Security researchers have uncovered weaknesses in low-assurance digital certificates that create a means for miscreants to mount more convincing man-in-the-middle (MITM) attacks. MITMs involve a hacker planting himself between two parties in a dialogue, relaying messages between them and effectively controlling the conversation …
Strike them out...
"The certificates were obtained by a competing Certificate Authority (“CA”) attempting to demonstrate a perceived vulnerability in one of our Registration Agent’s (“RA”) systems and procedures."
Well, that's not what happened now, is it?
And, to be fair, it looks like the found one.
Myself, I've removed Comodo from the list of certificates I trust in firefox (well, removed the ability of the Comodo root certificates to certify anything, actual removal is difficult). As I hear about more CAs failing their reesponsibilities I'll remove them too. Secure comms with my bank and credit card are more important to me than the ability to converse securely with any old user of a no-name CA that has security problems.
Actually, it would be better if the bank provided their own CA certificate in an offline manner, and if browsers could provide some sort of locked down mode where I only trust a single CA. Then I would be able to talk to my bank safely.
Have you looked at the list of "trusted" authorities in a modern browser? I don't know who they are and I certainly don't trust them all.
"As soon as Comodo discovered the error with the certificate, the certificate was revoked"
Does Certificate Revocation actually work automatically? I have the impression that Certificate Revocation Lists must be downloaded and installed manually. (In Firefox, go to: Edits->Preferences->Advanced->Encryption->Revocation Lists->Import. Yes, basically in the basement.) To be sure, you can tell Firefox to get the latest CRLs automagically, by pointing your browser to these at least once:
...but who does that.
Thus, once the rogue certificate is out there, it's out there.
"That low-assurance certs might be issued without any checks whatsoever does however come as something of an eye opener" Really? I thought you just went and bought them.
This (http://www.law.miami.edu/%7Efroomkin/articles/digsig1.pdf) is worth a read, it's from last century but, suffering as I do from the national disease of cynicism, I reckon it is still a valid critique.
IIRC Ross Anderson found a positive correlation between possession of a cert and being a scammer, but CBA to look it up.
- Geek's Guide to Britain Kingston's aviation empire: From industry firsts to Airfix heroes
- Analysis Happy 2nd birthday, Windows 8 and Surface: Anatomy of a disaster
- Review Vulture trails claw across Lenovo's touchy N20p Chromebook
- Adobe spies on readers: EVERY DRM page turn leaked to base over SSL
- Analysis The future health of the internet comes down to ONE simple question…