Fake certificates for popular sites
First, the tabloid version:
The Comodo Internet Security Certification Authority (whose root certificate is trusted by most browser vendors) signed the following certificates for unknown fraudsters:
* mail.google.com, www.google.com
* login.yahoo.com (3 certificates)
* login.skype.com
* addons.mozilla.org
* login.live.com
If a fraudster presents one of these certificates, a browser will accept it as genuine. In other words, there is no way at all for the user to tell that the site is fake.
Now in more detail. The certificates were issued, after which the behind-the-scenes scramble began: browser vendors (at least Chrome and Firefox) added them to a blacklist compiled into the browser code. For Firefox this happened on March 17, 2011, so every version released before that point will trust these certificates (I wanted to write "is vulnerable", but the problem is that this is not a browser vulnerability; it is a Comodo issuance that, for some reason, everyone is forced to trust). In theory the browser should check whether the certificate appears in the CA's revocation list (it was put there), but in practice, if that list (or the OCSP responder) cannot be reached, browsers give no clear warning and trust the certificate anyway. This "soft-fail" matters because an attacker who is already in a position to present the fake certificate to you (that is, sitting in the middle of your connection) is also in a position to block your request for the revocation list.
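To make the acceptance logic described above concrete, here is an added example (my own code, not a browser's or Comodo's) that models the decision a browser makes: chain validation (assumed to have passed, which is exactly the situation with these certificates), a compiled-in blacklist keyed on issuer plus serial number, and then the online revocation check in either soft-fail or hard-fail mode. The certificates it parses are constructed inline, unsigned and syntactically minimal; the CA name and the serial number are made up and are not the real Comodo serials.

```python
"""Model of a browser's certificate-acceptance decision (added example).
Test certificates are constructed inline and unsigned; all names and
serial numbers are hypothetical and NOT the real Comodo values."""
import hashlib
from enum import Enum

# ---- minimal DER encoding, just enough to build a test certificate ----
def der(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:                                   # long-form length
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_int(value):
    # two's-complement, with a leading zero byte when the top bit is set
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))

def der_name(common_name):
    # Name ::= SEQUENCE OF SET OF SEQUENCE { OID 2.5.4.3 (commonName), UTF8String }
    atv = der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, common_name.encode()))
    return der(0x30, der(0x31, atv))

def make_cert(issuer_cn, subject_cn, serial):
    """Build a syntactically valid but UNSIGNED certificate (constructed test data)."""
    sha256_rsa = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    validity = der(0x30, der(0x17, b"110315000000Z") + der(0x17, b"120315000000Z"))
    rsa_alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
    spki = der(0x30, rsa_alg + der(0x03, b"\x00" * 9))          # dummy public key
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(serial) + sha256_rsa
              + der_name(issuer_cn) + validity + der_name(subject_cn) + spki)
    return der(0x30, tbs + sha256_rsa + der(0x03, b"\x00" * 33))  # dummy signature

# ---- minimal DER decoding: pull out what a blacklist check needs ----
def tlv(buf, pos=0):
    """Read one DER TLV at pos; return (tag, body, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def issuer_and_serial(cert_der):
    """Return (sha256 of the issuer Name DER, serial): the key a blacklist uses."""
    _, cert, _ = tlv(cert_der)
    _, tbs, _ = tlv(cert)
    tag, body, pos = tlv(tbs)
    if tag == 0xA0:                          # optional explicit version, skip it
        tag, body, pos = tlv(tbs, pos)
    assert tag == 0x02, "serialNumber must be an INTEGER"
    serial = int.from_bytes(body, "big", signed=True)
    _, _, pos = tlv(tbs, pos)                # signature AlgorithmIdentifier
    start = pos
    _, _, end = tlv(tbs, pos)                # issuer Name: hash its full DER encoding
    return hashlib.sha256(tbs[start:end]).hexdigest(), serial

# ---- the acceptance policy ----
class Revocation(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNAVAILABLE = "unavailable"              # CRL/OCSP could not be fetched

def accept_certificate(cert_der, blocklist, revocation, hard_fail=False, chain_valid=True):
    """Chain validation, then compiled-in blacklist, then online revocation status."""
    if not chain_valid:
        return False, "chain does not validate"
    if issuer_and_serial(cert_der) in blocklist:
        return False, "certificate is on the compiled-in blacklist"
    if revocation is Revocation.REVOKED:
        return False, "revoked according to CRL/OCSP"
    if revocation is Revocation.UNAVAILABLE:
        if hard_fail:
            return False, "revocation status unavailable (hard-fail)"
        return True, "revocation status unavailable, accepted anyway (soft-fail)"
    return True, "valid, not blacklisted, not revoked"

CA = "Hypothetical Issuing CA"               # stand-in name, not the real issuer
FRAUD_SERIAL = 0x11AB22CD33EF44              # constructed, NOT a real Comodo serial
fraud_cert = make_cert(CA, "mail.google.com", FRAUD_SERIAL)
other_cert = make_cert(CA, "example.com", 0x42)
# A real browser patch hard-codes this (issuer, serial) pair; computing it from
# the known fraudulent certificate gives the same key.
BLOCKLIST = {issuer_and_serial(fraud_cert)}

def demo():
    """The four situations discussed in the post, plus a legitimate certificate."""
    return {
        "old_browser_crl_blocked":   accept_certificate(fraud_cert, set(), Revocation.UNAVAILABLE),
        "old_browser_crl_reachable": accept_certificate(fraud_cert, set(), Revocation.REVOKED),
        "patched_browser":           accept_certificate(fraud_cert, BLOCKLIST, Revocation.UNAVAILABLE),
        "hard_fail_unpatched":       accept_certificate(fraud_cert, set(), Revocation.UNAVAILABLE, hard_fail=True),
        "legit_cert":                accept_certificate(other_cert, BLOCKLIST, Revocation.GOOD),
    }

if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:28s} accept={ok!s:5s} {why}")
```

The first case is the one that matters: an unpatched browser whose CRL/OCSP fetch is blocked accepts the fake certificate with no warning, while the same browser with the list reachable rejects it. The patched browser rejects it regardless, and a hard-fail policy would have rejected it even without the patch, at the cost of failing whenever the CA's revocation infrastructure is simply down.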
Links:
1) Comodo press release: www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html
2) Security Advisory from Microsoft: www.microsoft.com/technet/security/advisory/2524375.mspx
3) A detective story about how a "strange" patch was discovered in Firefox before the official publication of the results of Comodo's carelessness: blog.torproject.org/blog/detecting-certificate-authority-compromises-and-web-browser-collusion
4) On the political side of what happened: avva.livejournal.com/2321707.html