Hi Peter,

FYI: We have released a patch which addresses the Comodo root CA compromise. The patch is available at
http://android.git.kernel.org/?p=platform/external/bouncycastle.git;a=commit;h=3ab12958718f17e48e2816a84d403f6305cc2800
and will be pushed to Google managed devices (Nexus S, Nexus One) on the next OTA.

As always, we strongly encourage Android OEMs to incorporate this patch into their build.

Take care,
-- Nick Kralevich
Android Security Team

On Thu, Mar 24, 2011 at 9:18 AM, peterw <[email protected]> wrote:
> BTW, anyone interested in the CA PKI model really ought to read Jacob
> Appelbaum's account of a recent incident in which a Comodo sub-CA was
> used to issue bogus certs for Google, Microsoft, Yahoo, Mozilla, and
> Skype hostnames:
>
> https://blog.torproject.org/blog/detecting-certificate-authority-compromises-and-web-browser-collusion
>
> Dianne can stop reading now because she knows what's next. Typical
> Android users are likely out of luck, forced to wait until the Android
> team merges the blacklist patch from Chromium *and* releases new dot
> versions of Android OS *and* the device manufacturers update firmwares
> (*and* in the US and similar countries, the cell phone companies bless
> the new firmwares). This is another example of Android's OS & update
> design flaws, that Google can't push even such a small,
> straightforward fix out to all Android end users. :-(
>
> -Peter
>
> --
> You received this message because you are subscribed to the Google Groups
> "Android Security Discussions" group.
> To post to this group, send email to
> [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/android-security-discuss?hl=en.
