Compromised Comodo SSL certificates put users at risk
Bug #741528 reported by Mirsal Ennaime
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Mozilla Firefox | Fix Released | Medium | | |
| firefox (Ubuntu) | Invalid | Undecided | Unassigned | |
| firefox (Ubuntu), Hardy | Invalid | Undecided | Unassigned | |
| firefox (Ubuntu), Karmic | Invalid | Undecided | Unassigned | |
| firefox (Ubuntu), Lucid | Fix Released | Medium | Micah Gersten | |
| firefox (Ubuntu), Maverick | Fix Released | Medium | Micah Gersten | |
| firefox-3.0 (Ubuntu) | Invalid | Undecided | Unassigned | |
| firefox-3.0 (Ubuntu), Hardy | Fix Released | Medium | Micah Gersten | |
| firefox-3.0 (Ubuntu), Karmic | Invalid | Undecided | Unassigned | |
| firefox-3.0 (Ubuntu), Lucid | Invalid | Undecided | Unassigned | |
| firefox-3.0 (Ubuntu), Maverick | Invalid | Undecided | Unassigned | |
| firefox-3.5 (Ubuntu) | Invalid | Undecided | Unassigned | |
| firefox-3.5 (Ubuntu), Hardy | Invalid | Undecided | Unassigned | |
| firefox-3.5 (Ubuntu), Karmic | Fix Released | Medium | Micah Gersten | |
| firefox-3.5 (Ubuntu), Lucid | Invalid | Undecided | Unassigned | |
| firefox-3.5 (Ubuntu), Maverick | Invalid | Undecided | Unassigned | |
Bug Description
Binary package hint: firefox
Please see: https:/
And: http://
Activity log:

- description: updated
- Changed in firefox (Ubuntu Karmic): status: New → Invalid
- Changed in firefox-3.0 (Ubuntu Lucid): status: New → Invalid
- Changed in firefox-3.5 (Ubuntu): status: New → Invalid
- Changed in firefox (Ubuntu Hardy): status: New → Invalid
- Changed in firefox-3.5 (Ubuntu Maverick): status: New → Invalid
- Changed in firefox-3.5 (Ubuntu Lucid): status: New → Invalid
- Changed in firefox-3.5 (Ubuntu Hardy): status: New → Invalid
- Changed in firefox: importance: Unknown → Medium; status: Unknown → Fix Released
- summary: "Compromised Comodo SSL certificates puts users at risk" → "Compromised Comodo SSL certificates put users at risk"
Created attachment 519860
Bad certs (text dumps) zipped
According to mail from Comodo to the security alias "A long-term trusted partner of Comodo which has an RA function suffered an internal security breach and the attacker caused 7 certificates to be issued." The bogus certs were revoked within hours.
Unfortunately there are scenarios where the MITM can prevent the victim from contacting the OCSP responder and the certs will continue to be trusted. Given the high profile of the sites involved (including our own addons.mozilla.org) we should explicitly disable these certs if we can.
The CNs involved are:

- addons.mozilla.org
- login.live.com
- mail.google.com
- www.google.com
- login.yahoo.com
- login.skype.com
- global trustee
Can they be added as untrusted to the built-in certificate store, or does that only work for signing certificates? Can we ship a CRL containing these certs?
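The failure mode the comment describes, as an added example that is not part of the bug report or of Firefox's own revocation code: a client that treats an unreachable OCSP responder as "no information" (soft-fail) keeps accepting a revoked certificate, whereas an explicit distrust entry keyed by issuer and serial (how a CRL identifies a certificate) or by DER fingerprint rejects it no matter what the responder says. The issuer name, serials, DER bytes and OCSP outcomes below are constructed placeholders; only the CN comes from the report.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for a parsed leaf certificate (constructed, not a real X.509 object)."""
    issuer: str
    serial: int
    cn: str
    der: bytes


def fingerprint(cert: Cert) -> str:
    """SHA-256 over the DER encoding; a built-in 'not trusted' entry can be pinned this way."""
    return hashlib.sha256(cert.der).hexdigest()


# Constructed sample certificates: the CN is from the report, everything else is a placeholder.
ISSUER = "Comodo RA partner (constructed)"
BOGUS = Cert(ISSUER, 0x1001, "mail.google.com", b"constructed-der-1001")
LEGIT = Cert(ISSUER, 0x2001, "example.net", b"constructed-der-2001")

# Explicit distrust list. Issuer + serial is the identity a CRL entry carries;
# the fingerprint form catches the exact certificate even if the serial is reused.
DISTRUSTED_SERIALS = {(ISSUER, 0x1001)}
DISTRUSTED_FINGERPRINTS = {fingerprint(BOGUS)}


def is_explicitly_distrusted(cert: Cert) -> bool:
    return ((cert.issuer, cert.serial) in DISTRUSTED_SERIALS
            or fingerprint(cert) in DISTRUSTED_FINGERPRINTS)


def accept(cert: Cert, ocsp: str, hard_fail: bool = False, use_distrust_list: bool = True) -> bool:
    """Trust decision given the OCSP outcome: 'good', 'revoked' or 'unreachable'.

    Soft-fail (hard_fail=False) treats 'unreachable' as no information and accepts, so a
    MITM that blocks the responder keeps a revoked certificate usable. Hard-fail rejects on
    'unreachable', closing that hole at the cost of failing closed on every responder outage.
    The distrust list is consulted first, so a listed certificate is rejected under either policy.
    """
    if use_distrust_list and is_explicitly_distrusted(cert):
        return False
    if ocsp == "revoked":
        return False
    if ocsp == "unreachable":
        return not hard_fail
    return ocsp == "good"
```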