The digital miscreant known as ComodoHacker has claimed responsibility for the high-profile DigiNotar digital certificate authority hack. Soon after the Comodo forged certificates hack an Iranian using the handle Comodohacker posted a series of messages via Pastebin account providing evidence that he carried out the attack. The …
That "ComodoHacker" guy sucks. He did a simple SQLi to hack a comodo reseller and made it sound like he invented the wheel.
And he probably didn't hack DigiNotar - he just claims credit for it.
SSL cert problems first exposed by the Comodo hack?
I'd say it goes back a bit further than that. The invention of 'Extended Validation' certificates, perhaps. And it isn't like it is particularly hard to pass the Webtrust audit...
As soon as EV certs were introduced the whole idea of SSL guaranteeing identity went out the window.
It was basically an admission of "I know the spec said we are supposed to verify the identity of the cert requestor but that is too profit-wrecking and we balls'ed it all up...But with the new $$$ EV certificates we PROMISE to do a better job this time"
Which is why I still hate the EARTH IS ENDING warnings you get in Firefox for a self-signed cert. In terms of guaranteeing identity I put them on the same level as a non-EV cert from any of the CAs
As a precaution
Shouldn't all CAs be resetting their admin passwords?
Re: As a precaution
>>Shouldn't all CAs be resetting their admin passwords?
Why, did that stop the hacker last time?
SSL Security ...or not
This is not the first time something like this has happened, though this does seem to be a particularly high profile and destructive occurrence. Similar bogus certificates have been issued in the past, mostly through CA incompetence rather than hacking.
My point is, as has been pointed out many many many times before by lots of people, many of whom know far more about this stuff than most of us, the SSL keychain/certificate system is BROKEN. It was broken from day one, and it's not until some REALLY high profile case comes to light (like a major bank being hit or something) that the world at large is going to wake up to this fact. Fundamentally, the "chain of trust" that SSL relies on can not be trusted. Simple as that.
Pr0d@dm1n == Prodadmin
So, now we know who ComodoHacker is.
Please stop publishing the password I now use for everything.
That is all.
I thought you used " 1 2 3 4 5"...
Yep, that's my coat.
Its just the tip
What this ( and similar recent issues) seems to show is that the security of companies who are making money on "security" is not up to snuff.
DigiNotar's parent company did a very poor job of vetting the company they purchased and I would expect that to have a effect on their other products even if "Diginotar tech was not integrated" yet. They are responsible for the long delay between discovery and disclosure.
No CA's auditing their networks for vulns?
Hi Qualys, nice to meet you.
The real solution here is to drop all these CA whore companies and just use a single trusted government to issue certificates. I vote for the US - with all the top level certificates signed by the President himself.
Seriously? Is that meant to be sarcasm?
I think the "...signed by the President himself..." probably clarified that. ;)
Reality vs. paper
As is pointed out in "Its just the tip", it is the real life security that is the issue here, and the way that organisations deal with security, and in particular PKI. PKI mechanisms offer paper security, the *real* security depends on the reality of the implementation. PKI as a system might have flaws that make it fragile, this doesn't mean you can't get it right. Trouble is, few people bother. Why would they? When you run a PKI, all the talk is about your vetting procedures, your private key protection, bla bla bla. Security audits are done according to security audit standard X, Y and Z. All nice and well. All secure. Until you look at the intricate little details of the actual system and application security. That's where the cracks are. I know a fair number of people who are good at finding these cracks, securing them properly and design a system such that chances for exploitation of issues is very small to begin with. These are unfortunately not the same people that are called in when systems get designed, or when systems get audited. That is where the paper people come in. Don't get me wrong, security policies have their place. But ultimately it is the reality that runs the show, paper people tend to forget that. Much like a builders code works wonders to prevent shoddy buildings, but only if the builders actually adhere to it.....
Much talk about incentives in the CA world. I offer a much simpler answer. There's not that many people with brains wired for proper security, or proper PKI. Those people, unfortunately, often need to choose. PKI or real life security. Not that many that do both. Lack of understanding of different worlds does the rest....
A bit of a rambling post perhaps, but there's lots of truth in what I write. Trust me ;)
Not the securest of passwords perhaps. You shouldn't use 0 for o, @ for a, or 1 for i, but the combination of them with a non-obvious pair of words still looks pretty good against a brute-force attack to me. I'd be interested to hear a cryptographer's view. If that was really the password, I'd be looking for evidence of a social-engineering exploit.
See my earlier post.
XKCD knows all
The REAL solution
Take Iran off the Internet; problem solved. They can't hack what they can't get too.
Why not Israel, Britain, US, or other state-sponsered agency?
Iran - snoop on possible communicaitons between Iran citizens and anti-Iran groups.
Israel - snoop on possible communications between Iran agents and anti-Israel groups. (for example: Hamas).
US - snoop on possible communications between Iran agents and anti-US groups.
I am not saying that Iran is innocent, but, they are not the only ones that can benefit from reading emails/traffic between points in Iran and the rest of the internet.
Who knows.. maybe, its some 'blown egos' from that stuxnet malware.