Slashdot Mirror

← Back to Stories (view on slashdot.org)

Phony Web Certs Issued For Google, Yahoo, Skype

Posted by samzenpus on from the bad-apples dept.

Gunkerty Jeb writes "A major issuer of secure socket layer (SSL) certificates acknowledged on Wednesday that it had issued 9 fraudulent SSL certificates to seven Web domains, including those for Google.com, Yahoo.com and Skype.com following a security compromise at an affiliate firm. The attack originated from an IP address in Iran, according to a statement from Comodo Inc."

8 of 151 comments (clear)

  1. Firefox/IE patches released,Comodo incident report by Anonymous Coward · · Score: 5, Informative

    Comodo’s advisory:

    http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html

    Firefox released 3.6.16 yesterday:

    http://www.mozilla.com/en-US/firefox/3.6.16/releasenotes/

    Microsoft released an advisory and patch yesterday:

    Advisory: http://www.microsoft.com/technet/security/advisory/2524375.mspx

    Patch: http://support.microsoft.com/kb/2524375

  2. CRLs? by hawguy · · Score: 4, Insightful

    The article says that browser makers rushed to put out patches to blacklist the fraudulent certs. Isn't this what certificate revocation lists are for? Are CRLs completely broken and unused?

    1. Re:CRLs? by Anonymous Coward · · Score: 5, Informative

      Are CRLs completely broken and unused?

      Yes, they are.

  3. Re:Patches? by julesh · · Score: 4, Informative

    What, they don't support revocation lists already?

    Firefox, to take an example, supports offline revocation lists (i.e. imported from files) or Online Certificate Status Protocol for automatically verifying certificates. Both of these are optional, although OCSP is enabled by default for certificates that specify an OCSP server in their details. Comodo do use OCSP, so this should be dealt with automatically for most firefox users. However, some may have disabled OCSP, and for these a CRL must be installed to revoke the certificates. The easiest way to persuade people to do this is by pushing a patch that contains it.

  4. no big deal by Anonymous Coward · · Score: 4, Interesting

    Your browser already trusts a certificate authority run by the Chinese government, along with one that delegated authority to them.

    Your browser also trusts certificate authorities in Africa, *stan countries, and the non-EU portion of Eastern Europe. How many of these could be bribed or coerced if you knew the right people or worked for a random 3rd-world government?

    Really, the lock/key icon and colored URL box are totally misleading. You have almost no security. Given the rotten certificate authority situation, failing to accept self-signed and expired certificates is actually a loss for security. You might as well get encryption against a passive attacker. Pretending to be secure against active attackers is just providing a false sense of security.

  5. Things You Can Do On Your Own by Jah-Wren+Ryel · · Score: 4, Informative

    Neither of these are perfect, but here are two different firefox add-ons that can significantly reduce the chance of you falling victim to a compromised certificate authority:

    Network Notary - sort of crowd-sourcing approach
    Certificate Patrol - remembers the certs of sites you've visited in the past and tells you when they change

    --
    When information is power, privacy is freedom.
  6. And the CAs do ... what again? by DriedClexler · · Score: 4, Insightful

    If I'm paying the CA to certify that public key X really is mine, and yet someone who's not me can get the same certification from the CA for being me ... what was I paying for again?

    RSA =/= rubber stamp authority

    --
    Information theory is life. The rest is just the KL divergence.
  7. Re:Why doesn't every website use HTTPS? by heypete · · Score: 4, Interesting

    That's exactly what SSL is for. What you're thinking of is the key distribution. If you don't know who's signing the keys, then SSL cannot help you.

    Fair enough.

    My point was that CAs rarely mistakenly sign keys for fraudulent entities. Has it happened? Absolutely. Is it common? No. With EV certs becoming more popular for big-name sites (e.g. banks and the like), users can have a reasonable confidence in that the site they're visiting is legitimate. Non-EV certs provide a more modest assurance. Non-SSL sites offer essentially no assurance, which is the current situation for most sites.

    In short, using even an occasionally-flawed system like the current SSL infrastructure is far better than not using anything at all, which is what's currently going on.

    (Ever looked at how many "trusted" CA's your browser includes by default? Are you familiar enough with even 10% of them to trust them for this role?)

    Yes, I've looked at the list. Rather than prune it of CAs that I may consider to be bad (they do, after all, have to undergo audits and the like to be added to the major browser lists), I make it a habit to always hover over the Firefox SSL indicator (which then displays the name of the CA) when I visit an SSL-secured site, and make sure it's a reasonable CA (e.g. one in North America or Western Europe for essentially all the sites I visit) for the site. I also have the Certificate Patrol plugin to detect spoofing.

    Of course, the average user doesn't do anywhere near this much checking (which admittedly isn't much). However, I stand by my above point that even with its flaws, using SSL on everything (or at least more things) is far better than keeping things they way they are now.