[conspire] Comodo-signed bogosity (was: DigiNotar Damage Disclosure)
rick at linuxmafia.com
Thu Sep 8 18:35:23 PDT 2011
The two sites' SSL certs Adrien was talking about
He was saying they 'have Google Ltd. as their organization names' as
viewed in his browser.
Calling up https://login.yahoo.com/ and getting Page Info, I see:
Common Name (CN): login.yahoo.com
Organization (O): Yahoo! Inc.
Organizational Unit (OU): <Not Part Of Certificate>
Common Name (CN): DigiCert High Assurance CA-3
Organization (O): DigiCert, Inc.
Organizational Unit (OU): www.digicert.com
Issued On: 12/20/2010
Expires On: 01/03/2013
SHA1 Fingerprint: 89:0C:0C:65:87:30:4C:43:75:20:B4:81:AA:7B:CC:F2:EE:15:19:54
MD5 Fingerprint: 75:4A:A4:87:70:53:70:5D:4D:1D:15:54:18:3C:FE:EC
Getting 'Details' on that shows the cert as being signed by DigiCert
High Assurance CA-A, which in turn is attested by DigiCert High
Assurance EV Root CA, which in turn is attested by GTE CyberTrest Global
Root, operated by GTE CyberTrust Solutions, Inc.
I have CertWatch installed and operating. CertWatch didn't trigger on
my visit to that URL because for some reason it'd seen that chain of
Calling up https://login.skype.com/ and getting Page Info, I see:
Common Name (CN): *.skype.com
Organization (O): Skype Technologies SA
Organizational Unit (OU): Information Security
Common Name (CN): GlobalSign Organization Validation CA
Organization (O): GlobalSign
Organizational Unit (OU): Organization Validation CA
Issued On: 03/16/2011
Expires On: 03/16/2012
SHA1 Fingerprint: 17:21:4B:D1:D2:87:E6:E3:BF:1A:1B:4F:96:D8:B2:70:FF:CE:CB:B6
CertWatch _did_ trigger on that site, because I'd not encountered those
I do not see any 'Google Ltd.'
So, in short, I simply did not see the data that Adrien saw popped up by
CertWatch in his own browser. The reason is: I blanket-revoked my
browser's trust in Comodo, after their screw-up of several months ago.
The bogus SSL certificate attestations Adrien saw were (I believe) both
from Comodo's subsidiary Usertrust Network.
Adrien's report about login.skype.com had, in part:
Common Name (CN): login.skype.com
Organization (O): Google, Ltd.
Organizational Unit (OU): Tech Dept.
Serial Number: 00:E9:02:8B:95:78:E4:15:DC:1A:71:0A:2B:88:15:44:47
Common Name (CN): UTN-UserFirst-Hardware
Organization (O): The USERTRUST Network
Organizational Unit (OU): http://www.usertrust.com/
Issued On: 3/14/11
Expires On: 3/14/14
[omitted; it suffices that these are rubbish]
It's important to note that this was part of the well-known Comodo
screwup of a few months ago. Those cert signatures were revoked and
everyone sent out new browser versions that marked those signatures as
not to be trusted. I suspect that, if Adrien selects "Edit Trust' for
that signature, he will see: 'Do not trust the authenticity of
this certificate'. This is now Firefox works: If you say something in
the chain of SSL certs to intermediate certs to root certs should be
removed, it doesn't _literally_ remove them. It merely marks that thing
as to be disregarded.
When I say I _believe_ that Adrien's report about a bogus cert for
login.yahoo.com was also from Comodo, what I mean is: Adrien sent me
something about that with a screenshot attached. I read the message but
didn't pay any attention to the screenshot, and then discarded the
message. I'm able to accurately describe what he saw concerning
login.skype.com only because of some follow-up analysis from Deirdre.
(If you send me screenshots, I will usually throw them away. Meaningful
information is generally best supplied in the form of relevant
More information about the conspire