[conspire] Comodo-signed bogosity (was: DigiNotar Damage Disclosure)

Ehud Kaldor ehud.kaldor at gmail.com
Thu Sep 8 21:16:53 PDT 2011


I have another explanation that might work, which I have experienced:
My work place does that. I noticed a few months ago, when FF started
complaining about a mismatch in the cert, that although it is a cert for the given
site, the issuer is... my work place. I figured this is probably some
corporation protection spying thingie, which allows the interceptor gateway
to read my encrypted communication. And one thing I don't want is
corporation IT to be able to see my banking transmissions or even my
searches. So, don't use these sites at work.

If you work at Google, it would explain the issuer. I would also check
connection with a different provider (home network, coffee place) to see if
you get a different cert.

Thank you,
Ehud
On Sep 8, 2011 8:54 PM, "Adrien Lamothe" <alamozzz at yahoo.com> wrote:
> Right. So what I was seeing, apparently, was CertWatch telling me those
> certs had been marked as bad, only it wasn't apparent that was what it was
> saying.
>
>
>
> ________________________________
> From: Rick Moen <rick at linuxmafia.com>
> To: conspire at linuxmafia.com
> Sent: Thursday, September 8, 2011 6:35 PM
> Subject: [conspire] Comodo-signed bogosity (was: DigiNotar Damage
> Disclosure)
>
> The two sites' SSL certs Adrien was talking about
> (http://linuxmafia.com/pipermail/conspire/2011-September/006596.html)
> were:
>
> login.yahoo.com
> login.skype.com
>
> He was saying they 'have Google Ltd. as their organization names' as
> viewed in his browser.
>
> Calling up https://login.yahoo.com/ and getting Page Info, I see:
>
>
> Issued To:
>
> Common Name (CN):  login.yahoo.com
> Organization (O):  Yahoo! Inc.
> Organizational Unit (OU):  <Not Part Of Certificate>
>
> Issued By:
> Common Name (CN): DigiCert High Assurance CA-3
> Organization (O): DigiCert, Inc.
> Organizational Unit (OU): www.digicert.com
>
> Validity:
> Issued On: 12/20/2010
> Expires On:  01/03/2013
>
> Fingerprints:
> SHA1 Fingerprint:
> 89:0C:0C:65:87:30:4C:43:75:20:B4:81:AA:7B:CC:F2:EE:15:19:54
> MD5 Fingerprint:  75:4A:A4:87:70:53:70:5D:4D:1D:15:54:18:3C:FE:EC
>
>
> Getting 'Details' on that shows the cert as being signed by DigiCert
> High Assurance CA-3, which in turn is attested by DigiCert High
> Assurance EV Root CA, which in turn is attested by GTE CyberTrust Global
> Root, operated by GTE CyberTrust Solutions, Inc.
>
>
> I have CertWatch installed and operating.  CertWatch didn't trigger on
> my visit to that URL because for some reason it'd seen that chain of
> stuff before.
>
>
> Calling up https://login.skype.com/ and getting Page Info, I see:
>
>
> Issued To:
> Common Name (CN): *.skype.com
> Organization (O):  Skype Technologies SA
> Organizational Unit (OU):  Information Security
> Serial: 01:00:00:00:01:2E:BE:AA:C9:F8
>
> Issued By:
> Common Name (CN): GlobalSign Organization Validation CA
> Organization (O): GlobalSign
> Organizational Unit (OU): Organization Validation CA
>
> Validity:
> Issued On: 03/16/2011
> Expires On:  03/16/2012
>
> Fingerprints:
> SHA1 Fingerprint:
> 17:21:4B:D1:D2:87:E6:E3:BF:1A:1B:4F:96:D8:B2:70:FF:CE:CB:B6
>
>
> CertWatch _did_ trigger on that site, because I'd not encountered those
> before.
>
> I do not see any 'Google Ltd.'
>
>
> So, in short, I simply did not see the data that Adrien saw popped up by
> CertWatch in his own browser.  The reason is:  I blanket-revoked my
> browser's trust in Comodo, after their screw-up of several months ago.
> The bogus SSL certificate attestations Adrien saw were (I believe) both
> from Comodo's subsidiary Usertrust Network.
>
> Adrien's report about login.skype.com had, in part:
>
> Issued To:
> Common Name (CN): login.skype.com
> Organization (O): Google, Ltd.
> Organizational Unit (OU): Tech Dept.
> Serial Number: 00:E9:02:8B:95:78:E4:15:DC:1A:71:0A:2B:88:15:44:47
>
> Issued By:
> Common Name (CN): UTN-UserFirst-Hardware
> Organization (O): The USERTRUST Network
> Organizational Unit (OU): http://www.usertrust.com/
>
> Validity:
> Issued On: 3/14/11
> Expires On:  3/14/14
>
> Fingerprints:
> [omitted; it suffices that these are rubbish]
>
>
> It's important to note that this was part of the well-known Comodo
> screwup of a few months ago.  Those cert signatures were revoked and
> everyone sent out new browser versions that marked those signatures as
> not to be trusted.  I suspect that, if Adrien selects 'Edit Trust' for
> that signature, he will see:  'Do not trust the authenticity of
> this certificate'.  This is how Firefox works:  If you say something in
> the chain of SSL certs to intermediate certs to root certs should be
> removed, it doesn't _literally_ remove them.  It merely marks that thing
> as to be disregarded.
>
>
> When I say I _believe_ that Adrien's report about a bogus cert for
> login.yahoo.com was also from Comodo, what I mean is:  Adrien sent me
> something about that with a screenshot attached.  I read the message but
> didn't pay any attention to the screenshot, and then discarded the
> message.  I'm able to accurately describe what he saw concerning
> login.skype.com only because of some follow-up analysis from Deirdre.
>
> (If you send me screenshots, I will usually throw them away.  Meaningful
> information is generally best supplied in the form of relevant
> plaintext.)
>
>
> _______________________________________________
> conspire mailing list
> conspire at linuxmafia.com
> http://linuxmafia.com/mailman/listinfo/conspire
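Both posts above boil down to the same check: write down the certificate summary you see on a network you trust, then compare it with what a browser shows you elsewhere (Ehud's "different provider" test) or with what someone else reports (Rick's comparison of his login.skype.com cert against Adrien's). The script below is an added example, not code from the conspire list, from Firefox or from CertWatch. It parses the Page Info text blocks in the format the mail archive shows them, diffs the identity fields of two such reports, and ignores validity dates and serials, which change on every legitimate renewal. The sample reports are the two login.skype.com summaries quoted above; the live-fetch helper at the end is an assumption about how one would capture the same data from the network in front of you and needs connectivity.

```python
"""Diff two certificate summaries of the kind Firefox's Page Info shows.

Added example (not from the conspire list, Firefox or CertWatch): a changed
issuer under an unchanged subject CN is what an interception gateway (Ehud's
workplace) and a mis-issued certificate (Adrien's UserTrust-signed
"Google, Ltd." cert) both look like from the browser's side.
"""
import hashlib
import re
import ssl

SECTIONS = ("Issued To", "Issued By", "Validity", "Fingerprints")
NOT_PRESENT = "<Not Part Of Certificate>"


def _short_key(key):
    # "Common Name (CN)" -> "CN"; keys without an abbreviation keep their name
    m = re.search(r"\(([A-Z]+)\)", key)
    return m.group(1) if m else key.strip()


def parse_page_info(text):
    """Parse the Issued To / Issued By / Validity / Fingerprints blocks into a
    dict of dicts. Tolerates '> ' quote prefixes and values wrapped onto the
    following line, as the fingerprints are in the mail archive."""
    report = {s: {} for s in SECTIONS}
    section, pending = None, None
    for raw in text.splitlines():
        line = re.sub(r"^[\s>]+", "", raw).strip()
        if not line:
            continue
        if line.rstrip(":") in SECTIONS:
            section = line.rstrip(":")
            continue
        if section is None:
            continue
        if pending is not None:          # value continued from the previous line
            report[section][pending] = line
            pending = None
            continue
        key, sep, value = line.partition(":")
        if not sep:                      # free text such as "[omitted; ...]"
            continue
        key, value = _short_key(key), value.strip()
        if not value:
            pending = key                # "SHA1 Fingerprint:" with value below
        elif value != NOT_PRESENT:
            report[section][key] = value
    return report


def name_matches(pattern, name):
    """Match a certificate CN against a hostname, honouring one leading
    wildcard label: *.skype.com covers login.skype.com but not skype.com."""
    pattern, name = pattern.lower(), name.lower()
    if pattern.startswith("*."):
        return name.count(".") == pattern.count(".") and name.endswith(pattern[1:])
    return pattern == name


def compare_reports(expected, observed):
    """Return (field, expected, observed) for every identity field that differs."""
    findings = []
    exp_cn = expected["Issued To"].get("CN", "")
    obs_cn = observed["Issued To"].get("CN", "")
    if not (name_matches(exp_cn, obs_cn) or name_matches(obs_cn, exp_cn)):
        findings.append(("subject CN", exp_cn, obs_cn))
    for section, field in (("Issued To", "O"), ("Issued By", "CN"), ("Issued By", "O")):
        e, o = expected[section].get(field), observed[section].get(field)
        if e != o:
            label = "subject" if section == "Issued To" else "issuer"
            findings.append((f"{label} {field}", e, o))
    for algo in ("SHA1 Fingerprint", "SHA256 Fingerprint"):
        e, o = expected["Fingerprints"].get(algo), observed["Fingerprints"].get(algo)
        if e and o and e.upper() != o.upper():   # only compare when both were recorded
            findings.append((algo, e, o))
    return findings


def fingerprint(der, algo="sha1"):
    """Colon-separated digest of a DER certificate, in Page Info's format."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def live_fingerprints(host, port=443):
    """Assumed helper: fetch the leaf cert the network in front of you presents
    (no chain validation, deliberately) and fingerprint it. Needs network."""
    der = ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))
    return {"SHA1 Fingerprint": fingerprint(der, "sha1"),
            "SHA256 Fingerprint": fingerprint(der, "sha256")}


# Sample input: the two login.skype.com summaries quoted in the thread.
RICK_SKYPE = """> Issued To:
> Common Name (CN): *.skype.com
> Organization (O):  Skype Technologies SA
> Organizational Unit (OU):  Information Security
> Serial: 01:00:00:00:01:2E:BE:AA:C9:F8
> Issued By:
> Common Name (CN): GlobalSign Organization Validation CA
> Organization (O): GlobalSign
> Validity:
> Issued On: 03/16/2011
> Expires On:  03/16/2012
> Fingerprints:
> SHA1 Fingerprint:
17:21:4B:D1:D2:87:E6:E3:BF:1A:1B:4F:96:D8:B2:70:FF:CE:CB:B6
"""
ADRIEN_SKYPE = """> Issued To:
> Common Name (CN): login.skype.com
> Organization (O): Google, Ltd.
> Organizational Unit (OU): Tech Dept.
> Issued By:
> Common Name (CN): UTN-UserFirst-Hardware
> Organization (O): The USERTRUST Network
> Organizational Unit (OU): http://www.usertrust.com/
> Fingerprints:
> [omitted; it suffices that these are rubbish]
"""

if __name__ == "__main__":
    for field, e, o in compare_reports(parse_page_info(RICK_SKYPE),
                                       parse_page_info(ADRIEN_SKYPE)):
        print(f"{field}: expected {e!r}, observed {o!r}")
```

Run against the two quoted reports it flags the subject organization and both issuer fields while accepting the wildcard CN, which is exactly the pattern Rick described: same site name, different signer. For your own network comparison, record `live_fingerprints()` from home and diff it against the same call from the office; a differing SHA256 with the same host is the interception case Ehud ran into.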