Anon users
@anonymouse.org
| REMOVE Comodo Certificates from FireFox, Opera!!!
From Sci.Crypt ( »www.derkeiler.com/Newsgroups/sci···285.html ):
Comodo is a Certificate Authority whose root certificates
have the honor of being in Firefox's built-in certificate
set. They seem to have made The Big Mistake by lending
their credibility to a reseller who signed a cert for
Eddy Nigg in the name of mozilla.com:
The original emails: »groups.google.com/group/mozilla.···204487bf
Comodo certificates are USED for SSL connection in your browser. If Comodo lets its reseller to sign 'bogus' certificates... using FireFox or Opera DON'T HELP!!!!
BTW, BOTH FireFox AND Opera 'allows' Comodo SSL certificates in the out-of-box setting... ya're WARNED to remove them from the 'Trusted Root Certification Authority'!!!
...WORRY about its famous & free HIPS-Firewall.... |
|
Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
| said by Anon users :
BTW, BOTH FireFox AND Opera 'allows' Comodo SSL certificates in the out-of-box setting... ya're WARNED to remove them from the 'Trusted Root Certification Authority'!!!
»groups.google.com/group/mozilla.···204487bf
"...
Pulling a Comodo root will knock out Firefox, etc., access to thousands
of SSL sites, maybe tens of thousands. Given the disruption that would
cause, the final decision on this IMO should be made in conjunction with
the Firefox security folks. From my point of view I'd wait on more
information regarding items 2 and 3 above before making a recommendation.
.."
and more interesting discussion
Cudni
--
"what we know we know the same, what we don't know, we don't know it differently."
Help yourself so God can help you.
Microsoft MVP, 2006 - 2008 |
|
rcdailey
Dragoonfly
Premium
join:2005-03-29
Rialto, CA | Would editing the trust settings for each certificate under the Comodo CA root be effective? Then the root would not have to be deleted in Firefox. |
|
nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
 ·AT&T U-Verse
 ·AT&T Midwest
| That's better than deleting the certificate. I unchecked the trust on all 4 certificates.
I think that what will happen if I visit a site using a Comodo certificate, is that there will be a browser warning that the issuer is not trusted. Then I should be able to decide for myself, on a case by case basis, whether to connect to that site.
--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.5 |
|
rcdailey
Dragoonfly
Premium
join:2005-03-29
Rialto, CA
4 edits | said by nwrickert  :That's better than deleting the certificate. I unchecked the trust on all 4 certificates. I think that what will happen if I visit a site using a Comodo certificate, is that there will be a browser warning that the issuer is not trusted. Then I should be able to decide for myself, on a case by case basis, whether to connect to that site. I think I will do that myself, and see what happens.
BTW, there are five certificates under the Comodo CA root in my Firefox. That suggests I will have to monitor the certificates just in case another certificate is added stealthily.
Adding: I have gone to banking and credit card sites and webmail and have not yet found anything that seems to be using the Comodo CA certificates. So, there may not be a problem with disabling those certificates. I can see that when I ask to view the certificate, Firefox reports that it "Could not verify this certificate for unknown reasons." You'd think that there would be a better notification when the reason is that the permissions are disabled locally within Firefox. 
|
|
swhx7
Premium
join:2006-07-23
Elbonia
 ·RoadRunner Cable
| reply to Anon users
Previously posted: »"perfect MITM"
Also a discussion of SSL vs. possible alternatives: »Poor SSL Implementations Leave Many Sites At Risk
My first thought on what to do with the Comodo certs in the browser was, what are the possible attack scenarios? Does it no longer make sense to trust any site whose SSL depends on a Comodo certificate? In particular, if DNS is not poisoned, and one uses a bookmark or types a URL, wouldn't there have to be a redirect or proxy or something to set up a MITM?
The answer to the latter is basically yes, according to this post on the linked page:
On 12/23/2008 09:09 AM, Kyle Hamilton: > (I word it like that because in order for an attacker to succeed he > would need to also hijack DNS, or place a entry in the user's hosts > file.) Or be a WiFi operator. This was the attack vector of » https:// bugzilla.mozilla.org/show_bug.cgi?id=460374 |
|
nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T U-Verse
·AT&T Midwest
| In particular, if DNS is not poisoned, and one uses a bookmark or types a URL, wouldn't there have to be a redirect or proxy or something to set up a MITM? Whoever controls the intermediate routers (probably your ISP) could set up a hidden proxy that is hard to detect.
