I should have included the dates. Validity period is November 2010 to 2015. Anyone at Comodo care to comment?
If the cert was issued directly from a 2048-bit root and the issuance date is after the effective date of the BRs, then the cert violates the BRs and there
should be an explanation. Although notBefore != issuance date, if the notBefore date is earlier than Feb 2013 and the root is 2048, then then there is a strong indication that the cert
was improperly issued. You could also reach out to Comodo directly to alert them to the possibly mis-issued certificate. Jeremy
From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert....@lists.mozilla.org]
On Behalf Of [email protected] In your rush to judgment you arrived at the wrong conclusions, Ryan. No problem, though, as I'll recap my points in a bit. But first: The cert in question has as its root the utn-userfirst-hardware certificate. That appears to be a 2048-bit cert. If the wildcard cert should not have
been issued directly under the 2048-bit root should we ask the folks at UTN (Comodo?) to explain what happened here? Are there any controls which are missing? Just curious how other people feel about this. The broader purpose behind my previous email was to raise awareness within the forum for how certain risks and vulnerabilities get combined to attack
the Internet populace. I don't think it hurts to share different perspectives. The salient points I hoped to get across: * The inability to revoke endpoint certs is a major hole in Internet security. In the case of wildcard certs the hole is that much larger because of
the damage that can be done when they get compromised. Also, having the same cert installed on multiple servers increases the risk. * When an admin account is compromised a lot of things can go south, especially if the account has access to DNS, server configs, private keys. If the
account credentials can be used in some way to issue new certs, that can be a concern. * The scenario described is functionally similar to the NSA program QUANTUMINSERT. If you don't have the funding nor equipment of a nation state to
back you up you might try this. For those who are interested I would encourage you to read up on network injection as this style of attack goes well beyond simple MITM. For starters
here's a good article, though Wired and The Intercept (and others) have good stuff too. https://citizenlab.org/2014/08/cat-video-and-the-death-of-clear-text/ I hope this perspective is helpful to people. I would like to know how anyone feels about the cert issue, too.
| |||
_______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
