[conspire] Critical browser-certificate problem

Rick Moen rick at linuxmafia.com
Wed Mar 23 15:12:47 PDT 2011


I wrote:

> One of the impersonated Web sites is addons.mozilla.org .

Claimed full list of impersonated site SSL certs, according to 'a
source at Microsoft' mentioned in the article's comments:

o login.live.com
o mail.google.com
o www.google.com
o login.yahoo.com (3 certificates)
o login.skype.com
o addons.mozilla.org
o "Global Trustee"

The unidentified commentator adds 'I'm not sure what "Global Trustee" means.'

Certificate authority 'Comodo', where the breach occurred, confirms that list:
http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html

Comodo, which was provably negligent, attempts to say 'We're merely a
victim!  Don't look at us.  Look at those evil people in Iran.'  They
also claim that the system worked because when informed of their screwup
they added the nine fraudulent certs to their current Certification
Revocation List -- a claim the article I mention in the previous post
is at pains to explain is utter bullshit, as that process doesn't work
in the real world.

Brief analysis by an Iranian commentator:
http://hazimiai.wordpress.com/2011/03/24/firm-points-finger-at-iran-for-ssl-certificate-theft/

Coverage by _Wired's_ 'Threat Level' news-column:
http://www.wired.com/threatlevel/2011/03/comodo-compromise/

The 'Global Trustee' cert was an interesting detail.  This was an SSL
cert using an identifying phrase often claimed for itself by ICANN
and by the various operators of the root DNS nameservers.  However,
nobody's yet given enough detail (that I've found in a few minutes of 
reading, anyway) to do further meaningful analysis.

It should be noted that exploiting the ability to make impersonations of 
popular Web sites SSL-validate would require controlling the user's
DNS infrastructure.

Which helps underlie one of my other frequent points:  Control your own
DNS infrastructure through the simple expedient of running a local 
recursive nameserver, and using it instead of the usual
any-old-service-somewhere-I-don't-know-where.
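A minimal unbound configuration for the local recursive nameserver recommended above, added here as an example and not part of the original post; the listening interfaces, access-control ranges and the root-hints and trust-anchor file paths are assumptions to adjust for the host.

```conf
# /etc/unbound/unbound.conf  (example configuration, not from the original post)
server:
    # Listen only on loopback so nothing outside this host can use the resolver
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 0.0.0.0/0 refuse

    # No forward-zone stanza: resolve from the root servers directly instead
    # of handing every query to an upstream resolver you do not control.
    # Assumed path; the file is a copy of https://www.internic.net/domain/named.root
    root-hints: "/etc/unbound/root.hints"

    # Validate DNSSEC signatures so forged answers for signed zones are rejected.
    # Assumed path; the file is created and maintained by unbound-anchor
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Make cache-poisoning attempts harder and leak less about the resolver
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: yes
    qname-minimisation: yes
    hide-identity: yes
    hide-version: yes
```

Verify the file with `unbound-checkconf`, then point /etc/resolv.conf at 127.0.0.1 so the host's own lookups use it. Running your own resolver removes an unknown third-party resolver from the path, but DNSSEC validation only protects zones that are actually signed, and a fraudulent certificate still validates for any connection the attacker can redirect by other means.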