As I've been tweeting about and discussing with NANOG posters (off
list), why is everyone so surprised by this? SSL via centralized trust
model has been broken for years. I've been monitoring CRL activity since
2008, when I was figuring out practical ways to utilize DNS cache
poisoning (control CRL access, MITM SSL, profit). Duh.
We rely on TOR for protection? They just now figured out how SSL worked
evidently.
https://blog.torproject.org/blog/detecting-certificate-authority-compromises-and-web-browser-collusion
They clearly aren't on a.... wait for it.... exp3rt l3vel.
On 3/23/2011 10:39 PM, David Kaiser wrote:
WOW. Comodo has actually issued certificates for the following domains,
"without sufficiently validating" identity.
live.com, google.com, yahoo.com, skype.com, mozilla.org
That means they are either run by idiots who let anyone register certs
for any domain... or they got seriously hacked - yep they got seriously
hacked...
Comodo statement:
http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html
Story:
http://www.pcworld.com/businesscenter/article/223147/google_skype_yahoo_targeted_by_rogue_comodo_ssl_certificates.html
So, all you Internet Explorer users have to download and apply some
Microsoft security patch to add these to some sort of "Untrusted
Certificates folder", whatever that is.
http://www.microsoft.com/technet/security/advisory/2524375.mspx
"Fraudulent Digital Certificates Could Allow Spoofing"
For the rest of you, on Mozilla browsers, I might check to make sure
you're checking Comodo's CRL or that you are not somehow blocking IP
traffic to OCSP servers. I haven't done it yet but I might try to
verify that my workstations running my browsers can ping the Comodo OCSP
server... (anyone know what host or IP that is?)
I think the quickest/easiest way to know if your browser can't verify
certs against OCSP servers is to check the checkbox "When an OCSP
server connection fails, treat the certificate as invalid" (bottom
checkbox in attached image)
- but you may also see a number of cert warnings you didn't see in the
past, especially for corporate VPN/intranet type sites.
And, yes, using one of these bogus certs would require faking out
DNS, so when you're at your home/office connection you're slightly more
tough to target (assuming your ISP or corporate IT depts are sane) than
when you are on some open, public wi-fi where you can easily be spoofed
into taking bogus DNS responses. I recommend always having your
devices use opendns even when using public wi-fi anyway.
_______________________________________________
LinuxUsers mailing list
LinuxUsers@socallinux.org
http://socallinux.org/cgi-bin/mailman/listinfo/linuxusers
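The quoted message suggests verifying that your machines can actually reach Comodo's OCSP responder, and enabling Firefox's "treat the certificate as invalid when an OCSP connection fails" setting. The script below is an added example written for this page (not code from the thread, from Comodo or from Mozilla) that does the same thing from the command line with `openssl`: it fetches the chain a server presents, reads the responder URL out of the leaf certificate's Authority Information Access extension, queries that responder, and applies hard-fail semantics, so a blocked or unreachable responder, an unverifiable response or an "unknown" status all count as "invalid" rather than silently passing. It assumes `openssl` and `awk` are installed and that the server sends its issuer certificate; the response signature is verified against the presented chain plus whatever default trust store the local `openssl` uses, which is an assumption about the environment, not something the thread states.

```shell
#!/bin/sh
# Added example: hard-fail OCSP revocation check for a TLS server's leaf cert.
# Command-line counterpart of Firefox's "when an OCSP server connection fails,
# treat the certificate as invalid". Requires openssl and awk (assumption).

# Map an `openssl ocsp` exit status plus its output to a single verdict.
# Hard-fail: anything that is not a verified "good" response is "invalid".
ocsp_verdict() {
    status=$1
    output=$2
    # Non-zero exit: responder unreachable/blocked, bad URL, malformed reply.
    [ "$status" -eq 0 ] || { echo invalid; return; }
    # A reply whose signature did not verify is worth nothing.
    case "$output" in
        *"Response verify OK"*) ;;
        *) echo invalid; return ;;
    esac
    # openssl prints "<certfile>: good|revoked|unknown".
    case "$output" in
        *": revoked"*) echo revoked ;;
        *": good"*)    echo good ;;
        *)             echo invalid ;;   # "unknown" or no status line at all
    esac
}

# Fetch a server's chain and check the leaf against its OCSP responder.
# Prints "<host>: <verdict> (responder <url>)"; exit 0 only for "good".
check_server() {
    host=$1
    port=${2:-443}
    tmp=$(mktemp -d) || return 1
    # Split the presented chain into cert1.pem (leaf), cert2.pem (issuer), ...
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null |
        awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++; p = 1 }
                           p { print > (dir "/cert" n ".pem") }
                           /-----END CERTIFICATE-----/ { p = 0 }'
    leaf=$tmp/cert1.pem
    issuer=$tmp/cert2.pem
    if [ ! -s "$leaf" ] || [ ! -s "$issuer" ]; then
        echo "$host: invalid (could not fetch leaf and issuer)"
        rm -rf "$tmp"
        return 1
    fi
    cat "$tmp"/cert*.pem > "$tmp/chain.pem"
    # Responder URL from the leaf's Authority Information Access extension.
    url=$(openssl x509 -in "$leaf" -noout -ocsp_uri)
    if [ -z "$url" ]; then
        echo "$host: invalid (certificate carries no OCSP URL)"
        rm -rf "$tmp"
        return 1
    fi
    # A firewall that drops OCSP traffic surfaces here as a non-zero exit.
    out=$(openssl ocsp -issuer "$issuer" -cert "$leaf" -url "$url" \
          -CAfile "$tmp/chain.pem" -no_nonce 2>&1)
    rc=$?
    rm -rf "$tmp"
    verdict=$(ocsp_verdict "$rc" "$out")
    echo "$host: $verdict (responder $url)"
    [ "$verdict" = good ]
}

# Usage: sh ocsp_hardfail.sh example.com [port]
if [ $# -gt 0 ]; then
    check_server "$@"
fi
```

Run it against a few hosts you control from the network in question; if every host comes back "invalid" with a connection error in the openssl output, the network is blocking the responders and a browser left at its soft-fail default would be accepting certificates it never managed to check.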