CA issues no-questions asked Mozilla cert

Security researchers have uncovered weaknesses in low-assurance digital certificates that create a means for miscreants to mount more convincing man-in-the-middle (MITM) attacks. MITMs involve a hacker planting himself between two parties in a dialogue, relaying messages between them and effectively controlling the conversation …


This topic is closed for new posts.

Strike them out...

"The certificates were obtained by a competing Certificate Authority (“CA”) attempting to demonstrate a perceived vulnerability in one of our Registration Agent’s (“RA”) systems and procedures."

Well, that's not what happened now, is it?

And, to be fair, it looks like they found one.

Myself, I've removed Comodo from the list of certificates I trust in Firefox (well, removed the ability of the Comodo root certificates to certify anything, actual removal is difficult). As I hear about more CAs failing their responsibilities I'll remove them too. Secure comms with my bank and credit card are more important to me than the ability to converse securely with any old user of a no-name CA that has security problems.

Actually, it would be better if the bank provided their own CA certificate in an offline manner, and if browsers could provide some sort of locked down mode where I only trust a single CA. Then I would be able to talk to my bank safely.

Have you looked at the list of "trusted" authorities in a modern browser? I don't know who they are and I certainly don't trust them all.



"As soon as Comodo discovered the error with the certificate, the certificate was revoked"

Does Certificate Revocation actually work automatically? I have the impression that Certificate Revocation Lists must be downloaded and installed manually. (In Firefox, go to: Edit->Preferences->Advanced->Encryption->Revocation Lists->Import. Yes, basically in the basement.) To be sure, you can tell Firefox to get the latest CRLs automagically, by pointing your browser to these at least once:

http://crl.comodoca.com/Class3SecurityServices 3.crl

...but who does that.

Thus, once the rogue certificate is out there, it's out there.
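To make the revocation point above concrete, here is an added example (not code from the thread or from Comodo) using Python's `cryptography` library: it builds a constructed throwaway CA, a leaf certificate and a CRL that revokes that leaf, then shows that a verifier which never consults the CRL still accepts the revoked certificate, while one that does consult it rejects it. All names, keys and serials are constructed for the example.

```python
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _cert(subject, issuer, pub, signer, now, is_ca):
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
         .public_key(pub).serial_number(x509.random_serial_number())
         .not_valid_before(now - dt.timedelta(minutes=1))
         .not_valid_after(now + dt.timedelta(days=1)))
    if is_ca:
        b = b.add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
    return b.sign(signer, hashes.SHA256())

def make_pki():
    """Constructed throwaway PKI: a CA, a leaf it issued, and a CRL revoking that leaf."""
    now = dt.datetime.utcnow()
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca = _cert(_name("Constructed Test CA"), _name("Constructed Test CA"),
               ca_key.public_key(), ca_key, now, True)
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    leaf = _cert(_name("www.example.test"), ca.subject, leaf_key.public_key(), ca_key, now, False)
    revoked = (x509.RevokedCertificateBuilder().serial_number(leaf.serial_number)
               .revocation_date(now).build())
    crl = (x509.CertificateRevocationListBuilder().issuer_name(ca.subject)
           .last_update(now).next_update(now + dt.timedelta(days=1))
           .add_revoked_certificate(revoked).sign(ca_key, hashes.SHA256()))
    return ca, leaf, crl

def verify_leaf(leaf, ca, crl=None):
    """Accept leaf if the CA signed it and it is inside its validity window; the CRL is
    checked only when one is passed, which is the gap the post describes (no CRL, no revocation)."""
    if leaf.issuer != ca.subject:
        return False
    try:
        ca.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                               ec.ECDSA(leaf.signature_hash_algorithm))
    except InvalidSignature:
        return False
    now = dt.datetime.utcnow()
    if not (leaf.not_valid_before <= now <= leaf.not_valid_after):
        return False
    if crl is not None and (not crl.is_signature_valid(ca.public_key()) or
            crl.get_revoked_certificate_by_serial_number(leaf.serial_number) is not None):
        return False
    return True
```

A real client would have to fetch the CRL from the certificate's distribution point (or use OCSP) before `verify_leaf` could ever see it; with a stale or missing CRL the revoked certificate verifies cleanly.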

Anonymous Coward

certificate schmertificate

"That low-assurance certs might be issued without any checks whatsoever does however come as something of an eye opener" Really? I thought you just went and bought them.

This (http://www.law.miami.edu/%7Efroomkin/articles/digsig1.pdf) is worth a read, it's from last century but, suffering as I do from the national disease of cynicism, I reckon it is still a valid critique.

IIRC Ross Anderson found a positive correlation between possession of a cert and being a scammer, but CBA to look it up.

So far as browsers go, I went to Advanced | Encryption | blah blah and zapped all the certificates I could find. Why should I trust any of them? But then I'm a luddite with JavaScript turned off (in case NoScript is buggy).
