
Anon users
@anonymouse.org

Anon users

Anon

REMOVE Comodo Certificates from FireFox, Opera!!!

From Sci.Crypt ( »www.derkeiler.com/Newsgr ··· 285.html ):

Comodo is a Certificate Authority whose root certificates
have the honor of being in Firefox's built-in certificate
set. They seem to have made The Big Mistake by lending
their credibility to a reseller who signed a cert for
Eddy Nigg in the name of mozilla.com:

The original emails: »groups.google.com/group/ ··· 204487bf

Comodo certificates are USED for SSL connections in your browser. If Comodo lets its reseller sign 'bogus' certificates... using FireFox or Opera DOESN'T HELP!!!!

BTW, BOTH FireFox AND Opera 'allow' Comodo SSL certificates in the out-of-box setting... ya're WARNED to remove them from the 'Trusted Root Certification Authority'!!!

...WORRY about its famous & free HIPS-Firewall....

Cudni
La Merma - Vigilado
MVM
join:2003-12-20
Someshire

Cudni

MVM

said by Anon users :

BTW, BOTH FireFox AND Opera 'allow' Comodo SSL certificates in the out-of-box setting... ya're WARNED to remove them from the 'Trusted Root Certification Authority'!!!

»groups.google.com/group/ ··· 204487bf
"...
Pulling a Comodo root will knock out Firefox, etc., access to thousands
of SSL sites, maybe tens of thousands. Given the disruption that would
cause, the final decision on this IMO should be made in conjunction with
the Firefox security folks. From my point of view I'd wait on more
information regarding items 2 and 3 above before making a recommendation.
.."

and more interesting discussion

Cudni

rcdailey
Dragoonfly
Premium Member
join:2005-03-29
Rialto, CA

rcdailey

Premium Member

Would editing the trust settings for each certificate under the Comodo CA root be effective? Then the root would not have to be deleted in Firefox.

nwrickert
Mod
join:2004-09-04
Geneva, IL

nwrickert

Mod

That's better than deleting the certificate. I unchecked the trust on all 4 certificates.

I think that what will happen if I visit a site using a Comodo certificate, is that there will be a browser warning that the issuer is not trusted. Then I should be able to decide for myself, on a case by case basis, whether to connect to that site.

rcdailey
Dragoonfly
Premium Member
join:2005-03-29
Rialto, CA

4 edits

rcdailey

Premium Member

said by nwrickert:

That's better than deleting the certificate. I unchecked the trust on all 4 certificates.

I think that what will happen if I visit a site using a Comodo certificate, is that there will be a browser warning that the issuer is not trusted. Then I should be able to decide for myself, on a case by case basis, whether to connect to that site.

I think I will do that myself, and see what happens.
BTW, there are five certificates under the Comodo CA root in my Firefox. That suggests I will have to monitor the certificates just in case another certificate is added stealthily.

Adding: I have gone to banking and credit card sites and webmail and have not yet found anything that seems to be using the Comodo CA certificates. So, there may not be a problem with disabling those certificates. I can see that when I ask to view the certificate, Firefox reports that it "Could not verify this certificate for unknown reasons." You'd think that there would be a better notification when the reason is that the permissions are disabled locally within Firefox.

swhx7
Premium Member
join:2006-07-23
Elbonia

swhx7 to Anon users

Premium Member

to Anon users
Previously posted: »"perfect MITM"

Also a discussion of SSL vs. possible alternatives: »Poor SSL Implementations Leave Many Sites At Risk

My first thought on what to do with the Comodo certs in the browser was, what are the possible attack scenarios? Does it no longer make sense to trust any site whose SSL depends on a Comodo certificate? In particular, if DNS is not poisoned, and one uses a bookmark or types a URL, wouldn't there have to be a redirect or proxy or something to set up a MITM?

The answer to the latter is basically yes, according to this post on the linked page:
On 12/23/2008 09:09 AM, Kyle Hamilton:

> (I word it like that because in order for an attacker to succeed he
> would need to also hijack DNS, or place an entry in the user's hosts
> file.)

Or be a WiFi operator. This was the attack vector of
»bugzilla.mozilla.org/sho ··· d=460374

nwrickert
Mod
join:2004-09-04
Geneva, IL

1 recommendation

nwrickert

Mod

In particular, if DNS is not poisoned, and one uses a bookmark or types a URL, wouldn't there have to be a redirect or proxy or something to set up a MITM?

Whoever controls the intermediate routers (probably your ISP) could set up a hidden proxy that is hard to detect.

I am inclined to think that my ISP (AT&T) wouldn't do that. On the other hand they did cooperate with the NSA in illegal wiretapping, so who knows what they might do.

fphall
The Guardian
Premium Member
join:2003-11-01
Bristol, CT

fphall to rcdailey

Premium Member

to rcdailey
said by rcdailey:

Would editing the trust settings for each certificate under the Comodo CA root be effective? Then the root would not have to be deleted in Firefox.

How does one do that?

TheWiseGuy
Dog And Butterfly
MVM
join:2002-07-04
East Stroudsburg, PA

TheWiseGuy to swhx7

MVM

to swhx7
Just some off hand thoughts.

It depends on whether you can depend on the default gateway and any subsequent hops to not have been hijacked and turned into a proxy. I believe compromise of routing tables would allow a MITM and then with certificate authentication being compromised allow for the theft of passwords and user IDs.

I would think another big risk would be for someone who connects via wireless hotspots. Unless they use a VPN it could make using SSL dangerous. If someone has to log in to the provider it would also make it possible to compromise the log in to the hot spot.

swhx7
Premium Member
join:2006-07-23
Elbonia

swhx7 to fphall

Premium Member

to fphall
said by fphall:

said by rcdailey:

Would editing the trust settings for each certificate under the Comodo CA root be effective? Then the root would not have to be deleted in Firefox.

How does one do that?





Above is the Seamonkey version - Firefox is probably similar. Note that mine shows only three, vs. references to four or five above.
Frodo
join:2006-05-05

Frodo to Anon users

Member

to Anon users
I'm also seeing Comodo under GTE Corporation in Firefox. Among the purposes of that certificate is "SSL Certificate Authority"

chachazz
Premium Member
join:2003-12-14

chachazz to Anon users

Premium Member

to Anon users
Firefox > Options > Advanced > Encryption > View Cert:



salzan
Experienced Optimist
Premium Member
join:2004-01-08
WA State

salzan to Anon users

Premium Member

to Anon users
This shows Firefox.

I've found that I have to edit the permissions for each profile.

nwrickert
Mod
join:2004-09-04
Geneva, IL

nwrickert

Mod

I've found that I have to edit the permissions for each profile.

Yes. But in a way, that's good. It means that the change you made is in your profile. And thus when the next release of Firefox comes out, it won't override those changes.

salzan
Experienced Optimist
Premium Member
join:2004-01-08
WA State

salzan

Premium Member

Yeah, it's no biggie but folks should be aware of it.

rcdailey
Dragoonfly
Premium Member
join:2005-03-29
Rialto, CA

rcdailey to fphall

Premium Member

to fphall
said by fphall:

said by rcdailey:

Would editing the trust settings for each certificate under the Comodo CA root be effective? Then the root would not have to be deleted in Firefox.

How does one do that?

In Firefox, click on Tools, Options, Advanced, Encryption, View Certificates, then highlight the specific certificate, click on Edit, uncheck the trust settings.

rcdailey

rcdailey to swhx7

Premium Member

to swhx7
Nice work. Firefox is identical. Better than my text explanation.

rcdailey

rcdailey to salzan

Premium Member

to salzan
That stands to reason.

rcdailey

1 edit

rcdailey to Frodo

Premium Member

to Frodo
said by Frodo:

I'm also seeing Comodo under GTE Corporation in Firefox. Among the purposes of that certificate is "SSL Certificate Authority"

I just looked at that certificate in Firefox and then clicked on Edit and the trust settings were NOT checked, so Firefox should warn, BUT the root certificate is GTE CyberTrust Global Root, and so long as that is enabled, all the other certificates are permitted, even though the boxes are not checked in the trust settings for each certificate. In order to fully disable those certificates, it appears that you have to disable GTE CyberTrust Global Root, which you can do. However, that might cause some problems. Now I'll have to search for other Comodo entries under other issuers. Arrgh!

Well, there don't seem to be any other Comodo entries, and I am not sure that the Comodo entry under GTE Corporation is really a problem. Perhaps someone else has an opinion?
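
Added example, not part of any post in this thread: a Python audit of a CA list that separates entries trusted as roots in their own right from entries issued by another CA, the distinction behind the Comodo certificate listed under GTE Corporation. It reads the dict format of `ssl.SSLContext.get_ca_certs()`, which reflects the store Python's OpenSSL uses, not a Firefox profile. `find_ca_entries`, `SAMPLE_STORE` and the sample certificate names are assumptions constructed for illustration.

```python
import ssl

def _entry(subj_o, subj_cn, iss_o, iss_cn, not_after):
    """Build one constructed record in the get_ca_certs() dict format."""
    name = lambda o, cn: ((("organizationName", o),), (("commonName", cn),))
    return {"subject": name(subj_o, subj_cn), "issuer": name(iss_o, iss_cn),
            "notAfter": not_after}

# Constructed sample data. Only "GTE Corporation" and "GTE CyberTrust Global
# Root" are names taken from the thread; everything else is made up.
SAMPLE_STORE = [
    _entry("Comodo (sample)", "Sample Comodo Root",
           "Comodo (sample)", "Sample Comodo Root", "Dec 31 23:59:59 2028 GMT"),
    _entry("Comodo (sample)", "Sample Comodo Cross CA",
           "GTE Corporation", "GTE CyberTrust Global Root", "Aug 13 23:59:00 2018 GMT"),
    _entry("Other CA (sample)", "Sample Other Root",
           "Other CA (sample)", "Sample Other Root", "Jan 01 00:00:00 2030 GMT"),
]

def _flat(name):
    """Flatten the ssl module's nested RDN tuples into {attribute: value}."""
    return {key: value for rdn in name for (key, value) in rdn}

def find_ca_entries(ca_certs, needle):
    """Return entries whose subject or issuer mentions `needle` (case-insensitive).

    kind is 'root' (self-issued, trusted directly), 'cross-signed' (named for
    the CA but issued by a different one, so it chains to that issuer's root)
    or 'issued-by' (only the issuer field matches).
    """
    needle = needle.lower()
    hits = []
    for cert in ca_certs:
        subject, issuer = _flat(cert["subject"]), _flat(cert["issuer"])
        in_subject = any(needle in v.lower() for v in subject.values())
        in_issuer = any(needle in v.lower() for v in issuer.values())
        if not (in_subject or in_issuer):
            continue
        if in_subject:
            kind = "root" if cert["subject"] == cert["issuer"] else "cross-signed"
        else:
            kind = "issued-by"
        hits.append({"kind": kind,
                     "subject": subject.get("commonName"),
                     "listed_under": issuer.get("organizationName"),
                     "not_after": cert.get("notAfter")})
    return hits

if __name__ == "__main__":
    ctx = ssl.create_default_context()  # loads the platform's default CA store
    for hit in find_ca_entries(ctx.get_ca_certs(), "comodo"):
        print(hit)
```

A `cross-signed` hit is the case to look at twice: clearing trust on that entry alone leaves its issuing root trusted.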

fphall
The Guardian
Premium Member
join:2003-11-01
Bristol, CT

fphall to rcdailey

Premium Member

to rcdailey
Thank you all for your helpful and detailed answers. Merry Christmas and Happy Holidays to all.

Frodo
join:2006-05-05

Frodo to rcdailey

Member

to rcdailey
I see Comodo under AddTrust AB. Don't have an informed opinion.

rcdailey
Dragoonfly
Premium Member
join:2005-03-29
Rialto, CA

1 edit

rcdailey

Premium Member

said by Frodo:

I see Comodo under AddTrust AB. Don't have an informed opinion.

Interesting. It is not there in my Firefox.

Adding: I looked at the certificate management in Opera and it is not so verbose as Firefox. You get a list of authorities, but no tree with certificates sub to the authority, so far as I can see.

nwrickert
Mod
join:2004-09-04
Geneva, IL

1 recommendation

nwrickert

Mod

I looked at the certificate management in Opera and it is not so verbose as Firefox.

Probably a smaller set of trusted certificates.

For the Comodo certificate, I checked the box "Warn me before using this certificate".

There's also a Comodo certificate in the Windows certificate store (used by IE).

rcdailey
Dragoonfly
Premium Member
join:2005-03-29
Rialto, CA

1 edit

rcdailey

Premium Member

said by nwrickert:

I looked at the certificate management in Opera and it is not so verbose as Firefox.
Probably a smaller set of trusted certificates.

For the Comodo certificate, I checked the box "Warn me before using this certificate".

There's also a Comodo certificate in the Windows certificate store (used by IE).

Good points. I'll check that in Opera and also look at the one in the Windows store.

I opened IE and looked at certificate management there and found four different entries that related to Comodo. I decided to leave them alone because I don't use IE except for Windows Update.

Epyon9283
Premium Member
join:2001-12-26
Trenton, NJ

Epyon9283 to swhx7

Premium Member

to swhx7
said by swhx7:

Previously posted: »"perfect MITM"

Also a discussion of SSL vs. possible alternatives: »Poor SSL Implementations Leave Many Sites At Risk

My first thought on what to do with the Comodo certs in the browser was, what are the possible attack scenarios? Does it no longer make sense to trust any site whose SSL depends on a Comodo certificate? In particular, if DNS is not poisoned, and one uses a bookmark or types a URL, wouldn't there have to be a redirect or proxy or something to set up a MITM?

The answer to the latter is basically yes, according to this post on the linked page:
On 12/23/2008 09:09 AM, Kyle Hamilton:

> (I word it like that because in order for an attacker to succeed he
> would need to also hijack DNS, or place an entry in the user's hosts
> file.)

Or be a WiFi operator. This was the attack vector of
»bugzilla.mozilla.org/sho ··· d=460374

The answer is only yes if you ignore the cert warning as the user in that bug report did.

OZO
Premium Member
join:2003-01-17

OZO to rcdailey

Premium Member

to rcdailey
said by rcdailey:

I opened IE and looked at certificate management there and found four different entries that related to Comodo. I decided to leave them alone because I don't use IE except for Windows Update.

Where did you get them from? My CA root depository has only one COMODO cert:


COMODO root cert

There are two ways to get CA in root depository:
1) via m$ updates (my WXP comp is fully updated)
2) accept them manually on a web site request.

rcdailey
Dragoonfly
Premium Member
join:2005-03-29
Rialto, CA

1 edit

rcdailey

Premium Member

said by OZO:
said by rcdailey:

Where did you get them from? My CA root depository has only one COMODO cert:

There are two ways to get CA in root depository:
1) via m$ updates (my WXP comp is fully updated)
2) accept them manually on a web site request.

I have an image of the listing of trusted root certificates in IE7. I did not manually add these and do not know that they were added in a root certificate update via MS Update, but can't rule that out. Comodo is trusted by Microsoft, after all.


IE 7 trusted root certificates


Note that the list is sorted by friendly name. Only three of the entries are shown there. The other entry shows Comodo as the friendly name.

Added: Root certificate updates are optional, so don't get updated as an express update.

Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20

Premium Member

I have had Comodo certs disabled for as long as they have been in Firefox. I would never trust Comodo. I also have GoDaddy certs disabled. GoDaddy has a lot of creeps with certs because they are the cheapest so I want a warning each time with GoDaddy so I can decide for myself.

As for IE7 on Vista, I don't have any Comodo cert entries.

On XP, IE6 has one Comodo entry which I had missed. I unchecked everything. Will that cripple IE? I keep IE 6 updated for root certs but not IE7. I don't have the latest root cert update for IE6 though as I haven't seen where to get it that doesn't require my allowing WGA.

OZO
Premium Member
join:2003-01-17

OZO to rcdailey

Premium Member

to rcdailey
Well, that explains it. Sorting by Friendly Name helped me to find not just 3, but 4 COMODO certs.


COMODO certificates

Thank you for posting your picture. It looks like my depository is more recent (look at expiration dates). So, next time you update - expect to get more.

I do not see in IE a way to make some certs not trusted. There is Advanced Options dialog with Certificate purposes settings. Perhaps if you clear all check boxes there the cert will become un-trusted, but I have not tested it yet.

rcdailey
Dragoonfly
Premium Member
join:2005-03-29
Rialto, CA

rcdailey to Mele20

Premium Member

to Mele20
Vista may be different from XP in terms of handling certificates. I think it is probably true that you have to allow WGA in order to get some of these updates.