CA issues no-questions asked Mozilla cert

Back to the article

Strike them out... #

Posted Monday 29th December 2008 13:32 GMT

"The certificates were obtained by a competing Certificate Authority (“CA”) attempting to demonstrate a perceived vulnerability in one of our Registration Agent’s (“RA”) systems and procedures."

Well, that's not what happened now, is it?

And, to be fair, it looks like the found one.

Myself, I've removed Comodo from the list of certificates I trust in firefox (well, removed the ability of the Comodo root certificates to certify anything, actual removal is difficult). As I hear about more CAs failing their reesponsibilities I'll remove them too. Secure comms with my bank and credit card are more important to me than the ability to converse securely with any old user of a no-name CA that has security problems.

Actually, it would be better if the bank provided their own CA certificate in an offline manner, and if browsers could provide some sort of locked down mode where I only trust a single CA. Then I would be able to talk to my bank safely.

Have you looked at the list of "trusted" authorities in a modern browser? I don't know who they are and I certainly don't trust them all.

Destroy All Monsters

Revoke! #

Posted Monday 29th December 2008 15:11 GMT

"As soon as Comodo discovered the error with the certificate, the certificate was revoked"

Does Certificate Revocation actually work automatically? I have the impression that Certificate Revocation Lists must be downloaded and installed manually. (In Firefox, go to: Edits->Preferences->Advanced->Encryption->Revocation Lists->Import. Yes, basically in the basement.) To be sure, you can tell Firefox to get the latest CRLs automagically, by pointing your browser to these at least once:

http://crl.comodo.net/Class3SecurityServices_3.crl

http://crl.comodoca.com/Class3SecurityServices 3.crl

http://crl.comodoca.com/Class3SecurityServices.crl

http://crl.comodo.net/Class3SecurityServices.crl

...but who does that.

Thus, once the rogue certificate is out there, it's out there.

wayne tavitt

certificate schmertificate #

Posted Tuesday 30th December 2008 12:45 GMT

"That low-assurance certs might be issued without any checks whatsoever does however come as something of an eye opener" Really? I thought you just went and bought them.

This (http://www.law.miami.edu/%7Efroomkin/articles/digsig1.pdf) is worth a read, it's from last century but, suffering as I do from the national disease of cynicism, I reckon it is still a valid critique.

IIRC Ross Anderson found a positive correlation between possession of a cert and being a scammer, but CBA to look it up.

So far as browsers go, I went to Advanced | Encryption | blah blah and zapped all the certificates I could find. Why should I trust any of them? But then I'm a luddite with javascript turned off (in case noscript is buggy).

Forums

Forums home

Sign up, sign up for The Register's weekly IT security newsletter - click here