Archive for December 24th, 2008
The End of the Year or the End of the World….SSL Certs and Solar Storms
Probably my last blog post this year – so just to remind myself how crappy this year has been in years to come, here are a couple of the highlights that I found this morning – pretty telling of this year so far…
Comodo reseller sells SSL certificates without proper verification – I’ll link to the discussion on Google Groups – http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/9c0cc829204487bf?pli=1. The repercussion is that an attacker could perform a MITM attack while appearing to be the trusted owner of a CA-approved site. For this to be successful, the attacker would need to hijack DNS, or host a caching nameserver/public wireless service….such as https://bugzilla.mozilla.org/show_bug.cgi?id=460374….yayy
It remains to be seen whether Comodo should have their status as a Root CA revoked until correctly validated certs have been issued to everyone who has purchased from them or their resellers….One to watch, as this has huge implications – who knows how many certs have been issued, or for that matter if anyone has exploited this already. On a more cheerful note, I’ve just been trying to explain to someone in the office that this has nothing to do with lizards or Japanese dresses compromising security…..:)
On a slightly less cheery note….found this on the Nat Geographic site….http://news.nationalgeographic.com/news/pf/27959626.html
Interesting reading – who knows – maybe the lights will go out in 2012 anyway!!
EDIT: If anyone is actually reading this, I would suggest that they manually revoke the signing permissions of Comodo in their browser until this mess is sorted. At least this way you know that you are sending information to a Comodo SSL-signed site and can stop.