{"id":495,"date":"2008-12-23T23:55:34","date_gmt":"2008-12-23T22:55:34","guid":{"rendered":"http:\/\/daniel.haxx.se\/blog\/?p=495"},"modified":"2008-12-24T00:42:54","modified_gmt":"2008-12-23T23:42:54","slug":"ssl-certs-crash-without-trust","status":"publish","type":"post","link":"https:\/\/daniel.haxx.se\/blog\/2008\/12\/23\/ssl-certs-crash-without-trust\/","title":{"rendered":"SSL certs crash without trust"},"content":{"rendered":"

Eddy Nigg found out and blogged<\/a> about how he could buy SSL certificates for a domain he clearly doesn’t own nor control. The cert is certified by Comodo<\/a> who apparently has outsourced (parts of) there cert business to a separate company who obviously does very little or perhaps no verification at all of the buyers.<\/p>\n

As a result, buyers could buy certificates from there for just about any domain\/site name, and Comodo being a trusted CA<\/a> in at least Firefox<\/a> would thus make it a lot<\/strong> easier for phishers and other cyber-style criminals to setup fraudulent sites that even get the padlock in Firefox and looks almost perfectly legitimate!<\/p>\n

The question is now what Mozilla should do. What Firefox users should expect their browser to do when HTTPS sites use Comodo-verified certs and how Comodo and their resellers are going to deal with everything…<\/p>\n

Read the scary thread on the mozilla dev-tech-crypto<\/a> list.<\/p>\n

Update<\/strong>: if you’re on the paranoid\/safe side you can disable trusting their certificates<\/a> by doing this:<\/p>\n

Select Preferences -> Advanced -> View Certificates -> Authorities. Search for
\nAddTrust AB -> AddTrust External CA Root and click “Edit”. Remove all Flags.<\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"

Eddy Nigg found out and blogged about how he could buy SSL certificates for a domain he clearly doesn’t own nor control. The cert is certified by Comodo who apparently has outsourced (parts of) there cert business to a separate company who obviously does very little or perhaps no verification at all of the buyers. … Continue reading SSL certs crash without trust<\/span> →<\/span><\/a><\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,5,6,133],"tags":[86,425,44,428,43],"class_list":["post-495","post","type-post","status-publish","format-standard","hentry","category-development","category-it-politics","category-floss","category-security","tag-firefox","tag-mozilla","tag-nss","tag-security","tag-ssl"],"_links":{"self":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/495","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/comments?post=495"}],"version-history":[{"count":0,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/495\/revisions"}],"wp:attachment":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/media?parent=495"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/categories?post=495"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/tags?post=495"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}