Slashdot Mirror


Phony Web Certs Issued For Google, Yahoo, Skype

Gunkerty Jeb writes "A major issuer of Secure Sockets Layer (SSL) certificates acknowledged on Wednesday that it had issued 9 fraudulent SSL certificates to seven Web domains, including those for Google.com, Yahoo.com and Skype.com, following a security compromise at an affiliate firm. The attack originated from an IP address in Iran, according to a statement from Comodo Inc."

8 of 151 comments

  1. Firefox/IE patches released, Comodo incident report by Anonymous Coward · · Score: 5, Informative

    Comodo’s advisory:

    http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html

    Firefox released 3.6.16 yesterday:

    http://www.mozilla.com/en-US/firefox/3.6.16/releasenotes/

    Microsoft released an advisory and patch yesterday:

    Advisory: http://www.microsoft.com/technet/security/advisory/2524375.mspx

    Patch: http://support.microsoft.com/kb/2524375

  2. Re:Better Internet for Everybody by zach_the_lizard · · Score: 3, Informative

    Yeah! We should ban such third world hellholes as the United States, Japan, Canada, Italy, Germany and the United Kingdom! They are all in the top 10 for spamming, according to Spamhaus. The others are China, Russia, Brazil, and Argentina.

    --
    SSC
  3. Re:Patches? by julesh · · Score: 4, Informative

    What, they don't support revocation lists already?

    Firefox, to take an example, supports offline revocation lists (i.e. imported from files) or Online Certificate Status Protocol for automatically verifying certificates. Both of these are optional, although OCSP is enabled by default for certificates that specify an OCSP server in their details. Comodo do use OCSP, so this should be dealt with automatically for most Firefox users. However, some may have disabled OCSP, and for these a CRL must be installed to revoke the certificates. The easiest way to persuade people to do this is by pushing a patch that contains it.

  4. Re:CRLs? by Anonymous Coward · · Score: 5, Informative

    Are CRLs completely broken and unused?

    Yes, they are.

  5. Re:CRLs? by BZ · · Score: 1, Informative
  6. Things You Can Do On Your Own by Jah-Wren+Ryel · · Score: 4, Informative

    Neither of these are perfect, but here are two different firefox add-ons that can significantly reduce the chance of you falling victim to a compromised certificate authority:

    Network Notary - sort of crowd-sourcing approach
    Certificate Patrol - remembers the certs of sites you've visited in the past and tells you when they change

    --
    When information is power, privacy is freedom.
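The "remember the cert and tell me when it changes" idea behind Certificate Patrol, as an added Python example that is not the add-on's code and not part of the original thread. It keeps a trust-on-first-use store of SHA-256 fingerprints per host; the renewal-window heuristic (a change shortly before the old certificate expires is treated as a routine renewal, a change long before expiry is flagged) is this example's own assumption. The byte strings stand in for DER-encoded certificates and are constructed for the demo.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Hypothetical trust-on-first-use certificate memory in the spirit of the
# Certificate Patrol add-on: remember the fingerprint of the certificate each
# host presented and report when it changes.  The renewal-window heuristic is
# this example's assumption, not the add-on's code.


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as hex."""
    return hashlib.sha256(der).hexdigest()


class CertMemory:
    def __init__(self, renewal_window_days: int = 30) -> None:
        self.seen: dict[str, dict[str, str]] = {}
        self.renewal_window = timedelta(days=renewal_window_days)

    def observe(self, host: str, der: bytes, not_after: datetime, now: datetime) -> str:
        """Record the certificate seen for host and return a verdict:
        'new', 'unchanged', 'renewal' or 'suspicious'."""
        fp = fingerprint(der)
        record = {"fp": fp, "not_after": not_after.isoformat(), "first_seen": now.isoformat()}
        prev = self.seen.get(host)
        if prev is None:
            self.seen[host] = record
            return "new"
        if prev["fp"] == fp:
            return "unchanged"
        # The certificate changed.  A swap while the old one still had plenty
        # of lifetime left is the pattern a mis-issued certificate would produce.
        remaining = datetime.fromisoformat(prev["not_after"]) - now
        verdict = "renewal" if remaining <= self.renewal_window else "suspicious"
        self.seen[host] = record
        return verdict

    def dumps(self) -> str:
        return json.dumps(self.seen, indent=2, sort_keys=True)

    @classmethod
    def loads(cls, text: str, renewal_window_days: int = 30) -> "CertMemory":
        mem = cls(renewal_window_days)
        mem.seen = json.loads(text)
        return mem


def demo() -> list[str]:
    """Walk through constructed observations; the byte strings stand in for DER."""
    now = datetime(2011, 3, 23, tzinfo=timezone.utc)
    mem = CertMemory()
    verdicts = [
        mem.observe("www.google.com", b"constructed cert A", now + timedelta(days=400), now),
        mem.observe("www.google.com", b"constructed cert A", now + timedelta(days=400), now),
        # same host, different cert, and the old cert had 400 days of validity left
        mem.observe("www.google.com", b"constructed cert B", now + timedelta(days=700), now),
        mem.observe("login.yahoo.com", b"constructed cert C", now + timedelta(days=10), now),
        # old cert about to expire: treat the change as a routine renewal
        mem.observe("login.yahoo.com", b"constructed cert D", now + timedelta(days=375), now),
    ]
    # the store survives a JSON round trip, so it can persist between sessions
    restored = CertMemory.loads(mem.dumps())
    verdicts.append(
        restored.observe("www.google.com", b"constructed cert B", now + timedelta(days=700), now)
    )
    return verdicts


if __name__ == "__main__":
    for v in demo():
        print(v)
```

A real deployment would feed `observe` the DER bytes and notAfter date taken from the TLS handshake, and would surface "suspicious" to the user rather than silently replacing the stored fingerprint.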
  7. Re:Firefox/IE patches released, Comodo incident rep by kbrosnan · · Score: 3, Informative
    --
    These people look deep within my soul and assign me a number based upon the order I joined. -Homer Simpson
  8. Re:And the CAs do ... what again? by Pinky's+Brain · · Score: 3, Informative

    Shouldn't be much longer ...

    http://datatracker.ietf.org/doc/draft-ietf-dane-protocol/?include_text=1

    Well unless the CAs pay off Mozilla/Microsoft/Apple not to implement it.