Comment 8 for bug 103074

giff gill (giffgilll-deactivatedaccount) wrote :

https://blog.torproject.org/blog/detecting-certificate-authority-compromises-and-web-browser-collusion

The recent incident with the UTN-USERFirst-Hardware certificates as reported in Bug #741729 shows again how important it is that this is getting addressed.
Comodo got to know about the problem on March 15th, Google blocked the fraudulent signatures on the 16th, Mozilla and Microsoft followed. However, to my knowledge, all Linux distributions, certainly those that use the Debian ca-certificates package, still trust these certificates.
Any damage most likely already has been done. Even the next-day response from Google likely had come too late, and there certainly was a window of a few days between issuing the certs and Comodo being aware of the intrusion.

It's not the first time UTN-USERFirst-Hardware came up...
http://it.slashdot.org/story/08/12/23/0046258/Perfect-MITM-Attacks-With-No-Check-SSL-Certs

Now Mozilla, Google and MS blacklisted the known compromised certificates. All other certificates they signed are still trusted. Any bets and guesses when the next incident involving a Comodo reseller will occur?

To Paul C. Bryan, #2:
>At the very least, can we have a stronger disclaimer, which properly informs the users of the risks of installing this package on their system?

It's preinstalled on a default desktop installation of Ubuntu.
I'm not sure what the best course of action should be. I think it's clear the mentioned fraud certs should be blacklisted ASAP (I mean, Microsoft beat you to it...). Apart from that, maybe we should think about disabling these known "problematic" CAs.
I'd suggest still shipping them in the package but disabled by default so the user can make a conscious decision about trusting them or not.
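A small audit script for the package mechanism the comment refers to, added here as an example and not taken from the bug thread or from the ca-certificates package itself: on Debian-based systems /etc/ca-certificates.conf lists one certificate path per line, and a leading `!` deselects a CA that stays installed but is not written into the trust store, which is the "shipped but disabled by default" state proposed above. The config text and certificate file names below are constructed samples.

```python
"""Audit which CAs a Debian-style /etc/ca-certificates.conf actually selects.

Format (see update-ca-certificates(8)): one certificate path per line,
relative to /usr/share/ca-certificates; lines starting with '#' are comments
and lines starting with '!' are deselected (installed but not trusted).
"""

# Constructed sample in the shape of a ca-certificates.conf; not a copy of any real file.
SAMPLE_CONF = """\
# Lines starting with '!' are deselected; '#' lines are comments.
mozilla/UTN_USERFirst_Hardware_Root_CA.crt
mozilla/AddTrust_External_Root.crt
!mozilla/Some_Already_Disabled_CA.crt
"""


def parse_conf(text):
    """Return (selected, deselected) lists of certificate paths."""
    selected, deselected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("!"):
            deselected.append(line[1:].strip())
        else:
            selected.append(line)
    return selected, deselected


def is_trusted(text, cert_path):
    """True if cert_path is selected, i.e. would land in /etc/ssl/certs."""
    selected, _ = parse_conf(text)
    return cert_path in selected


def deselect(text, cert_path):
    """Return the conf text with cert_path prefixed by '!', the documented way
    to keep a CA installed but untrusted; unchanged if it was not selected."""
    out = []
    for raw in text.splitlines():
        out.append("!" + cert_path if raw.strip() == cert_path else raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    target = "mozilla/UTN_USERFirst_Hardware_Root_CA.crt"
    print("trusted before:", is_trusted(SAMPLE_CONF, target))
    print("trusted after: ", is_trusted(deselect(SAMPLE_CONF, target), target))
```

After editing the real file, `update-ca-certificates` must be run to rebuild /etc/ssl/certs; the script only inspects and rewrites the configuration text.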