Fake certificates for popular sites

First, the sensational version:

The Comodo Internet Security Certification Authority (its root certificate is trusted by most browser vendors) signed the following certificates for unknown fraudsters:

* mail.google.com, www.google.com
* login.yahoo.com (3 certificates)
* login.skype.com
* addons.mozilla.org
* login.live.com

If a fraudster presents one of these certificates, browsers will accept it as valid. In other words, there will be no way at all to tell that the site is fake.

Now in more detail. The certificates were issued, after which a behind-the-scenes scramble began: browser vendors (at least Chrome and Firefox) added them to a blacklist compiled into the code. For Firefox this happened on March 17, 2011; every version released before that date will trust these certificates (I wanted to write "vulnerable", but the problem is that this is not a vulnerability, it is Comodo's sloppiness, which for some reason everyone is forced to trust). In theory the browser should check whether the certificate appears in the revocation list (it was added there), but in practice, if access to that list is blocked, browsers give no clear warning and simply trust the certificate.
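The two defences mentioned above, a deny list compiled into the client and a revocation check, are shown below as an added illustration (not code from the post or from any browser); the serial numbers, the CRL fetchers and the certificate records are constructed placeholders, and the "soft-fail" policy reproduces the behaviour described in the paragraph, where an unreachable CRL leads to the certificate being trusted.

```python
"""Constructed model of client-side certificate screening: a compiled-in
deny list plus CRL checking under soft-fail and hard-fail policies."""
from dataclasses import dataclass
from typing import Callable, Optional, Set, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str   # e.g. "login.skype.com"
    issuer: str    # e.g. "Comodo"
    serial: str    # hex serial; values used below are constructed placeholders


# Stand-in for the list browser vendors compiled into their code
# (the real serial numbers are not given on this page).
COMPILED_IN_DENY_LIST: Set[Tuple[str, str]] = {
    ("Comodo", "0xDEADBEEF01"),
    ("Comodo", "0xDEADBEEF02"),
}

SOFT_FAIL = "soft-fail"   # unreachable CRL => trust (the behaviour described above)
HARD_FAIL = "hard-fail"   # unreachable CRL => reject


def validate(cert: Cert,
             fetch_crl: Callable[[str], Optional[Set[str]]],
             policy: str = HARD_FAIL) -> str:
    """Return 'accept', 'reject:denylist', 'reject:revoked' or
    'reject:crl-unreachable'. fetch_crl(issuer) returns the set of revoked
    serials for that issuer, or None when the CRL could not be retrieved."""
    if (cert.issuer, cert.serial) in COMPILED_IN_DENY_LIST:
        return "reject:denylist"          # blocked even if the CRL is unreachable
    crl = fetch_crl(cert.issuer)
    if crl is None:
        # This is the gap: a soft-fail client accepts whenever the CRL is blocked.
        return "accept" if policy == SOFT_FAIL else "reject:crl-unreachable"
    if cert.serial in crl:
        return "reject:revoked"
    return "accept"


# Constructed CRL fetchers standing in for the real network download.
def crl_available(issuer: str) -> Optional[Set[str]]:
    return {"0xDEADBEEF03"}               # constructed: one revoked serial


def crl_blocked(issuer: str) -> Optional[Set[str]]:
    return None                           # download failed or was filtered
```

With a revoked serial and a blocked CRL, `validate(cert, crl_blocked, SOFT_FAIL)` returns "accept" while `validate(cert, crl_blocked, HARD_FAIL)` returns "reject:crl-unreachable"; only the compiled-in deny list rejects the certificate regardless of CRL reachability.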

Links:

1) Comodo press release: www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html
2) Security Advisory from Microsoft: www.microsoft.com/technet/security/advisory/2524375.mspx
3) A detective story about how a "strange" patch in Firefox was discovered before the results of Comodo's carelessness were officially published: blog.torproject.org/blog/detecting-certificate-authority-compromises-and-web-browser-collusion
4) On the political side of what happened: avva.livejournal.com/2321707.html
