[conspire] Comodo-signed bogosity (was: DigiNotar Damage Disclosure)

Rick Moen rick at linuxmafia.com
Thu Sep 8 18:35:23 PDT 2011


The two sites' SSL certs Adrien was talking about
(http://linuxmafia.com/pipermail/conspire/2011-September/006596.html) 
were:

login.yahoo.com
login.skype.com

He was saying they 'have Google Ltd. as their organization names' as
viewed in his browser.

Calling up https://login.yahoo.com/ and getting Page Info, I see:


Issued To:

Common Name (CN):  login.yahoo.com
Organization (O):  Yahoo! Inc.
Organizational Unit (OU):  <Not Part Of Certificate>

Issued By:
Common Name (CN): DigiCert High Assurance CA-3
Organization (O): DigiCert, Inc.
Organizational Unit (OU): www.digicert.com

Validity:
Issued On: 12/20/2010
Expires On:  01/03/2013

Fingerprints:
SHA1 Fingerprint:  89:0C:0C:65:87:30:4C:43:75:20:B4:81:AA:7B:CC:F2:EE:15:19:54
MD5 Fingerprint:  75:4A:A4:87:70:53:70:5D:4D:1D:15:54:18:3C:FE:EC


Getting 'Details' on that shows the cert as being signed by DigiCert
High Assurance CA-A, which in turn is attested by DigiCert High
Assurance EV Root CA, which in turn is attested by GTE CyberTrest Global
Root, operated by GTE CyberTrust Solutions, Inc.


I have CertWatch installed and operating.  CertWatch didn't trigger on
my visit to that URL because for some reason it'd seen that chain of
stuff before.


Calling up https://login.skype.com/ and getting Page Info, I see:


Issued To:
Common Name (CN): *.skype.com
Organization (O):  Skype Technologies SA
Organizational Unit (OU):  Information Security
Serial: 01:00:00:00:01:2E:BE:AA:C9:F8

Issued By:
Common Name (CN): GlobalSign Organization Validation CA
Organization (O): GlobalSign
Organizational Unit (OU): Organization Validation CA

Validity:
Issued On: 03/16/2011
Expires On:  03/16/2012

Fingerprints:
SHA1 Fingerprint: 17:21:4B:D1:D2:87:E6:E3:BF:1A:1B:4F:96:D8:B2:70:FF:CE:CB:B6
 

CertWatch _did_ trigger on that site, because I'd not encountered those
before.

I do not see any 'Google Ltd.'


So, in short, I simply did not see the data that Adrien saw popped up by
CertWatch in his own browser.  The reason is:  I blanket-revoked my
browser's trust in Comodo, after their screw-up of several months ago.
The bogus SSL certificate attestations Adrien saw were (I believe) both
from Comodo's subsidiary Usertrust Network.

Adrien's report about login.skype.com had, in part:

Issued To:
Common Name (CN): login.skype.com
Organization (O): Google, Ltd.
Organizational Unit (OU): Tech Dept.
Serial Number: 00:E9:02:8B:95:78:E4:15:DC:1A:71:0A:2B:88:15:44:47

Issued By:
Common Name (CN): UTN-UserFirst-Hardware
Organization (O): The USERTRUST Network
Organizational Unit (OU): http://www.usertrust.com/

Validity:
Issued On: 3/14/11
Expires On:  3/14/14

Fingerprints:
[omitted; it suffices that these are rubbish]


It's important to note that this was part of the well-known Comodo
screwup of a few months ago.  Those cert signatures were revoked and 
everyone sent out new browser versions that marked those signatures as
not to be trusted.  I suspect that, if Adrien selects "Edit Trust' for
that signature, he will see:  'Do not trust the authenticity of
this certificate'.  This is now Firefox works:  If you say something in
the chain of SSL certs to intermediate certs to root certs should be
removed, it doesn't _literally_ remove them.  It merely marks that thing
as to be disregarded.


When I say I _believe_ that Adrien's report about a bogus cert for
login.yahoo.com was also from Comodo, what I mean is:  Adrien sent me
something about that with a screenshot attached.  I read the message but
didn't pay any attention to the screenshot, and then discarded the
message.  I'm able to accurately describe what he saw concerning
login.skype.com only because of some follow-up analysis from Deirdre.

(If you send me screenshots, I will usually throw them away.  Meaningful
information is generally best supplied in the form of relevant
plaintext.)





More information about the conspire mailing list