[conspire] Comodo-signed bogosity (was: DigiNotar Damage Disclosure)

Rick Moen rick at linuxmafia.com
Fri Sep 9 13:32:10 PDT 2011

Quoting Adrien Lamothe (alamozzz at yahoo.com):

> Yes, looking at the screen shot I took, CertWatch was informing me
> that a new root certificate was found. 

Please note that 'found" in this case deoes not imply that CertWatch was
doing anything besides watching and commenting on the ongoing browser
activity.  You used Firefox to visit a site using https.  CertWatch
noted down the particulars of the arriving SSL cert data from the remote
Web site, checked its SQLite records about that SSL cert and all
matching attestations, and reported to you on all aspects of that matter
that were new-to-CertWatch.

> The Debian patches for actively distrusting the DigiNotar certs just
> hit Ubuntu.

And FYI, my recollection is that there have been two patches (to package
'nss' = Network Security Service).  The first one distrusted DigiNotar's
main series of certs but specifically exempted those done for the Dutch
government.  The second, five days later on Sept. 5th, 'disables
additional DigiNotar issuing certificates'.

You may also have a separate 'ca-certificates' package used for other
things, that likewise needs updating.

This week's _LWN_ has an article by Jake Edge where he points out that
there are other possibly-problematic certificate authorities, e.g.,
GlobalSign.  An anonymous Pastebin comment bragged, four days ago, about
subverting Comodo, DigiNotar, GlobalSign, and StartCom
(http://pastebin.com/1AxH30em).  Immediately after that, GlobalSign
ceased (at least for now) all new cert issuance.  Coincidence?

More information about the conspire mailing list