...as the story unfolds in front of us just before the holiday season, I'm going to provide more information and try to summarize the recent event(s). Nevertheless I wish everybody a happy Hanukkah and Xmas.

Hereby the facts about Comodo and recent events:

- Registration Authority (RA) of Comodo operates a robot to search for SSL secured sites.
- Same RA sends email messages to the owners of those sites, pretending that the site owner has to renew the certificate with them (spam + misleading).
- Same RA ignores complaints, so does Comodo (at least initially).
- Same RA issues domain control validated certificates without validating.
- Comodo fails to have sufficient controls in place to prevent such issuance.
- Comodo fails to have controls in place to prevent issuance for high-profile targets (like Mozilla, Microsoft, Paypal, etc.).
- Comodo fails to (self) audit the facilities of the RA and its implementations.
- Comodo maintains many RAs and Resellers.

Additionally I received testimonials and evidence [1] that resellers (apparently mainly hosting providers) don't use a central domain validation utility or checks; instead there is a confirmation checkbox. Comodo delays the issuance of some of the certificates which it receives from resellers. According to the testimonial, they compare the data submitted with the WHOIS records on these spot checks. No email ping or web site modification check is performed to retain evidence about domain control by the requesting party (or authorization thereof). With this we can assume that

- Comodo does not perform domain control validation.
- Comodo does not have sufficient controls in place to prevent issuance of fraudulent certificates by resellers and RAs.
- Comodo issued unvalidated server certificates (according to their own accounts and myself). Such certificates may still be valid and in the wild.
- Comodo fails to conform to the Mozilla CA Policy on various accounts.

I have also received testimonials that Mozilla and Microsoft previously received complaints and evidence about the business practices of Comodo. I'm not aware which specific actions were taken back then. However I'm quoting Frank Hecker's summary after the "inclusion" discussion of Comodo from April 08,

"...discussions around various Comodo-related issues, most notably the
wildcard DV cert issue and the long-lived DV cert issue. Although I
acknowledge that there were/are valid concerns associated with those
issues...",

which were concerns raised by myself back then. Unfortunately the failures by Comodo listed above and their issuance policy for long-lived low-assurance and wildcard certificates make it even worse. In light of the recent events and in light of the collective potential damage to all certification authorities which those events may have caused, and in light of the potential damage to relying parties, I request immediate and appropriate actions by Mozilla and other browser vendors. I also request from Comodo to urgently review their practices, implementations and controls in place and take appropriate actions.


[1] As I'm writing this mail, I'm receiving more evidence, testimonials and phone calls from people in the know. I'll present all the material to Frank once he gets in touch with me.


--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto