Comodo under attack.

Update Windows (for IE), update Chrome and other browsers.
Firefox does not follow Microsoft (IE9) in blocking this attack on certificates by default. Why?
I did not find a good road map for the average Joe.
I’ve changed the authentication options of Firefox, but every time I open the browser I get a warning…

There will always be narrow minded people in the world.
Does not seem to be case of this article in my opinion.

Sorry I seem to be missing something, they did issue a new release on v4, 3.6.x and 3.5.x?

They don’t seem to set the “about:config” entry security.ocsp.require to true, though. Someone concerned could double-click the entry to set it from false to true, so that OCSP verification must succeed before the connection continues.

Microsoft has changed the default behavior with certificates on IE9.
Mozilla does not change their default policy of certificates (and the average Joe is unprotected).
Is Mozilla hiding any economic agreement with Certificates Authorities? (I’ve asked this on Wilders: SSL certificate authority Comodo compromised - update your browsers! | Page 2 | Wilders Security Forums).

I’ve done it by interface. Deleted an old certificate stored and now everything is working.
But, again, it’s not for average Joe.

AFAIK this post has some details on that…
https://bugzilla.mozilla.org/show_bug.cgi?id=643056

Why do you believe Firefox users are any less protected, following this issue, than IE or Chrome users?

Is Mozilla hiding any economic agreement with Certificates Authorities? (I've asked this on Wilders: http://www.wilderssecurity.com/showthread.php?p=1847930#post1847930)..

If you’re referring to the inclusion of the CNNIC certificate, indeed it was and is a controversial decision. The entire process was discussed ages ago on the moz.dev.security.policy board:

http://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/10239cabe69283f4
http://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/17be3bd7e0b33e8c

Personally, I always remove the trust items from that certificate and a few others. Unfortunately, they can only be deleted by the Mozilla NSS team.

I've done it by interface. Deleted an old certificate stored and now everything is working. But, again, it's not for average Joe.

There is very little the ‘average’ user can do, assuming the ‘average’ user is even aware of the situation. For those that do have an interest and are prepared to do something, about the best you can do is see what your browser of choice has to offer by way of additional protection, if any.

For now, the ‘Certificate Trust Model’ is not about to change, as there’s far too much at stake for the CAs. However, there are various proposals in the wind, but none of them will be landing any day soon.

The best we, as end-users, can hope for is a change to the way Certificate Revocation is handled. If a more robust system were put in place, we might all feel slightly better protected.

There seem to be add-ons for man-in-the-middle attacks.

SSL Guard (some comments are related to lack of browsing).
Certificate Patrol.

Can people help test them?

Microsoft released IE9 with different default settings. Microsoft released a Windows Update for it.
Google released a new version of the browser.
Mozilla seems to have delayed the release of version 4, but did not change the settings (open to these attacks).
None of them said anything to the users! That is what p*sses me off!

No, I’m not talking about that.

Any proposal depends on a lot of money… and the users are left behind.
Seems that Mozilla has already recognized that it took the wrong decision and should have warned users about the problem much earlier.

Average Joe does not know what to do…

Radaghast has mentioned he uses this one. Perhaps he will speak up.

I didn’t read all of it, but is this the same as when you SSH into a box and the key has changed, and you get a “BIG WARNING!”?
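The SSH analogy is accurate: the known_hosts warning is trust-on-first-use (TOFU) pinning, and add-ons such as Certificate Patrol apply the same idea to TLS certificates. The following is an added example, not code from Certificate Patrol or from any browser; the “certificates” are constructed byte strings standing in for DER-encoded certificates, and the host name and store layout are assumptions.

```python
"""Trust-on-first-use (TOFU) certificate pinning: the TLS equivalent of the
SSH known_hosts warning. Added example; not Certificate Patrol's code.
The certificates below are constructed stand-ins for DER-encoded certs."""
import hashlib
import json
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

# Constructed stand-ins for DER certificates (a real client would take the bytes
# from ssl.getpeercert(binary_form=True)); the contents only need to differ.
CERT_ORIGINAL = b"\x30\x82\x01\x00constructed-cert-mail.example.com-serial-1"
CERT_REPLACED = b"\x30\x82\x01\x00constructed-cert-mail.example.com-serial-2"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form browsers display."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


@dataclass
class Verdict:
    outcome: str            # "new", "match" or "changed"
    seen: Optional[str]     # fingerprint previously pinned for this host, if any
    offered: str            # fingerprint of the certificate offered now


class PinStore:
    """host:port -> fingerprint map; with path=None it lives in memory only."""

    def __init__(self, path: Optional[str] = None):
        self.path = Path(path) if path else None
        self.pins = {}
        if self.path and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def _save(self) -> None:
        if self.path:
            self.path.write_text(json.dumps(self.pins, indent=2))

    def check(self, host: str, der: bytes) -> Verdict:
        """TOFU rule: pin on first sight, accept a match, flag a change.
        "changed" is the BIG WARNING; the caller decides whether to abort the
        connection (as ssh does) or to prompt the user (as Certificate Patrol does)."""
        offered = fingerprint(der)
        seen = self.pins.get(host)
        if seen is None:
            self.pins[host] = offered
            self._save()
            return Verdict("new", None, offered)
        if seen == offered:
            return Verdict("match", seen, offered)
        return Verdict("changed", seen, offered)

    def accept_change(self, host: str, der: bytes) -> None:
        """Re-pin only after the new certificate was verified out of band."""
        self.pins[host] = fingerprint(der)
        self._save()


def demo_sequence(store: Optional[PinStore] = None) -> list:
    """Three connections to one host: first sight, a repeat, then a swapped
    certificate such as a fraudulently issued one presented by a MITM."""
    store = store or PinStore()
    host = "mail.example.com:443"
    return [store.check(host, der).outcome
            for der in (CERT_ORIGINAL, CERT_ORIGINAL, CERT_REPLACED)]


if __name__ == "__main__":
    for step, outcome in enumerate(demo_sequence(), 1):
        print(f"connection {step}: {outcome}")
```

Note the limitation that the thread runs into: TOFU only tells you that the certificate differs from the one seen before. A routine renewal from the same CA trips it just as a fraudulently issued certificate does, and a MITM present on the very first connection is pinned as genuine. It adds a check the CA model lacks, but the user still has to judge each change.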

SSL Guard (some comments are related to lack of browsing).
Not compatible with Firefox 4.

Certificate Patrol.
Hmmm… Not sure if it is really working.

Incorrect, I’m afraid. There were updates to Firefox 3.5 and 3.6, and version 4 received an impromptu RC2 before final release.

You can read the whole bug here https://bugzilla.mozilla.org/show_bug.cgi?id=643056#c22

No, I'm not talking about that.

Then what are you talking about?

Any proposal depends in a lot of money... and the users are left behind.

Not just money. Are ‘users’ ever consulted when a major change takes place to the infrastructure of the Internet?

Seems that Mozilla already recognized that they took the wrong decision and should have warned the users about the problem much before.

You mean in the same way Google did on the 17th March, when they updated their browser. If you read the link I posted above, all three browser owners decided to hold off announcing anything until everyone was ready. In fact, the decision was primarily orchestrated by Microsoft.

Mozilla announced the issue on the 22nd (http://blog.mozilla.com/security/2011/03/22/firefox-blocking-fraudulent-certificates/) when they had patched their browsers. Microsoft made their updates on the 23rd (http://www.microsoft.com/technet/security/advisory/2524375.mspx).

Subsequently, Mozilla have issued a follow-up (Comodo Certificate Issue - Follow Up - Mozilla Security Blog) and also regret delaying the notification to users (Mozilla regrets keeping quiet on SSL certificate theft). I don’t see much in the way of apologies from Google or Microsoft. I see even less from Apple and Opera, apart from:

Unfortunately, OCSP and CRL have both been seen as problematic and prone to failure.

Why revocation does not work

Average Joe does not know what to do...

As already stated, there is little the ‘average’ user can do.

Certificate Patrol. Hmmm... Not sure if it is really working.

It works fine.

You can also try Perspectives
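The revocation failure mode behind the remarks above, and the thing the security.ocsp.require preference mentioned earlier in the thread actually decides, is what the client does when the check cannot be completed. The following is an added example, not Firefox’s or any browser’s code; the responder, its clock, the serial numbers and the scenario names are all constructed, and nothing touches the network.

```python
"""Soft-fail versus hard-fail revocation checking. Added example; it models
the decision that a preference such as security.ocsp.require controls, not
any browser's actual implementation. All inputs are constructed."""
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"


class CheckFailed(Exception):
    """The responder could not be reached."""


@dataclass
class OcspAnswer:
    status: Status
    next_update: int   # time (seconds) after which the answer must not be relied on


class FakeResponder:
    """Stand-in for an OCSP responder (or a CRL distribution point).
    reachable=False models a timeout, whether from an outage or from an
    attacker on the victim's network who simply drops the OCSP traffic."""

    def __init__(self, revoked_serials, reachable=True, next_update=2000):
        self.revoked = set(revoked_serials)
        self.reachable = reachable
        self.next_update = next_update

    def query(self, serial: int) -> OcspAnswer:
        if not self.reachable:
            raise CheckFailed("responder timeout")
        status = Status.REVOKED if serial in self.revoked else Status.GOOD
        return OcspAnswer(status, self.next_update)


def accept_certificate(serial: int, responder: FakeResponder, now: int,
                       require_ocsp: bool) -> bool:
    """True if the client proceeds with the TLS connection.

    require_ocsp=False is the usual soft-fail default: no answer is treated as
    'not revoked'. require_ocsp=True is hard-fail: no answer, no connection.
    A definite REVOKED answer is rejected in both modes."""
    try:
        answer = responder.query(serial)
    except CheckFailed:
        return not require_ocsp
    if answer.status is Status.REVOKED:
        return False
    if answer.next_update < now:
        # A 'good' answer past its validity, e.g. one captured before the
        # revocation and replayed by an attacker, is no answer at all.
        return not require_ocsp
    return True


def outcome_table() -> dict:
    """Constructed scenario: serial 0x1001 is a certificate the CA has revoked;
    0x2002 is a legitimate one. now=1000 is the client's clock."""
    revoked, good, now = 0x1001, 0x2002, 1000
    online = FakeResponder({revoked})
    blocked = FakeResponder({revoked}, reachable=False)
    replayed = FakeResponder(set(), next_update=500)   # stale 'good' answer
    return {
        "good cert, responder up, soft-fail": accept_certificate(good, online, now, False),
        "revoked cert, responder up, soft-fail": accept_certificate(revoked, online, now, False),
        "revoked cert, responder blocked, soft-fail": accept_certificate(revoked, blocked, now, False),
        "revoked cert, responder blocked, hard-fail": accept_certificate(revoked, blocked, now, True),
        "revoked cert, replayed stale answer, soft-fail": accept_certificate(revoked, replayed, now, False),
        "revoked cert, replayed stale answer, hard-fail": accept_certificate(revoked, replayed, now, True),
    }


if __name__ == "__main__":
    for scenario, accepted in outcome_table().items():
        print(f"{scenario:50} -> {'ACCEPT' if accepted else 'REJECT'}")
```

The two soft-fail rows with the revoked certificate are the point: an attacker who can place a fraudulently issued certificate in front of a victim can usually also block or replay the revocation traffic, so soft-fail revocation is of no help precisely when it is needed. Hard-fail closes that gap, at the cost of breaking every site whose responder is down, which is why it is not the default.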

Radaghast, it seems I was wrong and misread the Firefox upgrades. Sorry.

Oh no, I’m not bashing Mozilla only… I think the users must know what was happening. The others didn’t do better than Mozilla, I’d say. I have been in situations where the security vendor automatically recognizes the error/problem. I believe in transparency. I trust people who do that.

By the way, my browser is Firefox 4…

No worries. I too believe all concerned should have done a much better job informing their users and issuing their respective patches earlier. Unfortunately, there’s more going on here than we’re being told. No doubt the full story will emerge, eventually…

Firefox 4 is doing quite well; there are problems, but they’ll be addressed as we go forward. I use the nightly build, so I’m currently using 4.2a1pre, which will eventually make way for version 5 (although there may be a couple of interim releases…).

A very good and calm read about what happened, and about the Comodo and Mozilla actions.

I’ve already given that link in the post above…

Sorry. Too many posts and links about the same.

Have you ever seen the hacker’s response:

Sounds like a self-congratulatory political diatribe from an attention seeking wannabe.

... I should mention my age is 21

And this matters, why?

Follow-up post Another proof of Hack from Comodo Hacker - Pastebin.com

// Fragment as posted in the paste; the class wrapper and field declarations are added
// here only so the constructor compiles. The password was redacted ("TRIMMEDIT") by the poster.
class ASCR
{
    string url, url_nos, login, password;
    int numberOfTries;

    public ASCR()
    {
        this.url = "https://secure.comodo.net/products/";
        this.url_nos = "https://secure.comodo.net/products/";
        this.login = "gtadmin";
        this.password = "TRIMMEDIT";
        this.numberOfTries = 5;
    }
}

If that’s true, it’s pretty poor…

I heard that some stupid people tried to ask about it from Iran's ambassador in the UN, really? How smartass you are? Where were you when [b]Stuxnet was created by Israel and the USA with a budget of millions of dollars, with access to SCADA systems and nuclear software?[/b] Why did no one ask a question of the Israeli and US ambassadors to the UN? So you can't ask about the SSL situation from my ambassador; I answer your question about the situation: "Ask about Stuxnet from the USA and Israel", this is your answer, so don't waste my Iran's ambassador's worthy time.

When [b]the USA and Israel can read my emails in Yahoo, Hotmail, Skype, Gmail, etc. without any simple little problem,[/b] when they can spy using Echelon, I can do anything I can. It’s a simple rule. You do, I do, that’s all. You stop, I don’t stop. It’s a rule, rule #1 (My Rules as I rule the internet, you should know it already…)

Rule#2: So why is all the world worried, the internet shocked and all writers writing about it, but nobody writes about Stuxnet anymore? Nobody writes about HAARP, nobody writes about Echelon… So nobody should write about SSL certificates.

Rule#3: Anyone inside Iran with problems, from the fake green movement to all MKO members and two-faced terrorists, should be afraid of me personally. I won’t let anyone inside Iran harm the people of Iran, harm my country’s Nuclear Scientists, harm my Leader (which nobody can), harm my President; as I live, you won’t be able to do so. As I live, you don’t have privacy on the internet, you don’t have security in the digital world, just wait and see… By the way, you have already seen it or you are blind: is there any larger target than a CA on the internet?


Seems like I am not a crazy conspiracy nut after all… :stuck_out_tongue:
I would like some explanation, please…

That remains to be seen. :wink:

I assume the bold highlighting is yours. But, it’s not exactly clear (to me at least) what you would like an explanation on or from whom.