Tuesday, December 23, 2008

Following HDMoore's twit I stumbled on this case of Man-in-the-middle attack with a valid SSL certificate from a shady reseller.

Eddy Nigg was able to buy a certificate in the name of mozilla.com from a reseller of comodo named 'Certstar'.

In response of this issue, comodo says

That reseller's ability to sell Comodo certificates has been suspended while we
investigate why they are apparently not fulfilling their contractual obligations
to us. We revoked your certificate for mozilla.com.

If this is the situation, why do an attacker need to work hard to do arp poisoning and other tricks to do an MITM. Phishers will be happy to use this kind of shady resellers.

Or maybe they are already using these kind of stupid CAs to get a valid certificates.

Call me crazy/paranoid /fanatic or whatever you want to but I've deleted COMODO from both of my browsers (IE & FF). Chrome uses the same from IE so it became easy for me ;)












This is indeed scary, very scary...





1 comments:

$!ddh@rth said...

Rohit,

it also is a case with the a stolen id of the certificate.

I has happened in the past with netgear switches. If you are to generate a cryptographic key - netgear used to genereate only a specific number of key id's and then recycle them.

once this was figured out we could use the same certificate - play around with the time and ids and lo - we are ready with a new phised cert

although this bug was fixed - but it is still possible with other vendors.

Post a Comment