20110324

Wrongly issued SSL certificates from Comodo and the loss of trust

You have all heard about the wrongly acquired SSL certificates for several well-known domain names.

References (among others):
http://www.h-online.com/open/news/item/SSL-meltdown-forces-browser-developers-to-update-1213358.html
https://blog.torproject.org/blog/detecting-certificate-authority-compromises-and-web-browser-collusion
http://blog.mozilla.com/security/2011/03/22/firefox-blocking-fraudulent-certificates/

This is really terrible.

The response from Comodo, published at http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html, doesn't give me enough information about what happened.

Honestly, the result is that I have lost trust in Comodo as a root CA and in the way they handle SSL certificate requests.

As far as I can read from the Comodo announcement, the attacker already knew how to gain access to a Comodo customer's account.

That means that someone holding such an account could request a certificate for domains that do not belong to them and that no third party had asked a Comodo reseller to obtain on their behalf. There was no human-triggered security or privacy check by a Comodo employee (e.g. calling the requester and/or the owner of the domain for which the certificate is requested) before issuance.

But such a check is what I expect, even if Comodo is one of the cheapest SSL certificate sellers.

It's not about a technical error, it's about "Trust", as in "Comodo, Creating Trust Online" (the slogan on their website). If you pay a company to verify that you are who you claim to be, because you want your customers to trust that what they receive over the Internet really comes from you, then the company you pay needs to pay more attention and invest in more human checks.

Having site accounts and issuing a certificate just because the system thinks "oh, a known customer is coming back" is not a good idea. Every request, even from a valid account, should be re-checked against the party that actually owns the domain (not the reseller account that submitted it), because a valid login only proves that someone holds the account's credentials, not that the domain owner asked for a certificate.

Automation is good, and automation helps to save money, but trust is more valuable than saving money in this regard.
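As an added example (not code from this post or from Comodo), here is the contrast the argument above comes down to: an issuance gate where a valid account login is enough, next to one that additionally demands a fresh, single-use proof of control over the requested domain before anything is issued. With the second policy a stolen reseller password alone cannot produce a certificate for a domain the attacker does not control. The account store, the plaintext password, the dictionary standing in for a DNS resolver and the `_ca-challenge.<domain>` TXT record name are all assumptions for illustration; a real CA would pick its own challenge mechanism (and, as the post argues, add a human check on top).

```python
"""Issuance policy gate: account login alone vs. login plus domain-control proof.

Added example for illustration; not Comodo's code. Account data, the resolver
stand-in and the challenge record name are constructed assumptions.
"""
import hmac
import secrets

# Constructed data: one reseller account whose password an attacker now holds.
# (Plaintext only to keep the example short; a real system stores a hash.)
ACCOUNTS = {"reseller-42": "correct horse battery staple"}

# Constructed stand-in for DNS: TXT records per name. Only the legitimate
# domain owner can add records here; the attacker cannot.
DNS_TXT = {"_ca-challenge.example.com": set()}


def authenticated(account, password):
    """Constant-time credential check against the constructed account store."""
    stored = ACCOUNTS.get(account)
    return stored is not None and hmac.compare_digest(stored, password)


def issue_weak(account, password, domain):
    """The policy criticised in the post: a known, logged-in customer is enough."""
    if not authenticated(account, password):
        return None
    return f"CERT for {domain} issued via {account}"


class IssuancePolicy:
    """Hardened policy: every request needs a fresh proof of domain control,
    no matter who holds the account. The challenge token is single-use."""

    def __init__(self, resolver):
        self.resolver = resolver          # name -> set of TXT values
        self.pending = {}                 # (account, domain) -> token

    def request(self, account, password, domain):
        """Step 1: authenticated account asks for a cert; gets a challenge token
        that must be published at _ca-challenge.<domain> by the domain owner."""
        if not authenticated(account, password):
            return None
        token = secrets.token_urlsafe(32)
        self.pending[(account, domain)] = token
        return token

    def finalize(self, account, password, domain):
        """Step 2: issue only if the token is visible in the domain's own DNS."""
        if not authenticated(account, password):
            return None
        token = self.pending.get((account, domain))
        if token is None:
            return None                   # no outstanding challenge
        published = self.resolver.get(f"_ca-challenge.{domain}", set())
        if not any(hmac.compare_digest(token, p) for p in published):
            return None                   # account holder never proved control
        del self.pending[(account, domain)]   # token is consumed
        return f"CERT for {domain} issued via {account}"


def demo():
    """Walk through both policies with the stolen credentials; returns outcomes."""
    creds = ("reseller-42", "correct horse battery staple")
    weak = issue_weak(*creds, "example.com")              # attacker wins
    policy = IssuancePolicy(DNS_TXT)
    token = policy.request(*creds, "example.com")
    blocked = policy.finalize(*creds, "example.com")      # no DNS record: None
    DNS_TXT["_ca-challenge.example.com"].add(token)       # owner publishes it
    issued = policy.finalize(*creds, "example.com")       # now issued
    replay = policy.finalize(*creds, "example.com")       # token spent: None
    return {"weak": weak, "blocked": blocked, "issued": issued, "replay": replay}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:8s} -> {result}")
```

The point of the second policy is that the login proves possession of the account, while the DNS record proves possession of the domain; only the second is what a relying party actually cares about, so issuance must be gated on it.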

For me personally, I have lost trust, and I would really like to see Comodo as a root CA dropped entirely from the browsers' SSL certificate stores.
