
Fake certificates for popular sites

First, a bit of sensationalism:

The Comodo Internet Security certification authority (whose root certificate is trusted by the majority of browser vendors) signed the following certificates for unknown scammers:

* mail.google.com, www.google.com
* login.yahoo.com (3 certificates)
* login.skype.com
* addons.mozilla.org
* login.live.com
If a fraudster presents such a certificate, browsers will accept it as valid. In other words, there is not the slightest way to tell that the site is fake.

Now the details. These certificates were issued, and once this came to light the browser vendors (at least Chrome and Firefox) added them to a blacklist compiled into the code. For Firefox this happened on March 17th, 2011; every version released before that point trusts these certificates (I wanted to write "vulnerable", but the problem is that this is not a vulnerability, it is Comodo's choice, which everyone is forced to trust). In theory the browser should check whether the certificate is on the revocation list (it was added there); in practice, if access to that list is blocked, browsers do not issue a clear warning and trust the certificate anyway.
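The mitigation the browser vendors chose, a blocklist of known-bad certificates compiled into the client so that a revocation check that silently fails cannot save the attacker, as an added Go example that is not from the original post. The DNS name and the blocklisted fingerprint are constructed placeholders, not the values of the real mis-issued certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Fingerprint is the SHA-256 of a DER certificate: the key for a local blocklist.
type Fingerprint [32]byte
func fingerprint(der []byte) Fingerprint { return sha256.Sum256(der) }

// blocklistVerifier builds a tls.Config.VerifyPeerCertificate callback that fails the
// handshake when any presented certificate is blocklisted, even if it chains to a
// trusted root and even if the CRL could not be fetched (no soft-fail here).
func blocklistVerifier(blocked map[Fingerprint]string) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		for _, der := range rawCerts {
			if reason, ok := blocked[fingerprint(der)]; ok {
				return fmt.Errorf("certificate explicitly distrusted: %s", reason)
			}
		}
		return nil
	}
}

// selfSignedDER makes a throwaway leaf for dnsName so the example runs offline;
// it stands in for a mis-issued certificate (constructed, not a real one).
func selfSignedDER(dnsName string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: dnsName},
		DNSNames: []string{dnsName}, NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	der, _ := selfSignedDER("login.example.test") // constructed stand-in for a fraudulent leaf
	blocked := map[Fingerprint]string{fingerprint(der): "mis-issued leaf (constructed example)"}
	cfg := &tls.Config{VerifyPeerCertificate: blocklistVerifier(blocked)}
	fmt.Println("handshake rejected:", cfg.VerifyPeerCertificate([][]byte{der}, nil))
}
```

In a real client the callback is installed in the tls.Config used for dialing, so the blocklist is consulted on every handshake in addition to the normal chain validation.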

References:

1) Press release comodo: www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html
2) MS Security Advisory: www.microsoft.com/technet/security/advisory/2524375.mspx
3) A detective story about how the "strange" patches in Firefox were noticed before Comodo officially published the results of its carelessness: blog.torproject.org/blog/detecting-certificate-authority-compromises-and-web-browser-collusion
4) On the political component of the incident: avva.livejournal.com/2321707.html

Source: https://habr.com/ru/post/116084/