I am inclined to think that my ISP (AT&T) wouldn't do that. On the other hand they did cooperate with the NSA in illegal wiretapping, so who knows what they might do.
--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.5 |
|
fphall
The Guardian
Premium
join:2003-11-01
Bristol, CT
| reply to rcdailey
said by rcdailey :Would editing the trust settings for each certificate under the Comodo CA root be effective? Then the root would not have to be deleted in Firefox. how does one do that? |
|
TheWiseGuy
Dog And Butterfly
Premium,MVM
join:2002-07-04
Yonkers, NY
| reply to swhx7
Just some off hand thoughts.
It depends on whether you can depend on the default gateway and any subsequent hops to not have been hijacked and turned into a proxy. I believe compromise of routing tables would allow a MITM and then with certificate authentication being compromised allow for the theft of passwords and user IDs.
I would think another big risk would be for someone who connects via wireless hotspots. Unless they use a VPN it could make using SSL dangerous. If someone has to log in to the provider it would also make it possible to compromise the log in to the hot spot.
--
Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore. |
|
swhx7
Premium
join:2006-07-23
Elbonia
·RoadRunner Cable
| reply to fphall
said by fphall :said by rcdailey :Would editing the trust settings for each certificate under the Comodo CA root be effective? Then the root would not have to be deleted in Firefox. how does one do that?
Above is the Seamonkey version - Firefox is probably similar. Note that mine shows only three, vs. references to four or five above. |
|
Frodo
join:2006-05-05
Lees Summit, MO | reply to Anon users
I'm also seeing Comodo under GTE Corporation in Firefox. Among the purposes of that certificate is "SSL Certificate Authority" |
|
chachazz
Premium
join:2003-12-14
| reply to Anon users
Firefox > Options > Advanced > Encryption > View Cert:
|
|
salzan
Experienced Optimist
Premium
join:2004-01-08
WA State
| reply to Anon users
This shows Firefox.
I've found that I have to edit the permissions for each profile. |
|
nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T U-Verse
·AT&T Midwest
| I've found that I have to edit the permissions for each profile. Yes. But in a way, that's good. It means that the change you made is in your profile. And thus when the next release of firefox comes out, it won't override those changes.
--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.5 |
|
salzan
Experienced Optimist
Premium
join:2004-01-08
WA State | Yeah, it's no biggie but folks should be aware of it. |
|
rcdailey
Dragoonfly
Premium
join:2005-03-29
Rialto, CA
| reply to fphall
said by fphall :said by rcdailey :Would editing the trust settings for each certificate under the Comodo CA root be effective? Then the root would not have to be deleted in Firefox. how does one do that? In Firefox, click on Tools, Options, Advanced,Encryption,View Certificates,then highlight the specific certificate, click on Edit, uncheck the trust settings. |
|
rcdailey
Dragoonfly
Premium
join:2005-03-29
Rialto, CA | reply to swhx7
Nice work. Firefox is identical. Better than my text explanation. |
|
rcdailey
Dragoonfly
Premium
join:2005-03-29
Rialto, CA | reply to salzan
That stands to reason. |
|
rcdailey
Dragoonfly
Premium
join:2005-03-29
Rialto, CA
1 edit | reply to Frodo
said by Frodo :I'm also seeing Comodo under GTE Corporation in Firefox. Among the purposes of that certificate is "SSL Certificate Authority" I just looked at that certificate in Firefox and then clicked on Edit and the trust settings were NOT checked, so Firefox should warn, BUT the root certificate is GTE CyberTrust Global Root, and so long as that is enabled, all the other certificates are permitted, even though the boxes are not checked in the trust settings for each certificate. In order to fully disable those certificates, it appears that you have to disable GTE CyberTrust Global Root, which you can do. However, that might cause some problems. Now I'll have to search for other Comodo entries under other issuers. Arrgh!
Well, there don't seem to be any other Comodo entries, and I am not sure that the Comodo entry under GTE Coporation is really a problem. Perhaps someone else has an opinion? |
|
fphall
The Guardian
Premium
join:2003-11-01
Bristol, CT | reply to rcdailey
thank you all for your helpful and detailed answers. Merry Christmas and Happy Holidays to all. |
|
