web analytics

Comodo RA Compromised

Mar 31

I know it is too late to write about this but I came to know about this couple of days ago.

Comodo has confirmed that three registration authorities (RAs) affiliated with the company were compromised first reported on 23rd March 2011 by Iranian hacker to get fraud SSL Certificate for yahoo, google, Microsoft and Skype.

The Certificate was signed by third party without sufficient proof of identity and other information required.

The certificates could have been used by a fraudster to create a fake website that was able to bypass a browser’s validity mechanism and appear like the real thing to users.

Comodo has updated their most recent CRL (Certificate Revocation List) with removal of SSL Certificate.

Customers don’t need to do anything since the update is typically loaded automatically. As well, web browsers with the Online Certificate Status Protocol (OCSP) enabled will block the phony certificates from being used. Researcher Jacob Appelbaum first reported the problem to Comodo but withheld disclosure until the certification authority could remediate the issue.

The intruder, calling himself “Comodohacker,” has posted several lengthy documents on the text-sharing site Pastebin, offering up details about the incident. In the latest document, posted Tuesday, the hacker said it was a difficult infiltration that took time.

“From listed resellers of Comodo, I owned 3 of them,” the hacker wrote.

While rogue certificates were quickly revoked, the incident was serious enough to prompt Comodo to institute new controls and for the major web browsers – Mozilla’s Firefox, Microsoft’s Internet Explorer and Google’s Chrome – to issue updates to their browsers last week.

In response to rampant concerns about the trustworthiness of its certificate generation system from customers, browser companies and others in the security community, Comodo’s Alden said the company is in the process of rolling out hardware-based, two-factor authentication for its resellers to ward off attacks in the future.

The process could take several weeks to complete and, in the meantime, Comodo has promised to review all reseller validation work prior to issuing any certificates.

Mozilla, in particular, criticized Comodo for allowing RAs to issue certificates directly from the root that the company maintains, a practice that eliminated some possible attack mitigations. In response, Comodo said it plans to move away from this practice.

 

Read More

SSL Tools Website Part – II

Mar 04

SSL tools website part – II

After yesterday’s update about tools by ssltool.com. I am putting other tools details which would help you a lot with SSL Certificates and checking security of your SSL Certificate.

7) self-signed certificate generator (http://ssltool.com/?action=ssGenerate)

Do you want to generate self sign certificate? Here you go? this is great tool to generate self sign certificate for newbies who don’t want to run openssl commands to generate Self Sign Certificate. You can help self sign certificate in couple of minutes.

8) certificate and key match checker (http://ssltool.com/?action=modMatcher)

Check your Certificate key match. Certificate you got from your certificate vendor and key you have on your server this would be great to check Certificate before you installing it.

9) certificate root store list (http://ssltool.com/?action=certList)

Update Certificate root list in your server computer or check latest available root certificates available many of webservers still uses old certificate roots. which may cause problems.

SSLTools.com

Another good website I just came across ssltools.com. It allows you to check your CSR and Certificate. It is simple yet useful website which would help you to consider other option available to check your CSR.

There are many other SSL Related tools available. I will review other websites as well and update you about it. Till that time Happy Security..

Write Gaurav Maniar (IT Manager, SSL Support Expert @ www.thesslstore.com, MCITP, MCSE, MCSA)

Enhanced by Zemanta
Read More