Anon users
2008-Dec-25 4:23 am
REMOVE Comodo Certificates from FireFox, Opera!!!

From Sci.Crypt ( » www.derkeiler.com/Newsgr ··· 285.html ):

Comodo is a Certificate Authority whose root certificates have the honor of being in Firefox's built-in certificate set. They seem to have made The Big Mistake by lending their credibility to a reseller who signed a cert for Eddy Nigg in the name of mozilla.com:

The original emails: » groups.google.com/group/ ··· 204487bf

Comodo certificates are USED for SSL connection in your browser. If Comodo lets its reseller sign 'bogus' certificates... using FireFox or Opera DOESN'T HELP!!!!

BTW, BOTH FireFox AND Opera 'allow' Comodo SSL certificates in the out-of-box setting... ya're WARNED to remove them from the 'Trusted Root Certification Authority'!!!

...WORRY about its famous & free HIPS-Firewall....
|
Cudni (La Merma - Vigilado) MVM join:2003-12-20 Someshire
2008-Dec-25 8:17 am
said by Anon users:
BTW, BOTH FireFox AND Opera 'allow' Comodo SSL certificates in the out-of-box setting... ya're WARNED to remove them from the 'Trusted Root Certification Authority'!!!

» groups.google.com/group/ ··· 204487bf

"... Pulling a Comodo root will knock out Firefox, etc., access to thousands of SSL sites, maybe tens of thousands. Given the disruption that would cause, the final decision on this IMO should be made in conjunction with the Firefox security folks. From my point of view I'd wait on more information regarding items 2 and 3 above before making a recommendation. .."

and more interesting discussion

Cudni
|
rcdailey (Dragoonfly) Premium Member join:2005-03-29 Rialto, CA
2008-Dec-25 11:30 am
Would editing the trust settings for each certificate under the Comodo CA root be effective? Then the root would not have to be deleted in Firefox.
|
|
|
That's better than deleting the certificate. I unchecked the trust on all 4 certificates.
I think that what will happen if I visit a site using a Comodo certificate, is that there will be a browser warning that the issuer is not trusted. Then I should be able to decide for myself, on a case by case basis, whether to connect to that site.
|
rcdailey (Dragoonfly) Premium Member join:2005-03-29 Rialto, CA 4 edits
2008-Dec-25 11:57 am
said by nwrickert:
That's better than deleting the certificate. I unchecked the trust on all 4 certificates. I think that what will happen if I visit a site using a Comodo certificate, is that there will be a browser warning that the issuer is not trusted. Then I should be able to decide for myself, on a case by case basis, whether to connect to that site.

I think I will do that myself, and see what happens. BTW, there are five certificates under the Comodo CA root in my Firefox. That suggests I will have to monitor the certificates just in case another certificate is added stealthily.

Adding: I have gone to banking and credit card sites and webmail and have not yet found anything that seems to be using the Comodo CA certificates. So, there may not be a problem with disabling those certificates. I can see that when I ask to view the certificate, Firefox reports that it "Could not verify this certificate for unknown reasons." You'd think that there would be a better notification when the reason is that the permissions are disabled locally within Firefox.
|
swhx7 Premium Member join:2006-07-23 Elbonia
to Anon users
Previously posted: » "perfect MITM"

Also a discussion of SSL vs. possible alternatives: » Poor SSL Implementations Leave Many Sites At Risk

My first thought on what to do with the Comodo certs in the browser was, what are the possible attack scenarios? Does it no longer make sense to trust any site whose SSL depends on a Comodo certificate? In particular, if DNS is not poisoned, and one uses a bookmark or types a URL, wouldn't there have to be a redirect or proxy or something to set up a MITM? The answer to the latter is basically yes, according to this post on the linked page:

On 12/23/2008 09:09 AM, Kyle Hamilton:
> (I word it like that because in order for an attacker to succeed he
> would need to also hijack DNS, or place an entry in the user's hosts
> file.)

Or be a WiFi operator. This was the attack vector of » bugzilla.mozilla.org/sho ··· d=460374
|
1 recommendation |
In particular, if DNS is not poisoned, and one uses a bookmark or types a URL, wouldn't there have to be a redirect or proxy or something to set up a MITM?

Whoever controls the intermediate routers (probably your ISP) could set up a hidden proxy that is hard to detect. I am inclined to think that my ISP (AT&T) wouldn't do that. On the other hand they did cooperate with the NSA in illegal wiretapping, so who knows what they might do.
|
fphall (The Guardian) Premium Member join:2003-11-01 Bristol, CT
to rcdailey
said by rcdailey:
Would editing the trust settings for each certificate under the Comodo CA root be effective? Then the root would not have to be deleted in Firefox.

How does one do that?
|
TheWiseGuy (Dog And Butterfly) MVM join:2002-07-04 East Stroudsburg, PA
to swhx7
Just some offhand thoughts.
It depends on whether you can depend on the default gateway and any subsequent hops to not have been hijacked and turned into a proxy. I believe compromise of routing tables would allow a MITM and then with certificate authentication being compromised allow for the theft of passwords and user IDs.
I would think another big risk would be for someone who connects via wireless hotspots. Unless they use a VPN it could make using SSL dangerous. If someone has to log in to the provider it would also make it possible to compromise the log in to the hot spot.
|
swhx7 Premium Member join:2006-07-23 Elbonia
to fphall
said by fphall:
said by rcdailey:
Would editing the trust settings for each certificate under the Comodo CA root be effective? Then the root would not have to be deleted in Firefox.
how does one do that?

Above is the Seamonkey version - Firefox is probably similar. Note that mine shows only three, vs. references to four or five above.
|
|
|
to Anon users
I'm also seeing Comodo under GTE Corporation in Firefox. Among the purposes of that certificate is "SSL Certificate Authority".
|
|
to Anon users
Firefox > Options > Advanced > Encryption > View Cert:
|
|
salzan (Experienced Optimist) Premium Member join:2004-01-08 WA State
to Anon users
This shows Firefox. I've found that I have to edit the permissions for each profile.
|
|
I've found that I have to edit the permissions for each profile.

Yes. But in a way, that's good. It means that the change you made is in your profile. And thus when the next release of Firefox comes out, it won't override those changes.
|
salzan (Experienced Optimist) Premium Member join:2004-01-08 WA State
2008-Dec-25 3:20 pm
Yeah, it's no biggie but folks should be aware of it.
|
rcdailey (Dragoonfly) Premium Member join:2005-03-29 Rialto, CA
to fphall
said by fphall:
said by rcdailey:
Would editing the trust settings for each certificate under the Comodo CA root be effective? Then the root would not have to be deleted in Firefox.
how does one do that?

In Firefox, click on Tools, Options, Advanced, Encryption, View Certificates, then highlight the specific certificate, click on Edit, uncheck the trust settings.
|
rcdailey
to swhx7
Nice work. Firefox is identical. Better than my text explanation.
|
rcdailey
to salzan
That stands to reason.
|
rcdailey 1 edit
to Frodo
said by Frodo:
I'm also seeing Comodo under GTE Corporation in Firefox. Among the purposes of that certificate is "SSL Certificate Authority"

I just looked at that certificate in Firefox and then clicked on Edit and the trust settings were NOT checked, so Firefox should warn, BUT the root certificate is GTE CyberTrust Global Root, and so long as that is enabled, all the other certificates are permitted, even though the boxes are not checked in the trust settings for each certificate. In order to fully disable those certificates, it appears that you have to disable GTE CyberTrust Global Root, which you can do. However, that might cause some problems.

Now I'll have to search for other Comodo entries under other issuers. Arrgh! Well, there don't seem to be any other Comodo entries, and I am not sure that the Comodo entry under GTE Corporation is really a problem. Perhaps someone else has an opinion?
|
fphall (The Guardian) Premium Member join:2003-11-01 Bristol, CT
to rcdailey
Thank you all for your helpful and detailed answers. Merry Christmas and Happy Holidays to all.
|
|
to rcdailey
I see Comodo under AddTrust AB. Don't have an informed opinion.
|
rcdailey (Dragoonfly) Premium Member join:2005-03-29 Rialto, CA 1 edit
2008-Dec-25 8:23 pm
said by Frodo:
I see Comodo under AddTrust AB. Don't have an informed opinion.

Interesting. It is not there in my Firefox.

Adding: I looked at the certificate management in Opera and it is not so verbose as Firefox. You get a list of authorities, but no tree with certificates sub to the authority, so far as I can see.
|
1 recommendation |
I looked at the certificate management in Opera and it is not so verbose as Firefox.

Probably a smaller set of trusted certificates. For the Comodo certificate, I checked the box "Warn me before using this certificate". There's also a Comodo certificate in the Windows certificate store (used by IE).
|
rcdailey (Dragoonfly) Premium Member join:2005-03-29 Rialto, CA 1 edit
2008-Dec-25 9:27 pm
said by nwrickert:
I looked at the certificate management in Opera and it is not so verbose as Firefox.
Probably a smaller set of trusted certificates. For the Comodo certificate, I checked the box "Warn me before using this certificate". There's also a Comodo certificate in the Windows certificate store (used by IE).

Good points. I'll check that in Opera and also look at the one in the Windows store. I opened IE and looked at certificate management there and found four different entries that related to Comodo. I decided to leave them alone because I don't use IE except for Windows Update.
|
Epyon9283 Premium Member join:2001-12-26 Trenton, NJ
to swhx7
said by swhx7:
Previously posted: » "perfect MITM"
Also a discussion of SSL vs. possible alternatives: » Poor SSL Implementations Leave Many Sites At Risk
My first thought on what to do with the Comodo certs in the browser was, what are the possible attack scenarios? Does it no longer make sense to trust any site whose SSL depends on a Comodo certificate? In particular, if DNS is not poisoned, and one uses a bookmark or types a URL, wouldn't there have to be a redirect or proxy or something to set up a MITM? The answer to the latter is basically yes, according to this post on the linked page:
On 12/23/2008 09:09 AM, Kyle Hamilton:
> (I word it like that because in order for an attacker to succeed he
> would need to also hijack DNS, or place an entry in the user's hosts
> file.)
Or be a WiFi operator. This was the attack vector of » bugzilla.mozilla.org/sho ··· d=460374

The answer is only yes if you ignore the cert warning as the user in that bug report did.
|
OZO Premium Member join:2003-01-17
to rcdailey
said by rcdailey:
I opened IE and looked at certificate management there and found four different entries that related to Comodo. I decided to leave them alone because I don't use IE except for Windows Update.

Where did you get them from? My CA root depository has only one COMODO cert:
[Image: COMODO root cert]
There are two ways to get CA in root depository: 1) via m$ updates (my WXP comp is fully updated) 2) accept them manually on a web site request.
|
|
rcdailey (Dragoonfly) Premium Member join:2005-03-29 Rialto, CA 1 edit
2008-Dec-25 11:50 pm
said by OZO:
Where did you get them from? My CA root depository has only one COMODO cert: There are two ways to get CA in root depository: 1) via m$ updates (my WXP comp is fully updated) 2) accept them manually on a web site request.

I have an image of the listing of trusted root certificates in IE7. I did not manually add these and do not know that they were added in a root certificate update via MS Update, but can't rule that out. Comodo is trusted by Microsoft, after all.
[Image: IE 7 trusted root certificates]
Note that the list is sorted by friendly name. Only three of the entries are shown there. The other entry shows Comodo as the friendly name.
Added: Root certificate updates are optional, so don't get updated as an express update.
|
|
Mele20 Premium Member join:2001-06-05 Hilo, HI
2008-Dec-26 12:39 am
I have had Comodo certs disabled for as long as they have been in Firefox. I would never trust Comodo. I also have GoDaddy certs disabled. GoDaddy has a lot of creeps with certs because they are the cheapest so I want a warning each time with GoDaddy so I can decide for myself.
As for IE7 on Vista, I don't have any Comodo cert entries.
On XP, IE6 has one Comodo entry which I had missed. I unchecked everything. Will that cripple IE? I keep IE 6 updated for root certs but not IE7. I don't have the latest root cert update for IE6 though as I haven't seen where to get it that doesn't require my allowing WGA.
|
OZO Premium Member join:2003-01-17
to rcdailey
Well, that explains it. Sorting by Friendly Name helped me to find not just 3, but 4 COMODO certs.
[Image: COMODO certificates]
Thank you for posting your picture. It looks like my depository is more recent (look at expiration dates). So, next time you update - expect to get more.
I do not see in IE a way to make some certs not trusted. There is Advanced Options dialog with Certificate purposes settings. Perhaps if you clear all check boxes there the cert will become un-trusted, but I have not tested it yet.
|
rcdailey (Dragoonfly) Premium Member join:2005-03-29 Rialto, CA
to Mele20
Vista may be different from XP in terms of handling certificates. I think it is probably true that you have to allow WGA in order to get some of these updates.
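Added example, not part of any poster's message: the trust edits discussed in this thread are stored per profile, so each profile has to be checked separately. The Python below parses NSS `certutil -L` style listings and reports, per profile, which entries whose nickname matches a keyword still carry the SSL CA trust flag `C`; the profile names, nicknames and listings are constructed sample data, and the listing layout is assumed to match certutil's nickname/trust-attributes columns.

```python
import re

# A certutil -L row ends in three comma-separated flag fields:
# SSL, S/MIME, code signing. An empty field means no trust was granted.
TRUST_FIELD = re.compile(r"^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$")

def parse_listing(text):
    """Return (nickname, ssl_flags) pairs; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.rstrip().rsplit(None, 1)
        if len(parts) == 2 and TRUST_FIELD.match(parts[1]):
            rows.append((parts[0].strip(), parts[1].split(",")[0]))
    return rows

def ssl_trusted(text, keywords):
    """Nicknames matching any keyword that still hold 'C' (trusted CA) for SSL."""
    return [nick for nick, ssl in parse_listing(text)
            if "C" in ssl and any(k.lower() in nick.lower() for k in keywords)]

def audit_profiles(listings, keywords=("comodo",)):
    """Map profile name -> matching CAs still trusted for SSL in that profile."""
    return {name: ssl_trusted(text, keywords) for name, text in listings.items()}

# Constructed sample listings (hypothetical nicknames), one per browser profile.
HEADER = (
    "\nCertificate Nickname                        Trust Attributes\n"
    "                                            SSL,S/MIME,JAR/XPI\n\n"
)
SAMPLE = {
    # Trust was unchecked here; Root B keeps only its e-mail trust bit.
    "default": HEADER
        + "Example COMODO Root A                       ,,\n"
        + "Example COMODO Root B                       ,C,\n"
        + "Example Other Root                          C,C,C\n",
    # Second profile was never edited, so the built-in trust is intact.
    "work": HEADER
        + "Example COMODO Root A                       C,C,C\n"
        + "Example COMODO Root B                       CT,C,C\n"
        + "Example Other Root                          C,C,C\n",
}

if __name__ == "__main__":
    for profile, hits in audit_profiles(SAMPLE).items():
        print(profile, "->", hits or "no matching CA trusted for SSL")
```

An entry with empty flags is not actively distrusted; as noted above for the Comodo entry under GTE CyberTrust Global Root, a certificate can still validate through a trusted root above it.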
|