Slashdot Mirror


Comodo Says Two More RAs Compromised

Trailrunner7 writes "Officials at Comodo have acknowledged that an additional two registration authorities affiliated with the company have been compromised in the wake of the high-profile attack on the company that was disclosed last week. Addressing a list of concerns about Comodo's practices raised by customers and browser vendors in the wake of the attack, Alden said that the company is now in the process of rolling out a new two-factor authentication system for its RAs. Comodo also is installing other security measures as a result of the attack."

23 of 144 comments

  1. Simple solution. by Timmmm · · Score: 5, Interesting

    Store the certificates in DNS, and access them with DNSSEC.

    http://blog.fupps.com/2011/02/16/ssl-certificate-validation-and-dnssec/

    1. Re:Simple solution. by Fastolfe · · Score: 2

      Spoofing a domain is effectively impossible, but hijacking it is not. If you can convince the registrar that you are the owner of the domain, you can change the DNS servers *and* the domain's DS records.

    2. Re:Simple solution. by Fastolfe · · Score: 2

      Except you can't meaningfully have real-world identity validation without trusted third parties. The guy owning ebay-payments-this-is-real.com can generate a cert for his web server that says "eBay", but you can't trust such an assertion if the only trust you have is the DNS hierarchy.

  2. It's not their fault... by Haedrian · · Score: 3, Funny

    I mean, few systems can avoid being compromised by a person with "experience of 1,000 hackers"

    http://it.slashdot.org/story/11/03/28/2159202/Lone-Iranian-Claims-Credit-For-Comodo-Hack

    1. Re:It's not their fault... by fuzzyfuzzyfungus · · Score: 2

      The world is truly lucky that the man with the experience of 1,000 hackers has not yet discovered steroids...

  3. Fuck... by fuzzyfuzzyfungus · · Score: 4, Insightful

    So is "rolling out a new two factor authentication system" code for "our last two-factor authentication system consisted of 'something you know', your username, and 'something you know', your password; because, despite the fact that we are a fucking CA we just can't be bothered"?

    Other than inertia, is there any reason to give these guys a second chance, rather than just drop them from the default trusted CAs list and let the company sell itself for scrap? Generating SSL certs is technologically trivial, anybody can do it at home with commonly available free software. Essentially, the only purpose of a CA is to be competent and trustworthy about who they generate certs for. CAs aren't really software or technology companies, they are much closer to the position of escrow services or trust companies. Generating certs is just the minor 'paperwork'. Generating only the right certs for only the right people is the job. If they can't do that, they are worse than useless.

    1. Re:Fuck... by ArsenneLupin · · Score: 2

      Other than inertia, is there any reason to give these guys a second chance

      You mean, a third chance?

      Yes, they are too big to fail. Hey, it worked for the banks...

      Maybe CaCert only needs to get 120.000 subscribers on board, and they shouldn't have to bother with that pesky audit either?

    2. Re:Fuck... by Lord+Ender · · Score: 2

      This isn't just a CA problem. Failure to use proper authentication is everywhere. Here's the rule of thumb you need to know regarding authentication:

      If the system or data is at all important, it should be virtually impossible to access it without real two-factor authentication. A CA is important. Financial systems are important. The Administrative interfaces to your company's core systems are important.

      Comodo should have required this of its customers, but more importantly, YOUR company should be requiring it of itself. Is it?

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    3. Re:Fuck... by tlhIngan · · Score: 2

      If the system or data is at all important, it should be virtually impossible to access it without real two-factor authentication. A CA is important. Financial systems are important. The Administrative interfaces to your company's core systems are important.

      Ah, but two-factor is also expensive.

      That's why banks and other financial institutions have rolled out two factor abortions that are really just more passwords.

      Wish it was Two-Factor shows how pretty much most North American banks have things set up. It's just another password, really, and both are "something you know". (And not "something you have" or "something you are")

  4. Two-Factor by Spad · · Score: 2

    Let's just hope they're not rolling out RSA Tokens :)

    1. Re:Two-Factor by Archangel+Michael · · Score: 2

      I can't wait till they roll out JRR Tolkien

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  5. Removed by Lincolnshire+Poacher · · Score: 3, Insightful

    I have now removed Comodo as a trusted CA on my systems, and have advised colleagues of the three known occasions on which they have failed to act as a responsible CA. The game is up.

    The Mozilla inclusion policy for maintaining CAs in the default list states that:

    We reserve the right to not include a particular CA certificate in our software products. This includes (but is not limited to) cases where we believe that including a CA certificate (or setting its "trust bits" in a particular way) would cause undue risks to users' security...

    I hope that Mozilla now review the inclusion of Comodo's cert.

    1. Re:Removed by Spad · · Score: 2

      Well in Firefox/Seamonkey go into the security settings, Manage Certificates, Trusted Authorities and delete everything under Comodo. For IE you need to open the Windows certificate management via MMC and then do the same thing.

    2. Re:Removed by gnasher719 · · Score: 2

      How about telling us mortals how to do that?

      Mortal Mac users: Open Keychain Access, click on "System Roots", type "Comodo" in the search box, click to unlock the "System Roots" keychain, then delete the "Comodo Certificate Authority" certificate. You'll probably have to enter your login password at some point.

    3. Re:Removed by IgnoramusMaximus · · Score: 3, Informative

      You can't do that. Only user installed certs can be deleted. You have to use "Get Info" on the Comodo cert, expand the "Trust" section and set the drop-down to "Do not trust". The icon for the cert will get a red "x" indicating it's untrusted.

    4. Re:Removed by Anonymous Coward · · Score: 2, Funny

      Mortal Kombat users: Left, left, up, right, open keychain access, right, right, right, down, Comodo, up, down, left, right and "Finish him"...

    5. Re:Removed by Anonymous Coward · · Score: 4, Informative

      delete everything under Comodo

      And the next time Firefox is updated (which happens frequently) the Comodo certificates will be back.

      For each Comodo certificate you need to click on Edit and clear all the check boxes so the certificate won't be used for anything. This change survives updates. As I pointed out in a comment the other day (for which I received many flames) this user interface is completely inadequate for managing the hundreds of certificates that ship with Firefox.

    6. Re:Removed by asdf7890 · · Score: 2

      Ah, the "you didn't ask the right question so you're too stupid for me to bother with you" approach.

      No. The "you haven't provided information that anyone with half a brain might know could be useful" answer. It is like when our users raise reports along the lines of "I opened a form and got an error" to which we have to reply back with "which form?" (lest we have to test every single form for every record in the DB to see which one(s) report an error) and "what was the error?" (to which the response is almost always "I don't know" or "I didn't read it" which is bloody annoying especially in places where the app explicitly says "please report the code XYZ1234 when reporting this error as it will help us find information in the code and logs that might help us find the solution faster"). Another good one is "some of the counts in report B don't look right" when report B contains many figures rolled up over a large data-set. It is just lazy not to type one example when you know at least one.

      Or... You could realize in a tech blog that just about every system is represented by the readership and a generic question and multi-part answer is appropriate. Or would you rather see it clogged with "how about Windows 2000", "how about Windows 2003", "how about Windows 2008", "how about Ubuntu", "how about Linux", "how about Unix", "how about Solaris"... questions.

      What if the responder doesn't know how to do what you are asking in *every* browser on *every* operating system available? What if that one person doesn't have time to type out seven sets of instructions on the off-chance one of them might be the set that you were looking for?

      If you are asking for help, give relevant details without asking. It helps us help you and reduces the chance that we'll just ignore you because the question is too generic and we don't have time to respond with a full article on the subject.

      Sorry to come over so snarky, but I've spent too much time lately dealing with bad issue reports (some of them from people who claim to be developers so should damn well know better), I had some crap to vent, and you raised your "viable target" flag!

      It isn't just people though, a lot of code does the same crap-condition-reporting thing. MS SQL reports "string or binary data would be truncated" when you have given it X thousand rows with YZ string columns. It *knows* at least one of the errant values, the first one it hit, so why doesn't it *report* the value, as that might give a massive clue as to what we have done wrong.

  6. Comodo is quite lax on paperwork requirements by Bloodwine77 · · Score: 2

    I used to get my SSL certs through Verisign or Thawte, who were quite expensive and required a truckload of paperwork to prove your identity to them when being issued a SSL certificate. This was years ago, so they may be more lax these days for all I know. I jumped to Comodo several years back because they were cheaper and had a lot less paperwork hassle. Generally I could get SSL certs more quickly through them than I could through Verisign or Thawte. I then managed enough SSL certs to get in to OpenSRS and I could issue SSL certs immediately with no paperwork whatsoever. I believe the small print in OpenSRS shifts the burden to you, not Comodo, to prove the identity of the organization requesting the SSL certificate. All my clients were local businesses and were easy enough for me to verify. Long story short, is that there are numerous ways around the identity verification schemes when obtaining SSL certificates. Perhaps with these recent SSL incidents the registration authorities and SSL issuers will start going back to the old days of putting people through the meatgrinder when trying to obtain SSL certificates. It may be inconvenient, but I think we've gotten to the point where the scales are tipped way too far in convenience's factor to the detriment of security and verification.

  7. Re:Do you still have Comodo CA on your browser? by DriedClexler · · Score: 2

    Didn't quite follow your third sentence there, but yeah, I'm de-listing Comodo and all Comodo-authorized CAs from my trusted list. We may not have perfect certificate revocation solutions, but that'll have to do for now.

    --
    Information theory is life. The rest is just the KL divergence.
  8. Meaningless by ugen · · Score: 3, Insightful

    The system of "certificate authority" on which SSL security ostensibly relies has deteriorated to an essentially meaningless state.

    This system is based primarily on trust. Trust requires at least a basic level of knowledge or understanding (this is a crucial difference between "trust" and "faith" :) ).

    If you have not taken a look at your browser's "trusted certificate authority list" - now may be the time. I am a Firefox user, and I know that the list in Firefox contains numerous organizations with trustworthy names like "QuoVadis Limited", "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı" and "XRamp Global Certification Authority". Do you know any of these companies? Do you personally have any reason to trust in their judgment, honesty or integrity?

    For each company the Firefox web site holds a document by some accounting firm (like KPMG, which has proven itself untrustworthy and unreliable even in matters of finance where they presumably have a clue) that purports to audit intentions and practices of said company wrt. issuance of said certificates. To put it simply that's worth as much as their audit of Lehman Brothers.

    Bottom line - your browser essentially allows a random selection of highest bidders or politically connected entities to define what web sites are, in turn, to be trusted. It's pointless and there is little reason to believe that anything they say, sign or claim has any value whatsoever beyond the level of background noise.

    Treat SSL the way you treat SSH - save specific certificates for sites, and watch for unexpected changes. Regardless of what the certificate or the "green location bar" say, don't trust them further than you can throw them.
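The SSH-style approach ugen describes, remember the certificate a site showed last time and refuse when it changes, is trust-on-first-use pinning. The block below is an added example, not code from the thread: a small pin store keyed by hostname that records the SHA-256 fingerprint of the DER certificate on first contact, reports "ok" or "mismatch" afterwards, and allows more than one pinned fingerprint per host so a planned certificate rotation, added after out-of-band verification, does not trip the alarm. The "certificates" fed to it here are constructed byte strings standing in for DER data; the hostnames are made up.

```python
"""Trust-on-first-use (TOFU) certificate pinning, modelled on SSH's known_hosts."""
import hashlib
import hmac
import json
from pathlib import Path


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()


class PinStore:
    """Per-host list of accepted certificate fingerprints, optionally persisted as JSON."""

    def __init__(self, path=None):
        self.path = Path(path) if path else None
        self.pins = {}
        if self.path and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def _save(self):
        if self.path:
            self.path.write_text(json.dumps(self.pins, indent=2))

    def trust(self, host: str, cert_der: bytes):
        """Pin a certificate for `host`. Call this only after checking the fingerprint
        out of band (for example against a value the site operator published)."""
        fp = fingerprint(cert_der)
        accepted = self.pins.setdefault(host, [])
        if fp not in accepted:
            accepted.append(fp)
            self._save()

    def check(self, host: str, cert_der: bytes) -> str:
        """Return 'new' (first contact, fingerprint recorded), 'ok' (matches a pin)
        or 'mismatch' (certificate changed: do not proceed, investigate)."""
        fp = fingerprint(cert_der)
        known = self.pins.get(host)
        if not known:
            self.trust(host, cert_der)
            return "new"
        for pinned in known:
            if hmac.compare_digest(pinned, fp):
                return "ok"
        return "mismatch"


def connect_decision(store: PinStore, host: str, cert_der: bytes):
    """Policy on top of the store: proceed on 'new' and 'ok', block on 'mismatch'
    and say what changed so the operator can compare against the published value."""
    verdict = store.check(host, cert_der)
    if verdict == "mismatch":
        seen = fingerprint(cert_der)[:16]
        pinned = [p[:16] for p in store.pins[host]]
        return False, f"{host}: certificate changed (saw {seen}..., pinned {pinned})"
    return True, f"{host}: {verdict}"


if __name__ == "__main__":
    # Constructed stand-ins for DER certificates; real input would be the bytes
    # returned by ssl.SSLSocket.getpeercert(binary_form=True).
    cert_a = b"constructed DER certificate A for news.example"
    cert_b = b"constructed DER certificate B for news.example"
    store = PinStore()                     # in-memory; pass a path to persist
    for cert in (cert_a, cert_a, cert_b):
        print(connect_decision(store, "news.example", cert))
```

A pin store like this does not replace a CA check; it runs alongside it and catches exactly the case the CA system failed on here, a validly-signed certificate that the site never had before.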

  9. Re:Do you still have Comodo CA on your browser? by fast+turtle · · Score: 2

    Hell I'm removing all CAs from the browser as I don't trust any of them. Yes it creates a bit of an issue with some websites but all I have to do is add an exception for that site instead of blindly trusting the damn certificate.

    What annoys me no end in Firefox is the fact that there is no simple way to disable all certs below a CA w/o having to disable each and every one of them. This makes no sense. If I don't trust the Root CA then why in hell should I trust any of their subsidiary CAs to be any better and why can't I uncheck a box for a Root CA and untrust the entire chain?

    --
    Mod me up/Mod me down: I won't frown as I've no crown
  10. Re:New Breaches? by rtfa-troll · · Score: 2

    There is nothing wrong with the fact that many people can sign certificates. What is wrong is that there's no easy way to mark that up and control it and there are no ways to have multiple independent signing bodies. E.g. for financial transactions I would only want to trust a bank signed by an extended verification certificate from at least two registries + the government regulatory body of the country where the bank is registered. When I'm browsing slashdot I would probably be happy just to have a self-signed certificate and get warned if it changed. What is needed is essentially a web of trust like PGP with a pre-loaded set of trusted bodies which varies according to the configuration of the user. There is no reason for a Chinese user to trust an American bank or the other way round.

    With sufficiently clever defaults this could add quite a bit of security without any interaction or thinking from the user. They probably have to learn more about the colours of the address bar or something however.

    --
    =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
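rtfa-troll's proposal is a per-site trust policy rather than one global list: a bank needs two of several EV registries plus the regulator, a news site can be pinned on first use. The block below is an added example, not code from the thread, of how such a policy would be expressed and evaluated: each policy is a set of quorum requirements ("at least N distinct signers from this group"), policies are selected by longest hostname suffix, and evaluation returns both the verdict and the unmet requirements. The signer names, hostnames and rule table are all constructed for the example; no real CA or regulator is named.

```python
"""Per-site trust policy: which signing bodies must vouch for a certificate, and how many."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    """At least `minimum` distinct signers drawn from `group` must have signed."""
    group: frozenset
    minimum: int


@dataclass
class Policy:
    name: str
    requirements: tuple = ()
    pin_on_first_use: bool = False   # SSH-style: accept once, warn when the cert changes


def evaluate(policy: Policy, signers) -> tuple:
    """Return (accepted, reasons). `signers` is the set of bodies that signed the cert."""
    signers = set(signers)
    reasons = []
    for req in policy.requirements:
        present = sorted(req.group & signers)
        if len(present) < req.minimum:
            reasons.append(f"{policy.name}: need {req.minimum} of {sorted(req.group)}, got {present}")
    if not policy.requirements and not policy.pin_on_first_use:
        reasons.append(f"{policy.name}: no trust anchor configured")
    return not reasons, reasons


def policy_for(host: str, rules: dict, default: Policy) -> Policy:
    """Pick the rule with the longest matching domain suffix, else `default`."""
    best = None
    for suffix, policy in rules.items():
        if host == suffix or host.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, policy)
    return best[1] if best else default


# Constructed signer names and hostnames for the example; not real bodies.
EV_REGISTRIES = frozenset({"EV-Registry-1", "EV-Registry-2", "EV-Registry-3"})
BANK_POLICY = Policy("bank", (
    Requirement(EV_REGISTRIES, 2),                    # two independent EV registries
    Requirement(frozenset({"Regulator-Example"}), 1), # plus the national regulator
))
PINNED_POLICY = Policy("pinned", pin_on_first_use=True)
DEFAULT_POLICY = Policy("default", (Requirement(EV_REGISTRIES, 1),))
RULES = {"bank.example": BANK_POLICY, "news.example": PINNED_POLICY}


def decide(host: str, signers) -> tuple:
    """End-to-end: choose the policy for `host` and evaluate the presented signers."""
    policy = policy_for(host, RULES, DEFAULT_POLICY)
    accepted, reasons = evaluate(policy, signers)
    return policy.name, accepted, reasons


if __name__ == "__main__":
    print(decide("online.bank.example", {"EV-Registry-1", "EV-Registry-2", "Regulator-Example"}))
    print(decide("online.bank.example", {"EV-Registry-1", "Regulator-Example"}))
    print(decide("news.example", set()))
```

The point of returning the unmet requirements rather than a bare boolean is the "mark that up" part of the post: a browser could show which body's signature is missing instead of a single coloured bar.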