fraudulent certificates issued by Comodo include:

Wow, well done - so not just among the high profile stuff… :rocks:

P.S. Previous Comodo vs. Mozilla fiasco from 2008 and the Mozilla bugzilla aftermath (now once again alive and kicking).

We have seen this many times with so called “trusted” vendors list in CIS, haven’t we? Eagerly awaiting comments from “Creating Trust Online ™” CEO. 88) :-TD

If there was a secure and trusted DNS this issue would be a moot point!

We need a Secure and Trusted DNS!

Now we are living in a new era where people who provide Authentication to end users are target for State-funded entities! Its a new era indeed…brace yourselves…


Update your Windows!

We need a Secure and Trusted DNS!

open DNS Google Public DNS

also Comodo Secure DNS…

but there are many inherent problems.

We have made a proposal to the Cabforum last year to resolve these issues. We will double our effort in creating a new standard that will make DNS a tad bit more secure…and this will be a good starting point.


What Melih is referring to is DNSSEC

Small article Can we replace certificates with DNSSEC ?

If you’re using firefox I’d strongly recommend you make a change in about:config

Change ‘security.OCSP.require’ from false to true.

Online Certificate Status Protocol

You can also look at implementing an extension, such as:

Network Notary
Certificate Patrol

Indeed…and some people think DNSSEC is it…they don’t realise its not…
Comodo has been involved in getting new standard for DNS called CAA.

this is a wake up call (should be)…to everyone who thinks DNS is safe…


The problem with using DNSSEC as an alternative to SSL/TLS is that it is inherently prone to interference by the owners of the TLDs. This is something that happens now with CAs, in some countries. With a switch to DNSSEC the focus will just switch to the TLDs.

Personally, I don’t think this ‘interference’ is/will be limited to the less than democratic regimes, either. With the US Government wanting even more control over ICANN, likewise the UK Government and Nominet, there is every reason to believe they will/could do what ever they wish with DNSSEC.

So, wherever you’ve got planned for CAA, I hope it will offer a more robust system, which is less prone to ‘outside interference’. Perhaps something based around TOFU/POP.

The decision by Google, Microsoft, Mozilla and Comodo to keep the world in the dark for eight days comes as a slap in the face to their users.

“The attackers had all they needed,” said Marsh Ray, a researcher and software developer at two-factor authentication service PhoneFactor. “Knowing which certificates have been compromised gives an immediate step people can take to secure their systems.”

None of the companies would explain why they waited so long to disclose the attack.

It’s actually worth reading the complete bug at Mozilla to understand why they did what they did. Not that it makes it right…

here is the CAA draft proposal.

Bob3160: pls read and learn…we pay our people to help create standards for people…not for sending them to other forums to do “negative blogging/posting”…

Edit by EricJH: fixed the quote structure

Bob: you should be ashamed of doing what you do to a Company like Comodo who is spending its own money to create standards that the whole world will benefit from. Honestly, do be ashamed.

Edit by EricJH: fixed quote

Greetz, Red.

Heh… I’m from Russia…
Here you can see article on russian.
I still wonder how long “informational” resources (almost No.1 in Russia) will do such … wrong articles :wink:

A very good and serene reading about what happened, the Comodo and Mozilla actions.

Why isn’t Comodo requiring their subordinate CAs to use one-time password tokens? Static passwords have no business being in a trust chain.