Eddy Nigg found out, and blogged about, how he could buy an SSL certificate for a domain he clearly neither owns nor controls. The cert was issued by Comodo, who apparently has outsourced (parts of) their certificate business to a separate company that obviously does very little or perhaps no verification at all of the buyer.
As a result, anyone could buy a certificate from them for just about any domain/site name, and since Comodo is a trusted CA in at least Firefox, that makes it a lot easier for phishers and other criminals to set up fraudulent sites that even get the padlock in Firefox and look almost perfectly legitimate!
The question now is what Mozilla should do, what Firefox users should expect their browser to do when an HTTPS site presents a Comodo-issued cert, and how Comodo and their resellers are going to deal with all of this...
Read the scary thread on the mozilla dev-tech-crypto list.
Update: if you're on the paranoid/safe side you can stop trusting certificates that chain to their root by doing this:
Select Preferences -> Advanced -> View Certificates -> Authorities. Search for
AddTrust AB -> AddTrust External CA Root and click "Edit". Remove all trust flags (uncheck every "This certificate can identify..." box). Note that this distrusts every certificate chaining to that root, not just the ones sold through the sloppy reseller, so expect legitimate sites with Comodo-issued certs to start producing certificate errors as well.
I won't be joining the attempted world record of Firefox downloads on the release day June 17th 2008 since I dist-upgraded my Debian unstable just a few days ago and I got my Firef... eh Iceweasel version 3 then.
Of course, others have also noted that Firefox will miss out on a fair number of Linux users downloading that version, as Linux users everywhere will prefer to get it through their distro's ordinary means of getting packages and updates...
I noticed the new site publicsuffix.org, which Mozilla has set up in an attempt to list the public suffixes under every TLD in the world, so that a browser can know where a registrable domain starts and refuse cookies whose domain would otherwise span just about every site under that "public suffix".
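To make concrete what such a list buys a browser, here is an added example (my own illustration, not Mozilla's code and not the publicsuffix.org matcher) of how a cookie implementation can use rules in the site's file format when deciding whether to honour a Set-Cookie "Domain" attribute. The rule text is a constructed excerpt, not the real list, and the function names are mine. It goes a little beyond the post by also applying the format's wildcard ("*") and exception ("!") rules and by showing the host-only downgrade a browser applies when the public suffix itself sets a cookie:

```python
"""Public-suffix based cookie Domain check (added example, not Mozilla's code)."""

# Constructed excerpt in publicsuffix.org syntax: one rule per line, '//'
# comments, '*' is a wildcard label, '!' marks an exception to a wildcard rule.
# This is NOT the real list; it only exists to exercise the matcher below.
SAMPLE_RULES_TEXT = """\
// constructed sample, not the real public suffix list
com
uk
co.uk
*.ck
!www.ck
"""


def parse_rules(text):
    """Parse publicsuffix.org-style text into a list of lowercase rules."""
    rules = []
    for line in text.splitlines():
        line = line.split("//", 1)[0].strip()
        if line:
            rules.append(line.lower())
    return rules


def _labels(name):
    return name.lower().strip(".").split(".")


def _rule_matches(rule_labels, domain_labels):
    """Compare right to left: each rule label must equal the domain label or be
    the wildcard '*'. The domain may carry extra labels on the left."""
    if len(rule_labels) > len(domain_labels):
        return False
    for r, d in zip(reversed(rule_labels), reversed(domain_labels)):
        if r != "*" and r != d:
            return False
    return True


def public_suffix(domain, rules):
    """Return the public suffix of domain under the given rules.

    Prevailing rule: a matching exception rule if there is one, otherwise the
    matching rule with the most labels, otherwise the implicit rule '*'.
    An exception rule is applied with its leftmost label removed.
    """
    labels = _labels(domain)
    exception = None
    best = None
    for rule in rules:
        is_exception = rule.startswith("!")
        rule_labels = rule.lstrip("!").split(".")
        if not _rule_matches(rule_labels, labels):
            continue
        if is_exception:
            exception = rule_labels
        elif best is None or len(rule_labels) > len(best):
            best = rule_labels
    if exception is not None:
        prevailing = exception[1:]
    elif best is not None:
        prevailing = best
    else:
        prevailing = ["*"]
    return ".".join(labels[-len(prevailing):])


def registrable_domain(domain, rules):
    """Public suffix plus one label, or None if domain is itself a public suffix."""
    labels = _labels(domain)
    suffix_len = len(public_suffix(domain, rules).split("."))
    if len(labels) <= suffix_len:
        return None
    return ".".join(labels[-(suffix_len + 1):])


def effective_cookie_domain(request_host, domain_attr, rules):
    """How a browser that rejects public suffixes treats a Set-Cookie Domain
    attribute (the logic of RFC 6265 section 5.3, steps 4 to 6).

    Returns (domain, host_only), or None when the cookie must be ignored.
    """
    host = request_host.lower().strip(".")
    dom = (domain_attr or "").lower().strip(".")
    if not dom:
        return host, True          # no Domain attribute: host-only cookie
    if dom == public_suffix(dom, rules):
        if dom == host:
            return host, True      # the suffix's own site: downgrade to host-only
        return None                # would be sent to every site under the suffix
    if host != dom and not host.endswith("." + dom):
        return None                # Domain is neither the host nor a parent of it
    return dom, False


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES_TEXT)
    for host, attr in [("www.example.co.uk", "co.uk"),
                       ("www.example.co.uk", "example.co.uk"),
                       ("a.foo.ck", "foo.ck"),
                       ("www.ck", "www.ck")]:
        print(host, "Domain=" + attr, "->", effective_cookie_domain(host, attr, rules))
```

The interesting cases are the ones a plain "at least two labels" heuristic gets wrong: "co.uk" has two labels but is still a public suffix, "foo.ck" is one because of the wildcard rule, while "www.ck" is not because of the exception rule.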
There's no word on the site about whether IE, Opera etc. are going to join this effort.
Update: several people are expressing doubts about the virtues of this idea, such as Patrik Fältström on DNSOP.