
Comodo Says Two More RAs Compromised

CmdrTaco posted more than 2 years ago | from the no-time-for-compromise dept.

Encryption 144

Trailrunner7 writes "Officials at Comodo have acknowledged that an additional two registration authorities affiliated with the company have been compromised in the wake of the high-profile attack on the company that was disclosed last week. Addressing a list of concerns about Comodo's practices raised by customers and browser vendors in the wake of the attack, Alden said that the company is now in the process of rolling out a new two-factor authentication system for its RAs. Comodo also is installing other security measures as a result of the attack."


144 comments


New Breaches? (0)

WrongSizeGlass (838941) | more than 2 years ago | (#35665958)

These two occurred after the discovered the first one. How does this stuff keep happening?

Re:New Breaches? (1)

petermgreen (876956) | more than 2 years ago | (#35666356)

The whole CA system is fundamentally broken: your browser trusts a huge list of CAs, and further those CAs have the power to delegate their authority (either through signing a cert that delegates authority or by allowing those people to request certificates with little to no further checking). The result is a huge number of people who have the power to sign certificates that your browser will treat as evidence that a web site is who they say they are. Further, the CAs don't really have much interest in security beyond doing the minimum necessary to keep themselves in the browsers' root certificate lists.

When you have a large number of people and/or entities with such a power there is a significant chance that some of them will be corrupt, open to coercion, lax about security or some combination of those attributes.

Comodo claimed that there were no further mis-issued certificates as a result of this but I'd be very wary of such a claim.

Re:New Breaches? (2)

rtfa-troll (1340807) | more than 2 years ago | (#35668012)

There is nothing wrong with the fact that many people can sign certificates. What is wrong is that there's no easy way to mark that up and control it and there are no ways to have multiple independent signing bodies. E.g. for financial transactions I would only want to trust a bank signed by an extended verification certificate from at least two registries + the government regulatory body of the country where the bank is registered. When I'm browsing slashdot I would probably be happy just to have a self signed certificate and get warned if it changed. What is needed is essentially a web of trust like PGP with a pre-loaded set of trusted bodies which varies according to the configuration of the user. There is no reason for a Chinese user to trust an American bank or the other way round.

With sufficiently clever defaults this could add quite a bit of security without any interaction or thinking from the user. They probably have to learn more about the colours of the address bar or something however.

Simple solution. (5, Interesting)

Timmmm (636430) | more than 2 years ago | (#35665972)

Store the certificates in DNS, and access them with DNSSEC.

http://blog.fupps.com/2011/02/16/ssl-certificate-validation-and-dnssec/ [fupps.com]

Re:Simple solution. (1)

characterZer0 (138196) | more than 2 years ago | (#35666166)

Right. Because nobody has ever hijacked a domain.

Re:Simple solution. (1)

Co0Ps (1539395) | more than 2 years ago | (#35666270)

Um. You realize that "hijacking a domain" is virtually impossible with DNSSEC right?

Re:Simple solution. (2)

Fastolfe (1470) | more than 2 years ago | (#35667128)

Spoofing a domain is effectively impossible, but hijacking it is not. If you can convince the registrar that you are the owner of the domain, you can change the DNS servers *and* the domain's DS records.

Re:Simple solution. (1)

jhoegl (638955) | more than 2 years ago | (#35667252)

I believe that is what DNSSEC is supposed to solve.

Re:Simple solution. (1)

Co0Ps (1539395) | more than 2 years ago | (#35666254)

Very, very, very interesting... and brilliant. This solves four major problems:

  • Trusting CAs getting hacked
  • Trusting CAs in China
  • Having to pay for expensive certificates instead of signing them ourselves

With this solution you only have to trust your TLD authority and the root DNS certificate.

Let's hope this gets standardized and that DNSSEC gets rolled out for all TLDs as quick as possible.

Re:Simple solution. (1)

Anonymous Coward | more than 2 years ago | (#35666292)

I wish. Verisign and others make too much money for that to ever happen.

Re:Simple solution. (1)

Lennie (16154) | more than 2 years ago | (#35667288)

They are already doing DNSSEC-services. Would it matter to them what services they sell to people ?

Re:Simple solution. (2)

Fastolfe (1470) | more than 2 years ago | (#35667246)

Except you can't meaningfully have real-world identity validation without trusted third parties. The guy owning ebay-payments-this-is-real.com can generate a cert for his web server that says "eBay", but you can't trust such an assertion if the only trust you have is the DNS hierarchy.

Re:Simple solution. (1)

sjames (1099) | more than 2 years ago | (#35670192)

True enough for the most part. However, it can be an actually trusted 3rd party rather than one of dozens of companies I've never heard of in countries whose governments I don't trust.

If my friend buys something from someone and gives me rave reviews, if he also gives me their cert fingerprint with the link, I can KNOW for a fact that I am dealing with the same entity that my friend recommended. At that point, I don't know if his name is Joe Smith or Blusdfua Ykjfuiwqhfp for certain, but I don't care because I do know that he is most certainly "guy who my friend recommended".

This even applies to things like banking. All I need to know is that the cert matches the fingerprint printed on my bank statement and available at the local branch on the online banking brochure.

Cert fingerprints can also verify for me that this is the same site I visited last time, not a man in the middle who wasn't there before. That doesn't require a 3rd party.
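Editor's added example, not a comment from the thread: what Timmmm's "store the certificates in DNS" idea and sjames's "match the fingerprint my friend or my bank gave me" model look like in code. The record layout is the one later standardised as a TLSA record in RFC 6698; the certificate bytes, the host names and the PinStore class are constructed for illustration and are not from anyone's post. It assumes the DNS answer has already been DNSSEC-validated, which is the step that replaces the CA.

```python
"""DANE/TLSA-style certificate binding and trust-on-first-use pinning.

Added example, not code from anyone in this thread. The record layout is the
one later standardised in RFC 6698 (TLSA): three one-octet fields, then the
certificate association data.
  certificate usage  3 = DANE-EE (pin the end-entity certificate; no CA is
                     consulted at all)
  selector           0 = whole certificate, 1 = SubjectPublicKeyInfo
  matching type      0 = exact DER, 1 = SHA-256 digest, 2 = SHA-512 digest
Only selector 0 is implemented; selector 1 needs an ASN.1 walk to cut the
SPKI out of the certificate. DNSSEC validation of the record is assumed to
have already happened; without it the record is worth nothing.
"""
import hashlib
import hmac

DANE_EE = 3
SEL_FULL_CERT = 0
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


def tlsa_rdata(cert_der, usage=DANE_EE, selector=SEL_FULL_CERT, mtype=MATCH_SHA256):
    """Build TLSA RDATA for a DER-encoded certificate."""
    if selector != SEL_FULL_CERT:
        raise NotImplementedError("selector 1 (SPKI) needs an ASN.1 parser")
    if mtype == MATCH_EXACT:
        assoc = cert_der
    elif mtype == MATCH_SHA256:
        assoc = hashlib.sha256(cert_der).digest()
    elif mtype == MATCH_SHA512:
        assoc = hashlib.sha512(cert_der).digest()
    else:
        raise ValueError("unknown matching type %d" % mtype)
    return bytes([usage, selector, mtype]) + assoc


def tlsa_presentation(rdata):
    """Zone-file form, e.g. '3 0 1 <hex digest>'."""
    return "%d %d %d %s" % (rdata[0], rdata[1], rdata[2], rdata[3:].hex())


def tlsa_matches(rdata, presented_der):
    """Does the certificate presented in the TLS handshake match the record?
    Recompute the association data the same way and compare in constant time."""
    usage, selector, mtype = rdata[0], rdata[1], rdata[2]
    expected = tlsa_rdata(presented_der, usage, selector, mtype)
    return hmac.compare_digest(expected, rdata)


class PinStore:
    """Trust-on-first-use store of per-host certificate fingerprints: the
    'warn me if it changed since last visit' model. A real client persists
    this and lets the user confirm a change out of band (bank statement,
    friend's e-mail) before accepting it."""

    def __init__(self):
        self.pins = {}

    def check(self, host, cert_der):
        fp = hashlib.sha256(cert_der).hexdigest()
        seen = self.pins.get(host)
        if seen is None:
            self.pins[host] = fp
            return "first-use"
        return "match" if hmac.compare_digest(seen, fp) else "CHANGED"


if __name__ == "__main__":
    # Constructed placeholder bytes standing in for a DER certificate.
    cert = b"\x30\x82\x01\x00" + bytes(range(256))
    record = tlsa_rdata(cert)
    print("_443._tcp.www.example.com. IN TLSA", tlsa_presentation(record))
    print("presented cert matches:", tlsa_matches(record, cert))
    print("rotated cert matches:  ", tlsa_matches(record, cert + b"\x00"))
```

Note what the record does and does not give you: with usage 3 the browser never consults a CA, so a mis-issued Comodo certificate for the name is simply a mismatch, but as Fastolfe points out upthread, whoever controls the zone (registrar account, DS record) controls the pin, and the record says nothing about who the operator is in the real world.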

Re:Simple solution. (1)

asdf7890 (1518587) | more than 2 years ago | (#35667308)

On the "having to pay" thing, there is at least one CA with a signing cert trusted by the majority of current browsers who use that signing cert to sign free server certificates.

See http://en.wikipedia.org/wiki/Startssl#StartSSL [wikipedia.org] for details. Unfortunately under XP the certificate updates are not sent out marked as important so many people won't have them installed on that OS (and perhaps Vista too?) but this only affects IE users. So if you feel safe letting some XP+IE users get certificate warning messages and having to explain the messages to them, there is a free option.

IIRC none of the other free cert groups (like cacert.org) have this level of trust on common browser configurations, though if startssl gain a good chunk of market share out of offering the free certs maybe other CAs will start signing low assurance certs for nothing too (rather than, as several currently do, just giving you one year free as part of some offer linked to a registrar) - which would be nice as that way even the backwards XP+IE users will trust certs you can get signed for free...

A SIMPLER solution for END USERS (HOSTS) (0)

Anonymous Coward | more than 2 years ago | (#35667576)

HOSTS file users can bypass using DNS altogether & let END USERS especially be:

---

1.) Safe(r)

2.) Faster

3.) More 'secure/anonymous' online

4.) SAVE MONEY/COIN$/DEAD-PRE$IDENT$

& more, FOR FREE! no less, & you already have one!

---

(ALL THAT, & far more (see url below) via hardcodes of your fav. sites in your HOSTS file, which makes you faster, offloads DNS servers (which even DNS admins of them MIGHT love even), & keeps you OFF their "DNS Request Logs" too (security/anonymity part)).

FOR an "end user" though? They make SURE, or can (via hardcodes of your fav. sites into HOSTS) you get to where you wanted to, legitimately, even IF DNS servers you use are compromised (say via DNS poisoning), & faster, or even if the DNS is down.

How? See above... & more detail, ESPECIALLY vs. DNS faults, are in the URL below, IN GREAT DETAIL with backing facts/documentation from reputable sources!

The added benefit is, that IF you also blockout adbanners you get more speed (and security too, because they've been hit TONS of times (see below) with maliciously scripted adbanners))

The DNS system acts as an online Certificate Authority - being compromised thus as this article notes? Makes DNS the WEAK point in the chain here partially...

HOSTS make you avoid DNS if you wish & "do it right" per what I noted above.

For the "FULL GAMUT" of what HOSTS can do for you, & how/when/where/why/how? Refer to the post of mine "everyone here hates":

http://tech.slashdot.org/comments.pl?sid=2038142&cid=35493238 [slashdot.org]

(lol, plenty of users do use them here (10 or so I can rattle off & supply data for, in addition to mvps.org's 1,000's) & like them here though as well, + more & more over time the more they become aware of it)

Yes, & my posts DO help them on that note (especially if they are unaware of it)...

I post it for "the good" of the masses, NOT the profiteers that use "the art of good business is putting people together" (advertisers & webmasters, literally USING users this way)!

However, I truly suspect the ONLY people that REALLY "hate" HOSTS files are, imo & experience @ least:

---

1.) Malware makers

2.) Hacker/Crackers

3.) WebMasters

4.) Advertisers

---

WELL, to they, I can only say 1 thing: TOUGH COOKIES, & "The times they are a changin'"!

TO webmasters &/or advertisers:

Simply because more & more folks (and even the U.S. Military recently here http://yro.slashdot.org/comments.pl?sid=2039242&cid=35512150 [slashdot.org] are cutting out adbanners because they're a KNOWN bandwidth hog ( to gain back bandwidth taxpayers PAY for & for speed/performance purposes to aid the poor Japanese peoples) are "wising up" to the fact it's YOUR MONEY online & your SPEED that adbanners 'cut into'

To END USERS: (vs. malware makers/hackers-crackers)

It's your systems security, your data, your record even (being framed by a malware making YOU appear to be doing 'wrong' online etc.) + again, YOUR MONEY & BANDWIDTH YOU PAY FOR, after all!

A fool & his money are SOON parted, but online vs. adbanners...? SO IS YOUR BANDWIDTH & SECURITY nowadays, unless you do measures such as I note here now... & FAR MORE gains in the URL above (especially considering phones charge by bandwidth use, and so do many ISP/BSP's moving to it)... & so is your online time YOU PAY FOR OUT OF POCKET!

*Think about it!* & IF you're unaware of HOSTS file benefits for speed, security, & yes... even some "anonymity" vs. logs or DNSBL (DNS Block Lists)? HOSTS ARE "4U" & FREE (with many good sources for good ones, such as MVPS.ORG's -> http://www.mvps.org/winhelp2002/hosts.htm [mvps.org] )

Enjoy!

APK

P.S.=> At the server level, your solution's acceptable & probably even practical... still, since I am NOT a "DNS server expert" admittedly (though I am not a "total noob" on them either, far from it)? I'd like YOUR take on it... as you seem to know your stuff on this account! I am subject to correction (though rarely, lol, ala Sheldon from "The Big Bang Theory") and can learn too, like anyone else... & I like learning & speaking to those that are "in the know/expert" if possible... apk

Re:A SIMPLER solution for END USERS (HOSTS) (1)

hairyfeet (841228) | more than 2 years ago | (#35667932)

Poster is known malware writer and troll [arstechnica.com] who is advocating slowing your machine to a crawl with a 15Mb HOSTS file which will ONLY stop static ad banners.

A much better solution is to simply blacklist the Comodo certs if you aren't on Windows, and if you are on Windows you should have already been given the cert blacklist update, checkable by going MMC...add snap in...certifications and looking under untrusted certificates. Funnily enough if one is using the Comodo browser Comodo Dragon this is also not a problem, as the extremely short TTL they use on certs had these certs dead just a couple of hours after the hack and before the attacker could use them.

FACTS, vs. your libellous fictions & MORE... a (-1)

Anonymous Coward | more than 2 years ago | (#35668740)

1st: CA/Computer Associates, IS the "source" of what ARS TECHNICA (home of the internet troll, especially JEREMY REIMER, see below on THAT account) are just like yourself - easily shot down!

(and PROVEN criminals in BOTH Ars & CA, see below... & that everyone in the Computer Sciences based world KNOWS about, to boot - as to BOTH CA and arstech)...

OR, does THIS link I showed here before, which was + 5 INFORMATIVE rated no less here on CA, first:

---

COMPUTER ASSOCIATES BUSTED FOR ACCOUNTING FRAUD:

http://news.slashdot.org/comments.pl?sid=1884922&cid=34350102 [slashdot.org]

---

NOT prove that much?

Sure does! AND ON REAL CRIME!

Fact is - You're only allowing me to expose my false accusers publicly once again for the slime they are... thank you!

It is truly, wasting your time, in that you're:

---

1.) Making yourself look stupid, having to NOW "eat your words"

2.) Vindicating me from your accusations/libel of myself

3.) I mean, what: Are YOU a webmaster OR advertiser (or even MALWARE MAKER) that's losing monies due to HOSTS?

  (JUST like arstechnica is, & dying due to it, & bushwhacking THEIR USERS with adbanners & traps like this they were CAUGHT RED-HANDED IN:

PERTINENT QUOTE/EXCERPT FROM ARSTECHNICA THEMSELVES:

----

An experiment gone wrong - By Ken Fisher | Last updated March 6, 2010 11:11 AM

http://arstechnica.com/business/news/2010/03/why-ad-blocking-is-devastating-to-the-sites-you-love.ars [arstechnica.com]

"Starting late Friday afternoon we conducted a 12 hour experiment to see if it would be possible to simply make content disappear for visitors who were using a very popular ad blocking tool. Technologically, it was a success in that it worked. Ad blockers, and only ad blockers, couldn't see our content."

and

"Our experiment is over, and we're glad we did it because it led to us learning that we needed to communicate our point of view every once in a while. Sure, some people told us we deserved to die in a fire. But that's the Internet!"

Thus, as you can see? Well - THAT all "went over like a lead balloon" with their users in other words, because Arstechnica was forced to change it back to the old way where ADBLOCK still could work to do its job (REDDIT however, has not, for example). However/Again - this is proof that HOSTS files can still do the job, blocking potentially malscripted ads (or ads in general because they slow you down) vs. adblockers like ADBLOCK!

NOT ENOUGH?

Here's more ON ARSTECHNICA CRIMINALITY PROOF:

(How arstechnica email harassed me unceasingly, stalked me, impersonated me, & FAR more (libel + death threats even!))

That is, until ISPs & tracking tickets were brought in alongside the law (Det. Felton B.C. CA (Reimer's hometown) & FAR more - CrystalTech.com removing Jay Little Reimer's cohort in crime, & large tracts of REIMER's personal site (& like criminals? They went to diff. providers & did it, yet again)):

1.) IN FACT? Asked them if ANY of them ever did anything that was well-noted in publications (as I have many times) in the art & science of computing (an ENTIRE FORUMS of them, not a single one had - I thought it was funny, because they like to "play computer expert" like Jeremy Reimer especially, & yet, not a single one of them then even had a CSC degree, or even CIS degree... not even MCSE certs) - that, clearly, got to their "geek angst" & the truth that not a SINGLE ONE OF THEM was really any form of "computer guru", period.

2.) I made them look foolish @ Windows IT Pro, where Jay Little & Jeremy Reimer stalked me to (after I asked via email that Reimer remove a post on his forums that said it was I, when it was not (Reimer later had to PUBLICLY ADMIT it wasn't me, once his ISP got ahold of him alongside his website hosting provider)).

E.G.-> The fat fool, Jay Little, literally said he was, verbatim, an "expert on Exchange (MS)", & when I showed evidence from Microsoft on how memory optimization programs could un-halt stalled Exchange servers? Jay Little ran & started stalking me, site to site & making death threats from his own personal websites that I should be put to death, & more etc.

So, there you are, as to your "arstechnica link"...

Heck - they're bigger dorks & LITERALLY CRIMINAL, far moreso than the trolls around here, and everyone knows it!

Heh - they're often called "the underachievers of the internet" by others... small wonder that as they haven't achieved squat, to this day... For example, Jeremy Reimer is a "self-published" LULU luser, who lives off of his wife the stripper (talk about pitiful)...

----

Nope, facts ALWAYS "blow away" you trolls, with ease.

(Talk about "multitasking" for MY good! YOU'VE AGAIN HELPED ME "SHOOT DOWN" my naysayers, publicly... I am only defending myself, with facts too. Visible concrete verifiable ones no less!)

Also - CA & others like they have done the same to Dr. Mark Russinovich of Microsoft, and Nir Sofer of NIRSOFT as well - calling THEIR wares, malware too, & they're KNOWN in this field as decent... so, I suppose I am in TRULY, "good company" on this account no less!

---

"Poster is known malware writer and troll" - by hairyfeet (841228) on Wednesday March 30, @12:31PM (#35667932)

Funny - the above SHOWS quite otherwise, & so does below... & on HOSTS?

WHY'D YOU RUN FROM THIS THEN HAIRYFEET:

http://slashdot.org/comments.pl?sid=1930156&cid=34734160 [slashdot.org]

Hmmm? Each point you made, blown away, easily... just like here, & you're trolling me because YOU KNOW you lost, badly.

(Because you're the TROLL I "blew away with ease" on every point you tried to make is why... easily!)

---

"HOSTS file which will ONLY stop static ad banners." - by hairyfeet (841228) on Wednesday March 30, @12:31PM (#35667932)

Anything a HOSTS file can't stop? Software or router firewalls do (IP addys) & I use them for ADDED "layered security" & I advise others of the same... see my init. post, disprove the points I put out, like I have YOU & your 'Points' here, easily as per my usual vs. you (still stinging from it in the past eh, ITT Tech Boy (you are a product of shit education is why)).

APK

P.S.=> Lastly, IF I were a "malware maker/hacker-cracker"? I'd have to be the STUPIDEST one there is, because I also created the 1st guide for securing Windows, highly rated @ NEOWIN (as far back as 1998-2001) here:

http://www.neowin.net/news/apk-a-to-z-internet-speedup--security-text [neowin.net]

AND, more currently, the MOST viewed & highly rated one there is for years now since 2008 online:

http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE [bing.com]

Which has well over 300,000++ views online (actually MORE, but 1 site with 75,000 views of it went offline/out-of-business)

---

1.) An Essential Guide
2.) 5-5 star rated
3.) A "sticky-pinned" thread
4.) Most viewed in the category it's in (usually security)

---

Across 15-20 or so sites I posted it on back in 2008... have YOU done better, troll?

No, obviously.

(So much for your attempts @ "discrediting me" with "std. troll disinformation protocol", because it falls apart in the light of FACTS... easily! Just "too, Too, TOO EASILY" in fact!)... apk

Re:FACTS, vs. your libellous fictions & MORE.. (1)

St.Creed (853824) | more than 2 years ago | (#35670160)

Errrr... did you forget your medication or something?

Are "ad hominem" attacks the "best you've got"? (0)

Anonymous Coward | more than 2 years ago | (#35670216)

"Errrr... did you forget your medication or something?" - by St.Creed (853824) on Wednesday March 30, @03:36PM (#35670160)

See subject-line above, & the posts I made before it please (as they utilize facts, vs. your trolling + ad hominem attacks)... Here:

http://it.slashdot.org/comments.pl?sid=2061048&cid=35667576 [slashdot.org]

and yes, here (vs. another troll I have destroyed before, & on this VERY topic no less & I list why I suspect he's doing it, but... well, I'll leave it @ that):

http://it.slashdot.org/comments.pl?sid=2061048&cid=35668740 [slashdot.org]

---

NOW - Additionally/Lastly?

Care to show us your PHD in Psychiatry, your license to practice it, plus your years-to-decades of professional experience in it, AS WELL AS A FORMAL EXAMINATION OF MYSELF IN A PROFESSIONAL ENVIRONS you have?

I'd wager you have "none of the above"... but, we'll see.

APK

P.S.=> /. 'trolls', lol... Man, just "too, Too, TOO EASY - just '2EZ'" to dispatch & show for their "true colors" (transparent, & obvious)... lol! apk

Do you still have Comodo CA on your browser? (1, Insightful)

nereid666 (533498) | more than 2 years ago | (#35665978)

I have deleted all the CAs from Comodo. I think it must be the end of its certification authority business. I want more people held responsible for that: Ernst & Young gave them the WebTrust certification. Either the auditor or the certification is useless...

Re:Do you still have Comodo CA on your browser? (2)

DriedClexler (814907) | more than 2 years ago | (#35666266)

Didn't quite follow your third sentence there, but yeah, I'm de-listing Comodo and all Comodo-authorized CAs from my trusted list. We may not have perfect certificate revocation solutions, but that'll have to do for now.

How do you do that in Firefox? (1)

ArsenneLupin (766289) | more than 2 years ago | (#35667186)

The UI lets me delete "Built-in tokens", but if I then leave and re-enter the list, there they are again!

Re:How do you do that in Firefox? (1)

DriedClexler (814907) | more than 2 years ago | (#35667954)

Oh, I don't actually know how to do it, I was just trying to sound elite.

Some of the other posters on this topic are giving more specific instructions, give them a try.

Re:How do you do that in Firefox? (0)

Anonymous Coward | more than 2 years ago | (#35668630)

If you "delete" them and they reappear (they're loaded from a binary, a DLL on Windows), Firefox unchecks everything under what the certificate is allowed to authenticate (look under Edit Trust), so in essence it is distrusted and cannot validate anything anymore.
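Editor's added example, not a comment from the thread: the mechanism the post above describes, done to the root store's source file instead of through the UI. Mozilla builds the built-in root module from a text file, certdata.txt, in which each root has a certificate object and a separate trust object carrying CKA_TRUST_* attributes; explicit distrust is recorded by setting those to CKT_NSS_NOT_TRUSTED rather than by removing the certificate, so the root stays known and rejected. The CA labels and the fragment in SAMPLE are constructed to match that layout and are not taken from the real file; the script is not Mozilla's or NSS's own tooling.

```python
"""Distrusting a root the way NSS does it: flip the trust bits, don't delete.

Added example, not code from anyone in this thread. Assumes the certdata.txt
layout sketched in SAMPLE (blank-line-separated objects with CKA_CLASS,
CKA_LABEL and CKA_TRUST_* lines) and CKT_NSS_NOT_TRUSTED as the value for
explicit distrust. The CA labels are invented.
"""
import re

NOT_TRUSTED = "CKT_NSS_NOT_TRUSTED"
TRUST_ATTRS = ("CKA_TRUST_SERVER_AUTH",
               "CKA_TRUST_EMAIL_PROTECTION",
               "CKA_TRUST_CODE_SIGNING")
TRUST_CLASS = "CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST"
LABEL_RE = re.compile(r'^CKA_LABEL UTF8 "(.*)"$')


def split_objects(text):
    """certdata objects are runs of lines separated by blank lines."""
    blocks, cur = [], []
    for line in text.splitlines():
        if line.strip():
            cur.append(line)
        elif cur:
            blocks.append(cur)
            cur = []
    if cur:
        blocks.append(cur)
    return blocks


def label_of(block):
    for line in block:
        m = LABEL_RE.match(line)
        if m:
            return m.group(1)
    return None


def is_trust_object(block):
    return any(line.startswith(TRUST_CLASS) for line in block)


def distrust(text, label_pattern):
    """Set every trust attribute to NOT_TRUSTED on trust objects whose label
    matches label_pattern. Certificate objects are left alone, so the root is
    still known (and explicitly rejected) rather than merely absent.
    Returns (rewritten_text, [labels changed])."""
    pat = re.compile(label_pattern, re.IGNORECASE)
    out, changed = [], []
    for block in split_objects(text):
        label = label_of(block)
        if is_trust_object(block) and label and pat.search(label):
            block = ["%s CK_TRUST %s" % (line.split(" ", 1)[0], NOT_TRUSTED)
                     if line.split(" ", 1)[0] in TRUST_ATTRS else line
                     for line in block]
            changed.append(label)
        out.append("\n".join(block))
    return "\n\n".join(out) + "\n", changed


def trust_of(text, label):
    """{attribute: value} for the trust object with this label, for checking."""
    for block in split_objects(text):
        if is_trust_object(block) and label_of(block) == label:
            return {parts[0]: parts[2]
                    for parts in (line.split(" ") for line in block)
                    if parts[0] in TRUST_ATTRS}
    return None


# Constructed two-root fragment in certdata.txt layout (labels invented).
SAMPLE = r"""
#
# Certificate "Example Compromised CA"
#
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Compromised CA"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_VALUE MULTILINE_OCTAL
\060\202\001\000
END

# Trust for "Example Compromised CA"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Compromised CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

# Trust for "Example Fine CA"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Fine CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
"""

if __name__ == "__main__":
    new_text, changed = distrust(SAMPLE, r"Example Compromised")
    print("distrusted:", changed)
    print(trust_of(new_text, "Example Compromised CA"))
```

Distrusting the root this way also answers fast turtle's complaint below: every intermediate and end-entity certificate that chains to that root fails validation, so there is no need to find and untrust each subordinate individually.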

Re:Do you still have Comodo CA on your browser? (0)

Anonymous Coward | more than 2 years ago | (#35668452)

I think he meant that some responsibility should lie with Ernst & Young, the auditors that issued the WebTrust certificate.

Re:Do you still have Comodo CA on your browser? (2)

fast turtle (1118037) | more than 2 years ago | (#35667222)

Hell I'm removing all CA's from the browser as I don't trust any of them. Yes it creates a bit of an issue with some websites but all I have to do is add an exception for that site instead of blindly trusting the damn certificate.

What annoys me no end in Firefox is the fact that there is no simple way to disable all certs below a CA w/o having to disable each and every one of them. This makes no sense. If I don't trust the Root CA then why in hell should I trust any of their subsidiary CAs to be any better, and why can't I uncheck a box for a Root CA and untrust the entire chain?

Re:Do you still have Comodo CA on your browser? (1)

Culture20 (968837) | more than 2 years ago | (#35667678)

Hell I'm removing all CA's from the browser as I don't trust any of them. Yes it creates a bit of an issue with some websites but all I have to do is add an exception for that site instead of blindly trusting the damn certificate.

LOL. How do you verify them? Look up their phone numbers in the physical yellow pages, convince the phone monkeys that you need to talk to their CIO to have him read the cert to you letter by letter? ...for every https page every X years?

Comodo Says CmdrTaco Has Tiny Penis (-1, Troll)

Anonymous Coward | more than 2 years ago | (#35665988)

Comodo also wants to point out that CmdrTaco's penis is about 2 mm at fully erect state.

Its not their fault... (3, Funny)

Haedrian (1676506) | more than 2 years ago | (#35665998)

I mean, few systems can avoid being compromised by a person with "experience of 1,000 hackers"

http://it.slashdot.org/story/11/03/28/2159202/Lone-Iranian-Claims-Credit-For-Comodo-Hack [slashdot.org]

Re:Its not their fault... (2)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#35666076)

The world is truly lucky that the man with the experience of 1,000 hackers has not yet discovered steroids...

Re:Its not their fault... (1)

GameboyRMH (1153867) | more than 2 years ago | (#35666340)

If you liked the "with the force of 1000 suns" meme, you'll love "with the experience of 1000 hackers!"*

*Be sure to stay behind 7 proxies when hacking, and exercise caution so you don't accidentally the whole thing.

Re:Its not their fault... (0)

Anonymous Coward | more than 2 years ago | (#35666598)

Still waiting for the person with the experience of over 9000 hackers.

Re:Its not their fault... (0)

Anonymous Coward | more than 2 years ago | (#35668528)

It's not the thousand coders or hackers that worry me.. it's the thousand Project Managers!

Can't resist urge to make stupid joke..... (-1)

Anonymous Coward | more than 2 years ago | (#35666006)

So it seems Comodo is more wide open than even the goatse man!

ducks

Fuck... (4, Insightful)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#35666056)

So is "rolling out a new two factor authentication system" code for "our last two-factor authentication system consisted of 'something you know', your username, and 'something you know', your password; because, despite the fact that we are a fucking CA we just can't be bothered"?

Other than inertia, is there any reason to give these guys a second chance, rather than just drop them from the default trusted CAs list and let the company sell itself for scrap? Generating SSL certs is technologically trivial, anybody can do it at home with commonly available free software. Essentially, the only purpose of a CA is to be competent and trustworthy about who they generate certs for. CAs aren't really software or technology companies, they are much closer to the position of escrow services or trust companies. Generating certs is just the minor 'paperwork'. Generating only the right certs for only the right people is the job. If they can't do that, they are worse than useless.

Re:Fuck... (0)

Anonymous Coward | more than 2 years ago | (#35666374)

So if we all remove them as a trusted CA what happens to all the poor folks who legitimately paid them for certificates? Do we just say, "sorry dude, you happened to buy from the wrong company; go get another cert from someone we still like!"?

Because punishing the legitimate certificate holders doesn't sound like the best path forward.

Re:Fuck... (1)

LordLimecat (1103839) | more than 2 years ago | (#35666436)

Honestly, that WOULD be the correct solution. It's not punishing them, but it does make them responsible for their choices, and that's pretty important to keep people from getting complacent or thinking they don't have to care who they choose.

Re:Fuck... (1)

Kookus (653170) | more than 2 years ago | (#35666512)

I work at an institution that widely uses Comodo certificates, and I still believe that the right solution is to un-trust them. Let the lawyers handle the recuperation costs with Comodo.

Re:Fuck... (1)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#35666542)

Probably about the same thing that happens to the families/friends/etc of people who get fired for serious workplace negligence, or who get sent to jail for some crime or other; only getting a new cert is easier and cheaper than replacing a person.

It is, unfortunately, true that nuking them as a trusted CA will have some negative effects on innocent parties. However, there is essentially no form of punishment/consequences, whether leveled against a corporation or a person, that does not affect some innocent bystanders. Somehow, given that the alternative would be the abandonment of consequences, we manage to accept that.

Re:Fuck... (0)

Anonymous Coward | more than 2 years ago | (#35666578)

So if we all remove them as a trusted CA what happens to all the poor folks who legitimately paid them for certificates? Do we just say, "sorry dude, you happened to buy from the wrong company; go get another cert from someone we still like!"?

Yes.

Re:Fuck... (0)

Anonymous Coward | more than 2 years ago | (#35666814)

> Because punishing the legitimate certificate holders doesn't sound like the best path forward.

The problem is that we no longer know which of them is legitimate.

Re:Fuck... (1)

shentino (1139071) | more than 2 years ago | (#35666916)

Simple. Sue comodo for breach of warranty or something.

Re:Fuck... (2)

ArsenneLupin (766289) | more than 2 years ago | (#35666934)

Other than inertia, is there any reason to give these guys a second chance

You mean, a third chance [theregister.co.uk] ?

Yes, they are too big to fail [eff.org] . Hey, it worked for the banks...

Maybe CaCert [cacert.org] only needs to get 120.000 subscribers on board, and they shouldn't have to bother with that pesky audit either?

Re:Fuck... (1)

trifish (826353) | more than 2 years ago | (#35666982)

is there any reason to give these guys a second chance

Actually, a third chance. They had a similar problem a couple of years ago [slashdot.org] .

(That's why I've had their certs blacklisted since then. Once a CA loses trust, it can't be restored. And it shouldn't.)

Re:Fuck... (1)

TheLink (130905) | more than 2 years ago | (#35667432)

Once a CA loses trust, it can't be restored. And it shouldn't

How about Verisign?

http://www.microsoft.com/technet/security/bulletin/ms01-017.mspx [microsoft.com]

Verisign owns Thawte, Geotrust (which owns RapidSSL).

Re:Fuck... (0)

Anonymous Coward | more than 2 years ago | (#35668366)

I just see one Verisign incident. Not three in two years, like in Comodo's case. (And they have been here for much longer and have issued many times more certs than Comodo and their affiliates). Are you a Comodo shill by any chance?

Re:Fuck... (1)

gman003 (1693318) | more than 2 years ago | (#35667276)

Maybe they're in a district where "can't be arsed" is a federally-recognized handicap?

Re:Fuck... (2)

Lord Ender (156273) | more than 2 years ago | (#35667414)

This isn't just a CA problem. Failure to use proper authentication is everywhere. Here's the rule of thumb you need to know regarding authentication:

If the system or data is at all important, it should be virtually impossible to access it without real two-factor authentication. A CA is important. Financial systems are important. The Administrative interfaces to your company's core systems are important.

Comodo should have required this of its customers, but more importantly, YOUR company should be requiring it of itself. Is it?

Re:Fuck... (1)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#35667512)

Yup. Users hate it; but that just gives my pitying stare some extra practice.

Re:Fuck... (2)

tlhIngan (30335) | more than 2 years ago | (#35667762)

If the system or data is at all important, it should be virtually impossible to access it without real two-factor authentication. A CA is important. Financial systems are important. The Administrative interfaces to your company's core systems are important.

Ah, but two-factor is also expensive.

That's why banks and other financial institutions have rolled out two factor abortions that are really just more passwords.

Wish it was Two-Factor [thedailywtf.com] shows how pretty much most North American banks have things set up. It's just another password, really, and both are "something you know". (And not "something you have" or "something you are")

Re:Fuck... (1)

Conare (442798) | more than 2 years ago | (#35670066)

There are some pretty inexpensive ways to do this (grid cards) so like the article you linked, I don't buy cost as an excuse. Of course I did take a photo of my buddy's grid card once as a joke, but at least it isn't personal data I could harvest from his facebook page which most of those bank questions are. If people are willing to carry a "bonus" card for every flipping retail establishment in existence, they should be willing to carry a card to keep their money secure. And I can't believe that the added cost of the security wouldn't pay for itself in the long run.

New version of my browser? (0)

Anonymous Coward | more than 2 years ago | (#35666128)

So, every few days when another cert is compromised there will be another version of my browser to update? Why do we need a new version of the browser? I thought revocation lists were maintained on a central server that browsers phone home to.

Re:New version of my browser? (1)

Lord_Byron (13168) | more than 2 years ago | (#35669082)

Unfortunately, OCSP has been defeated with the character 3 [thoughtcrime.org].
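An added example, not from the linked write-up or from any commenter: a small decoder for the outer OCSPResponse envelope (RFC 2560 / RFC 6960), showing why the five-byte reply whose status is tryLater(3) carries nothing to verify, and how a hard-fail policy treats it. The sample responses are constructed by hand, not captured from a responder.

```python
# OCSPResponse ::= SEQUENCE { responseStatus ENUMERATED, responseBytes [0] EXPLICIT ... OPTIONAL }
# Only a status of successful(0) with responseBytes present carries a signed
# BasicOCSPResponse. Every other reply says nothing about revocation.
STATUS_NAMES = {0: "successful", 1: "malformedRequest", 2: "internalError",
                3: "tryLater", 5: "sigRequired", 6: "unauthorized"}

# Constructed samples (not real responder output):
TRY_LATER = bytes.fromhex("30030a0103")            # SEQUENCE { ENUMERATED 3 }, no signed data
SUCCESS_SAMPLE = bytes.fromhex("30070a0100a0023000")  # status 0 + [0] EXPLICIT { placeholder SEQUENCE }


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; returns (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def parse_ocsp_response(der):
    """Return (status_code, response_bytes); response_bytes is None when [0] is absent."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("OCSPResponse must be a single SEQUENCE")
    tag, status, pos = _read_tlv(body, 0)
    if tag != 0x0A or len(status) != 1:   # ENUMERATED, one byte
        raise ValueError("bad responseStatus")
    response_bytes = None
    if pos < len(body):
        tag, response_bytes, pos = _read_tlv(body, pos)
        if tag != 0xA0 or pos != len(body):   # [0] EXPLICIT, and nothing trailing
            raise ValueError("unexpected element after responseStatus")
    return status[0], response_bytes


def decide(der, hard_fail):
    """Connection policy for a reply received on the wire.

    'verify-signature': a real BasicOCSPResponse is present, go on to check it.
    Otherwise revocation status is unknown: a soft-fail client accepts anyway
    (which is what a bare tryLater reply exploits); a hard-fail client rejects.
    """
    code, response_bytes = parse_ocsp_response(der)
    if code == 0 and response_bytes is not None:
        return "verify-signature"
    return "reject" if hard_fail else "accept-unverified"


if __name__ == "__main__":
    for name, sample in (("tryLater", TRY_LATER), ("successful", SUCCESS_SAMPLE)):
        code, rb = parse_ocsp_response(sample)
        print(name, STATUS_NAMES.get(code, code), "signed data:", rb is not None,
              "soft-fail ->", decide(sample, False), "hard-fail ->", decide(sample, True))
```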

Two-Factor (2)

Spad (470073) | more than 2 years ago | (#35666142)

Let's just hope they're not rolling out RSA Tokens [schneier.com] :)

Re:Two-Factor (2)

Archangel Michael (180766) | more than 2 years ago | (#35666922)

I can't wait till they roll out JRR Tolkien

Re:Two-Factor (1)

Abstrackt (609015) | more than 2 years ago | (#35668204)

I'd rather they didn't. Our server room smells bad enough with live bodies in there.

Re:Two-Factor (1)

Nameisyoung007 (1009935) | more than 2 years ago | (#35667466)

I wouldn't trust them to quickly roll out a RSA product. With the speed, they are going to leave some holes open, and with the back-end source code probably out in the wild, it may just make the problem worse. (The source code is only going to hurt shoddy implementations of the RSA Server. People do shoddy work under time pressure).

Removed (3, Insightful)

Lincolnshire Poacher (1205798) | more than 2 years ago | (#35666186)

I have now removed Comodo as a trusted CA on my systems, and have advised colleagues of the three known occasions on which they have failed to act as a responsible CA. The game is up.

The Mozilla inclusion policy [mozilla.org] for maintaining CAs in the default list states that:

We reserve the right to not include a particular CA certificate in our software products. This includes (but is not limited to) cases where we believe that including a CA certificate (or setting its "trust bits" in a particular way) would cause undue risks to users' security...

I hope that Mozilla now review the inclusion of Comodo's cert.

Re:Removed (1)

Haedrian (1676506) | more than 2 years ago | (#35666216)

How about telling us mortals how to do that?

Re:Removed (2)

Spad (470073) | more than 2 years ago | (#35666260)

Well in Firefox/Seamonkey go into the security settings, Manage Certificates, Trusted Authorities and delete everything under Comodo. For IE you need to open the Windows certificate management via MMC and then do the same thing.

Re:Removed (4, Informative)

Anonymous Coward | more than 2 years ago | (#35667626)

delete everything under Comodo

And the next time Firefox is updated (which happens frequently) the Comodo certificates will be back.

For each Comodo certificate you need to click on Edit and clear all the check boxes so the certificate won't be used for anything. This change survives updates. As I pointed out in a comment the other day (for which I received many flames) this user interface is completely inadequate for managing the hundreds of certificates that ship with Firefox.

Re:Removed (1)

KozmoStevnNaut (630146) | more than 2 years ago | (#35667780)

Select all of them and use the "Delete or distrust" button.

Re:Removed (0)

Anonymous Coward | more than 2 years ago | (#35668220)

I don't have a "Delete or distrust" button. Is it a FireFox 4 feature?

Re:Removed (1)

KozmoStevnNaut (630146) | more than 2 years ago | (#35670422)

I never checked in FF3 to be honest, but they probably added it in FF4.

Just another reason to upgrade :-)

Re:Removed (1, Funny)

L4t3r4lu5 (1216702) | more than 2 years ago | (#35666274)

Mere mortals have no place tampering with CA listings, especially when they are not far-sighted enough to tell us which OS they require instructions for without us asking.

Derp.

Re:Removed (0)

Anonymous Coward | more than 2 years ago | (#35666540)

Mere mortals have no place tampering with CA listings, especially when they are not far-sighted enough to tell us which OS they require instructions for without us asking.

Ah, the "you didn't ask the right question so you're too stupid for me to bother with you" approach.

Or... You could realize in a tech blog that just about every system is represented by the readership and a generic question and multi-part answer is appropriate. Or would you rather see it clogged with "how about Windows 2000", "how about Windows 2003", "how about Windows 2008", "how about Ubuntu", "how about Linux", "how about Unix", "how about Solaris"... questions.

You should be able to tell from my post that I'm not familiar with certificate management. And from the responses given without the question being specific I now know how to check a couple of platforms and I didn't have to ask, but I'll never be as smart as you.

Re:Removed (2)

asdf7890 (1518587) | more than 2 years ago | (#35667962)

Ah, the "you didn't ask the right question so you're too stupid for me to bother with you" approach.

No. The "you haven't provided information that anyone with half a brain might know could be useful" answer. It is like when our users raise reports along the lines of "I opened a form and got an error" to which we have to reply back with "which form?" (lest we have to test every single form for every record in the DB to see which one(s) report an error) and "what was the error?" (to which the response is almost always "I don't know" or "I didn't read it" which is bloody annoying especially in places where the app explicitly says "please report the code XYZ1234 when reporting this error as it will help us find information in the code and logs that might help us find the solution faster"). Another good one is "some of the counts in report B don't look right" when report B contains many figures rolled up over a large data-set. It is just lazy not to type one example when you know at least one.

Or... You could realize in a tech blog that just about every system is represented by the readership and a generic question and multi-part answer is appropriate. Or would you rather see it clogged with "how about Windows 2000", "how about Windows 2003", "how about Windows 2008", "how about Ubuntu", "how about Linux", "how about Unix", "how about Solaris"... questions.

What if the responder doesn't know how to do what you are asking in *every* browser on *every* operating system available? What if that one person doesn't have time to type out seven sets of instructions on the off-chance one of them might be the set that you were looking for?

If you are asking for help, give relevant details without asking. It helps us help you and reduces the chance that we'll just ignore you because the question is too generic and we don't have time to respond with a full article on the subject.

Sorry to come over so snarky, but I've spent too much time lately dealing with bad issue reports (some of them from people who claim to be developers so should damn well know better), I had some crap to vent, and you raised your "viable target" flag!

It isn't just people though, a lot of code does the same crap-condition-reporting thing. MS SQL reports "string or binary data would be truncated" when you have given it X thousand rows with YZ string columns. It *knows* at least one of the errant values, the first one it hit, so why doesn't it *report* the value, as that might give a massive clue as to what we have done wrong.

Re:Removed (1)

DataDiddler (1994180) | more than 2 years ago | (#35666304)

In Firefox, Preferences > Advanced > Encryption > View certificates. Go to the "authority" tab, click on the Comodo servers, click "delete or distrust."

Re:Removed (2)

gnasher719 (869701) | more than 2 years ago | (#35666306)

How about telling us mortals how to do that?

Mortal Mac users: Open Keychain Access, click on "System Roots", type "Comodo" in the search box, click to unlock the "System Roots" keychain, then delete the "Comodo Certificate Authority" certificate. You'll probably have to enter your login password at some point.

Re:Removed (3, Informative)

IgnoramusMaximus (692000) | more than 2 years ago | (#35666462)

You can't do that. Only user-installed certs can be deleted. You have to use "Get Info" on the Comodo cert, expand the "Trust" section and set the drop-down to "Do not trust". The icon for the cert will get a red "x" indicating it's untrusted.

Re:Removed (2, Funny)

Anonymous Coward | more than 2 years ago | (#35666662)

Mortal Kombat users: Left, left, up, right, open keychain access, right, right, right, down, Comodo, up, down, left, right and "Finish him"...

Re:Removed (1)

Eevee (535658) | more than 2 years ago | (#35666476)

Here is Comodo's [comodo.com] advice for removing certs from Firefox. The only difference is you would pick the Authorities tab.

Re:Removed (1)

Ben4jammin (1233084) | more than 2 years ago | (#35667442)

You may not have to do anything if you are on Windows 7. I had to do this manually for Firefox. But after getting an OS update yesterday, now when I go into IE I don't see Comodo listed as trusted, and I do see several listings under "untrusted publishers" for login.yahoo.com, mail.google.com, and a couple that were issued to MS and another for www.google.com, all listed as "untrusted".

And for the mortals out there, I checked this by going to Tools-->Internet Options-->Content-->Certificates-->Untrusted Publishers

Which you will probably find easier than using the mmc to do the same thing.

Can anyone else on W7 confirm/deny this?

Remove in Firefox 4 (0)

Anonymous Coward | more than 2 years ago | (#35668478)

It's under the "Firefox" menu dropdown, "Options", "Options", "Advanced", "Encryption", "View Certificates". Select the certificate, and hit the "Delete or Distrust" button.

Re:Removed (0)

Anonymous Coward | more than 2 years ago | (#35666702)

Make sure that you also contact comodo customers when you come across them to let them know why you can't [make a purchase/use their services]. Here's one example (that even got trumpeted in a comodo press release): http://www.hayneedle.com/

Re:Removed (1)

Lennie (16154) | more than 2 years ago | (#35667494)

I have some doubts Mozilla will drop Comodo, I think Comodo is 'too big to fail'.

My guess is they issue 1000s of certs a day, most of them valid for a year. Those would all stop working.

Comodo is quite lax on paperwork requirements (2)

Bloodwine77 (913355) | more than 2 years ago | (#35666258)

I used to get my SSL certs through Verisign or Thawte, who were quite expensive and required a truckload of paperwork to prove your identity to them when being issued an SSL certificate. This was years ago, so they may be more lax these days for all I know. I jumped to Comodo several years back because they were cheaper and had a lot less paperwork hassle. Generally I could get SSL certs more quickly through them than I could through Verisign or Thawte. I then managed enough SSL certs to get into OpenSRS and I could issue SSL certs immediately with no paperwork whatsoever. I believe the small print in OpenSRS shifts the burden to you, not Comodo, to prove the identity of the organization requesting the SSL certificate. All my clients were local businesses and were easy enough for me to verify. Long story short, there are numerous ways around the identity verification schemes when obtaining SSL certificates. Perhaps with these recent SSL incidents the registration authorities and SSL issuers will start going back to the old days of putting people through the meatgrinder when trying to obtain SSL certificates. It may be inconvenient, but I think we've gotten to the point where the scales are tipped way too far in convenience's favor to the detriment of security and verification.

Re:Comodo is quite lax on paperwork requirements (1)

Lennie (16154) | more than 2 years ago | (#35667610)

At the end of the day, most certificates can just be considered 'domain validated'. The 'green-bar' certificates ('Extended Validation') are what they used to do for everything. Maybe they even do more with EV, but all the others are just 'domain validated'. Let's not kid ourselves.

What does that mean? You upload a certificate request on the site; it downloads the whois information and does some automated checking; from the addresses in the whois you choose which one to mail it to (or one of these: admin@domain.tld postmaster@domain.tld webmaster@domain.tld hostmaster@domain.tld); they send you an email, you click the link, they do some generic checks, and if it looks valid a certificate is issued.

Really, that is all.

new two-factor (0)

Anonymous Coward | more than 2 years ago | (#35666278)

"rolling out a new two factor authentication system"? It's indefensible that they didn't use two factors since day one.

(Or, did they use RSA SecurId and they're replacing it with something that hasn't been compromised?)

Re:new two-factor (1)

LordLimecat (1103839) | more than 2 years ago | (#35666448)

SecurID wasn't compromised, RSA was. Apparently the breach had no effect on the security of the dongles, according to RSA (and I haven't seen any report to the contrary).

Re:new two-factor (1)

Anonymous Coward | more than 2 years ago | (#35667588)

http://en.wikipedia.org/wiki/SecurID#March_2011_system_compromise [wikipedia.org]

In a March 21 email to customers, RSA essentially admitted that the information stolen from their internal network would allow an attacker to compromise a SecurID-protected system without having physical possession of the token:

        "7. Have my SecurID token records been taken?
        For the security of our customers, we are not releasing any additional information about what was taken. It is more important to understand all the critical components of the RSA SecurID solution.

        To compromise any RSA SecurID deployment, the attacker needs to possess multiple pieces of information about the token, the customer, the individual users and their PINs. Some of this information is never held by RSA and is controlled only by the customer. In order to mount a successful attack, someone would need to have possession of all this information."

Barring a fatal weakness in the cryptographic implementation of the tokencode generation algorithm (which is unlikely, since it involves the simple and direct application of the extensively scrutinized AES-128 block cipher), the only circumstance under which an attacker could mount a successful attack having only information about (but not physical possession of) the token, is if the token seed records had been leaked. This is very strong evidence that the token seed records have in fact been stolen.

Let me google that for you (1)

doomy (7461) | more than 2 years ago | (#35666298)

Well, apparently Comodo systems are so secure that they are hacker proof [lmgtfy.com].

Re:Let me google that for you (1)

Lennie (16154) | more than 2 years ago | (#35667618)

Maybe Comodo is, but not their 'resellers'

Re:Let me google that for you (1)

kumanopuusan (698669) | more than 2 years ago | (#35668360)

Yeah, I think they bought dog curtains.

Permanent Solution (0)

Anonymous Coward | more than 2 years ago | (#35666344)

Go into your browser's list of certificate authorities and disable/delete all the certificates listed for Comodo. Problem solved. If you run into a Comodo cert in the wild, just contact that website and tell them they need to buy a cert from a different authority.

If you are a website that uses their certs, replace them with certs from another authority and never look back.

And yet my pgp key from 1994... (0)

Anonymous Coward | more than 2 years ago | (#35666498)

Glad my pgp key from 1994 isn't compromised. Oh that's right I managed it myself.

Meaningless (3, Insightful)

ugen (93902) | more than 2 years ago | (#35666536)

The system of "certificate authority" on which SSL security ostensibly relies has deteriorated to an essentially meaningless state.

This system is based primarily on trust. Trust requires at least a basic level of knowledge or understanding (this is a crucial difference between "trust" and "faith" :) ).

If you have not taken a look at your browser's "trusted certificate authority list" - now may be the time. I am a Firefox user, and I know that the list in Firefox contains numerous organizations with trustworthy names like "QuoVadis Limited", "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı" and "XRamp Global Certification Authority". Do you know any of these companies? Do you personally have any reason to trust in their judgment, honesty or integrity?

For each company, the Firefox web site holds a document by some accounting firm (like KPMG, which has proven itself untrustworthy and unreliable even in matters of finance where they presumably have a clue) that purports to audit intentions and practices of said company wrt. issuance of said certificates. To put it simply, that's worth as much as their audit of Lehman Brothers.

Bottom line - your browser essentially allows a random selection of highest bidders or politically connected entities to define what web sites are, in turn, to be trusted. It's pointless and there is little reason to believe that anything they say, sign or claim has any value whatsoever beyond the level of background noise.

Treat SSL the way you treat SSH - save specific certificates for sites, and watch for unexpected changes. Regardless of what the certificate or the "green location bar" say, don't trust them further than you can throw them.

Re:Meaningless (1)

airjrdn (681898) | more than 2 years ago | (#35667806)

Mod parent up. This isn't my area of expertise, but I did raise an eyebrow when I saw the "TÜRKTRUST" entry. I was glad to see someone else question it.

Re:Meaningless (1)

St.Creed (853824) | more than 2 years ago | (#35670302)

They may be more trustworthy than Comodo or Verisign. Problem is, you can't tell.

more info (0)

Anonymous Coward | more than 2 years ago | (#35666628)

The hacker has some interesting things to say: on twitter [twitter.com] (the account seems pretty damn legit)

Drop them (1)

medoc (90780) | more than 2 years ago | (#35666706)

They are hopeless and should be dropped from the trust lists in browsers. Watching them go out of business will be a useful reminder to the remaining ones that they should work a little, not just take the money.

Why does anyone care about the Comodos? (0)

Anonymous Coward | more than 2 years ago | (#35667156)

They totally went downhill after Lionel Richie left.

But what does it all mean!?! (1)

herojig (1625143) | more than 2 years ago | (#35667552)

I looked in my certificate bag in FF, and I got all kinds of Comodos there. What does that mean exactly to me, my personal data, and my small biz? thx!!!

Resident Advisor Compromised? (0)

Anonymous Coward | more than 2 years ago | (#35668130)

How do the residents of the dorm building feel about one of its Resident Advisors being compromised?

Goodbye Comodo (0)

Anonymous Coward | more than 2 years ago | (#35668486)

That does it. I just went into my Firefox config, selected all of Comodo's certificates, and clicked "Distrust."

Fingers crossed (1)

sharkey (16670) | more than 2 years ago | (#35668602)

Hope it's the RAs from my freshman and junior years in college. Those guys were both dicks.

Two factor authentication is compromised (0)

Anonymous Coward | more than 2 years ago | (#35669232)

Well, considering that RSA's master seed file was found to be stolen last week, I'm not sure that "two-factor" authentication means anything.
http://www.readwriteweb.com/enterprise/2011/03/rsa-breach-an-attack-that-used.php

Re:Two factor authentication is compromised (1)

NimbleSquirrel (587564) | more than 2 years ago | (#35669846)

So they're rolling out a *new* two factor authentication system? That implies that there was an old one.... Was it RSA? Could the two events be linked?

Defense In Depth (1)

Onymous Coward (97719) | more than 2 years ago | (#35670116)

However much you decide to trust the CAs your browser comes with, you can add some checks to the SSL validation process.

1. Check that others are seeing the same cert that you are.
2. Check that the cert for a site has been consistently what you're getting now.

Tools for this: Perspectives [networknotary.org] and Certificate Patrol [mozilla.org].

Example details from Perspectives check of an HTTPS site [networknotary.org]
Brief blog entry on Certificate Patrol [wordpress.com]
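An added example, written for this thread and not code from any commenter or from the Perspectives or Certificate Patrol projects: the SSH-style approach ugen recommends above ("save specific certificates for sites, and watch for unexpected changes") together with the two checks in this post, as a small pin store. Fingerprints are SHA-256 over the DER certificate; the certificate byte strings at the top are constructed stand-ins so the logic runs offline, while fetch_der() talks to a live site.

```python
import hashlib
import json
import ssl
import time

# Constructed stand-ins for DER-encoded certificates (not real certificates).
CERT_A = b"-- constructed stand-in for DER certificate A --"
CERT_B = b"-- constructed stand-in for DER certificate B --"


def fingerprint(der_bytes):
    """SHA-256 of the DER encoding, the fingerprint browsers display in the cert viewer."""
    return hashlib.sha256(der_bytes).hexdigest()


def observe(store, host, der_bytes, now=None, accept_change=False):
    """Compare the certificate just received from host with what the store remembers.

    Returns (status, fingerprint) where status is one of:
      first-seen  host unknown, pin it (trust on first use, like ~/.ssh/known_hosts)
      match       same certificate as last time; last_seen is refreshed
      ROLLBACK    an older pin reappeared, which legitimate key rotation never does
      CHANGED     a certificate this host never presented; recorded only if the
                  user confirmed it (accept_change=True), as Certificate Patrol asks
    """
    now = int(time.time()) if now is None else now
    fp = fingerprint(der_bytes)
    pins = store.setdefault(host, {"pins": []})["pins"]
    if not pins:
        pins.append({"sha256": fp, "first_seen": now, "last_seen": now})
        return "first-seen", fp
    if pins[-1]["sha256"] == fp:
        pins[-1]["last_seen"] = now
        return "match", fp
    if any(p["sha256"] == fp for p in pins[:-1]):
        return "ROLLBACK", fp
    if accept_change:
        pins.append({"sha256": fp, "first_seen": now, "last_seen": now})
    return "CHANGED", fp


def notary_agreement(fp, notary_fingerprints):
    """Fraction of other vantage points (Perspectives-style notaries) that saw the same cert."""
    if not notary_fingerprints:
        return 0.0
    return sum(1 for n in notary_fingerprints if n == fp) / len(notary_fingerprints)


def load_store(path):
    try:
        with open(path) as f:
            return json.load(f)
    except FileNotFoundError:
        return {}


def save_store(store, path):
    with open(path, "w") as f:
        json.dump(store, f, indent=2)


def fetch_der(host, port=443):
    """Leaf certificate the live site presents right now (needs network access)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    store = load_store("pins.json")
    status, fp = observe(store, host, fetch_der(host))
    save_store(store, "pins.json")
    print(host, status, fp)
```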
