[conspire] Comodo-signed bogosity (was: DigiNotar Damage Disclosure)

Adrien Lamothe alamozzz at yahoo.com
Thu Sep 8 20:53:38 PDT 2011

Right. So what I was seeing, apparently, was CertWatch telling me those certs had been marked as bad, only it wasn't apparent that was what it was saying.

From: Rick Moen <rick at linuxmafia.com>
To: conspire at linuxmafia.com
Sent: Thursday, September 8, 2011 6:35 PM
Subject: [conspire] Comodo-signed bogosity (was: DigiNotar Damage Disclosure)

The two sites' SSL certs Adrien was talking about


He was saying they 'have Google Ltd. as their organization names' as
viewed in his browser.

Calling up https://login.yahoo.com/ and getting Page Info, I see:

Issued To:

Common Name (CN):  login.yahoo.com
Organization (O):  Yahoo! Inc.
Organizational Unit (OU):  <Not Part Of Certificate>

Issued By:
Common Name (CN): DigiCert High Assurance CA-3
Organization (O): DigiCert, Inc.
Organizational Unit (OU): www.digicert.com

Issued On: 12/20/2010
Expires On:  01/03/2013

SHA1 Fingerprint:  89:0C:0C:65:87:30:4C:43:75:20:B4:81:AA:7B:CC:F2:EE:15:19:54
MD5 Fingerprint:  75:4A:A4:87:70:53:70:5D:4D:1D:15:54:18:3C:FE:EC

Getting 'Details' on that shows the cert as being signed by DigiCert
High Assurance CA-A, which in turn is attested by DigiCert High
Assurance EV Root CA, which in turn is attested by GTE CyberTrest Global
Root, operated by GTE CyberTrust Solutions, Inc.

I have CertWatch installed and operating.  CertWatch didn't trigger on
my visit to that URL because for some reason it'd seen that chain of
stuff before.

Calling up https://login.skype.com/ and getting Page Info, I see:

Issued To:
Common Name (CN): *.skype.com
Organization (O):  Skype Technologies SA
Organizational Unit (OU):  Information Security
Serial: 01:00:00:00:01:2E:BE:AA:C9:F8

Issued By:
Common Name (CN): GlobalSign Organization Validation CA
Organization (O): GlobalSign
Organizational Unit (OU): Organization Validation CA

Issued On: 03/16/2011
Expires On:  03/16/2012

SHA1 Fingerprint: 17:21:4B:D1:D2:87:E6:E3:BF:1A:1B:4F:96:D8:B2:70:FF:CE:CB:B6

CertWatch _did_ trigger on that site, because I'd not encountered those

I do not see any 'Google Ltd.'

So, in short, I simply did not see the data that Adrien saw popped up by
CertWatch in his own browser.  The reason is:  I blanket-revoked my
browser's trust in Comodo, after their screw-up of several months ago.
The bogus SSL certificate attestations Adrien saw were (I believe) both
from Comodo's subsidiary Usertrust Network.

Adrien's report about login.skype.com had, in part:

Issued To:
Common Name (CN): login.skype.com
Organization (O): Google, Ltd.
Organizational Unit (OU): Tech Dept.
Serial Number: 00:E9:02:8B:95:78:E4:15:DC:1A:71:0A:2B:88:15:44:47

Issued By:
Common Name (CN): UTN-UserFirst-Hardware
Organization (O): The USERTRUST Network
Organizational Unit (OU): http://www.usertrust.com/

Issued On: 3/14/11
Expires On:  3/14/14

[omitted; it suffices that these are rubbish]

It's important to note that this was part of the well-known Comodo
screwup of a few months ago.  Those cert signatures were revoked and 
everyone sent out new browser versions that marked those signatures as
not to be trusted.  I suspect that, if Adrien selects "Edit Trust' for
that signature, he will see:  'Do not trust the authenticity of
this certificate'.  This is now Firefox works:  If you say something in
the chain of SSL certs to intermediate certs to root certs should be
removed, it doesn't _literally_ remove them.  It merely marks that thing
as to be disregarded.

When I say I _believe_ that Adrien's report about a bogus cert for
login.yahoo.com was also from Comodo, what I mean is:  Adrien sent me
something about that with a screenshot attached.  I read the message but
didn't pay any attention to the screenshot, and then discarded the
message.  I'm able to accurately describe what he saw concerning
login.skype.com only because of some follow-up analysis from Deirdre.

(If you send me screenshots, I will usually throw them away.  Meaningful
information is generally best supplied in the form of relevant

conspire mailing list
conspire at linuxmafia.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://linuxmafia.com/pipermail/conspire/attachments/20110908/d7a58972/attachment.html>

More information about the conspire mailing list