<html><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:12pt"><div><span>Right. So what I was seeing, apparently, was CertWatch telling me those certs had been marked as bad, only it wasn't apparent that was what it was saying.</span></div><div><span><br></span></div><div><br></div><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;"><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;"><font face="Arial" size="2"><hr size="1"><b><span style="font-weight: bold;">From:</span></b> Rick Moen &lt;rick@linuxmafia.com&gt;<br><b><span style="font-weight: bold;">To:</span></b> conspire@linuxmafia.com<br><b><span style="font-weight: bold;">Sent:</span></b> Thursday, September 8, 2011 6:35 PM<br><b><span style="font-weight: bold;">Subject:</span></b> [conspire] Comodo-signed bogosity (was: DigiNotar Damage Disclosure)<br></font><br>The two sites'
SSL certs Adrien was talking about<br>(<a href="http://linuxmafia.com/pipermail/conspire/2011-September/006596.html" target="_blank">http://linuxmafia.com/pipermail/conspire/2011-September/006596.html</a>) <br>were:<br><br>login.yahoo.com<br>login.skype.com<br><br>He was saying they 'have Google Ltd. as their organization names' as<br>viewed in his browser.<br><br>Calling up <a href="https://login.yahoo.com/" target="_blank">https://login.yahoo.com/</a> and getting Page Info, I see:<br><br><br>Issued To:<br><br>Common Name (CN): login.yahoo.com<br>Organization (O): Yahoo! Inc.<br>Organizational Unit (OU): &lt;Not Part Of Certificate&gt;<br><br>Issued By:<br>Common Name (CN): DigiCert High Assurance CA-3<br>Organization (O): DigiCert, Inc.<br>Organizational Unit (OU): www.digicert.com<br><br>Validity:<br>Issued On: 12/20/2010<br>Expires On: 01/03/2013<br><br>Fingerprints:<br>SHA1 Fingerprint:
89:0C:0C:65:87:30:4C:43:75:20:B4:81:AA:7B:CC:F2:EE:15:19:54<br>MD5 Fingerprint: 75:4A:A4:87:70:53:70:5D:4D:1D:15:54:18:3C:FE:EC<br><br><br>Getting 'Details' on that shows the cert as being signed by DigiCert<br>High Assurance CA-A, which in turn is attested by DigiCert High<br>Assurance EV Root CA, which in turn is attested by GTE CyberTrust Global<br>Root, operated by GTE CyberTrust Solutions, Inc.<br><br><br>I have CertWatch installed and operating. CertWatch didn't trigger on<br>my visit to that URL because for some reason it'd seen that chain of<br>stuff before.<br><br><br>Calling up <a href="https://login.skype.com/" target="_blank">https://login.skype.com/</a> and getting Page Info, I see:<br><br><br>Issued To:<br>Common Name (CN): *.skype.com<br>Organization (O): Skype Technologies SA<br>Organizational Unit (OU): Information Security<br>Serial: 01:00:00:00:01:2E:BE:AA:C9:F8<br><br>Issued By:<br>Common Name (CN): GlobalSign
Organization Validation CA<br>Organization (O): GlobalSign<br>Organizational Unit (OU): Organization Validation CA<br><br>Validity:<br>Issued On: 03/16/2011<br>Expires On: 03/16/2012<br><br>Fingerprints:<br>SHA1 Fingerprint: 17:21:4B:D1:D2:87:E6:E3:BF:1A:1B:4F:96:D8:B2:70:FF:CE:CB:B6<br> <br><br>CertWatch _did_ trigger on that site, because I'd not encountered those<br>before.<br><br>I do not see any 'Google Ltd.'<br><br><br>So, in short, I simply did not see the data that Adrien saw popped up by<br>CertWatch in his own browser. The reason is: I blanket-revoked my<br>browser's trust in Comodo, after their screw-up of several months ago.<br>The bogus SSL certificate attestations Adrien saw were (I believe) both<br>from Comodo's subsidiary Usertrust Network.<br><br>Adrien's report about login.skype.com had, in part:<br><br>Issued To:<br>Common Name (CN): login.skype.com<br>Organization (O): Google, Ltd.<br>Organizational Unit (OU): Tech
Dept.<br>Serial Number: 00:E9:02:8B:95:78:E4:15:DC:1A:71:0A:2B:88:15:44:47<br><br>Issued By:<br>Common Name (CN): UTN-UserFirst-Hardware<br>Organization (O): The USERTRUST Network<br>Organizational Unit (OU): <a href="http://www.usertrust.com/" target="_blank">http://www.usertrust.com/</a><br><br>Validity:<br>Issued On: 3/14/11<br>Expires On: 3/14/14<br><br>Fingerprints:<br>[omitted; it suffices that these are rubbish]<br><br><br>It's important to note that this was part of the well-known Comodo<br>screwup of a few months ago. Those cert signatures were revoked and <br>everyone sent out new browser versions that marked those signatures as<br>not to be trusted. I suspect that, if Adrien selects 'Edit Trust' for<br>that signature, he will see: 'Do not trust the authenticity of<br>this certificate'. This is how Firefox works: If you say something in<br>the chain of SSL certs to intermediate certs to root certs should
be<br>removed, it doesn't _literally_ remove them. It merely marks that thing<br>as to be disregarded.<br><br><br>When I say I _believe_ that Adrien's report about a bogus cert for<br>login.yahoo.com was also from Comodo, what I mean is: Adrien sent me<br>something about that with a screenshot attached. I read the message but<br>didn't pay any attention to the screenshot, and then discarded the<br>message. I'm able to accurately describe what he saw concerning<br>login.skype.com only because of some follow-up analysis from Deirdre.<br><br>(If you send me screenshots, I will usually throw them away. Meaningful<br>information is generally best supplied in the form of relevant<br>plaintext.)<br><br><br>_______________________________________________<br>conspire mailing list<br><a ymailto="mailto:conspire@linuxmafia.com" href="mailto:conspire@linuxmafia.com">conspire@linuxmafia.com</a><br><a
href="http://linuxmafia.com/mailman/listinfo/conspire" target="_blank">http://linuxmafia.com/mailman/listinfo/conspire</a><br><br><br></div></div></div></body></html>
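An added example (not part of the original messages, and not CertWatch's or Firefox's code): the comparison done by hand in the thread, run over the Page Info text quoted there, abridged. The distrust set and the function names are assumptions made for illustration.

```python
import re

# Page Info text as pasted in the thread (abridged): Rick's own view of login.skype.com
BASELINE = """\
Issued To:
Common Name (CN): *.skype.com
Organization (O): Skype Technologies SA
Serial: 01:00:00:00:01:2E:BE:AA:C9:F8
Issued By:
Common Name (CN): GlobalSign Organization Validation CA
Organization (O): GlobalSign
"""
# ...and the login.skype.com certificate from Adrien's report (abridged)
REPORTED = """\
Issued To:
Common Name (CN): login.skype.com
Organization (O): Google, Ltd.
Serial Number: 00:E9:02:8B:95:78:E4:15:DC:1A:71:0A:2B:88:15:44:47
Issued By:
Common Name (CN): UTN-UserFirst-Hardware
Organization (O): The USERTRUST Network
"""
# Assumption: a local distrust list seeded with the serial quoted in the thread
DISTRUSTED = {"00:E9:02:8B:95:78:E4:15:DC:1A:71:0A:2B:88:15:44:47"}

def parse_page_info(text):
    """Split a pasted block into subject ('Issued To') and issuer ('Issued By') fields."""
    cert, section = {"subject": {}, "issuer": {}}, None
    for line in text.splitlines():
        line = line.strip()
        if line in ("Issued To:", "Issued By:"):
            section = "subject" if line == "Issued To:" else "issuer"
        elif line in ("Validity:", "Fingerprints:"):
            section = None
        elif section and ":" in line:
            key, _, val = line.partition(":")
            key = re.sub(r"\s*\([A-Z]+\)$", "", key.strip())  # drop "(CN)", "(O)"
            key = "Serial" if key.startswith("Serial") else key
            cert[section][key] = val.strip()
    return cert

def findings(observed, baseline, distrusted):
    """Return the reasons an observed certificate deserves a second look."""
    out = []
    if observed["subject"].get("Serial", "").upper() in distrusted:
        out.append("serial is marked as not to be trusted")
    for part, field in (("subject", "Organization"), ("issuer", "Common Name")):
        seen, known = observed[part].get(field), baseline[part].get(field)
        if seen != known:
            out.append(f"{part} {field}: {known!r} -> {seen!r}")
    return out
```

Calling `findings(parse_page_info(REPORTED), parse_page_info(BASELINE), DISTRUSTED)` returns three reasons: the distrusted serial, the changed subject organization, and the changed issuer.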