Broken SSL Trust
When a CA issues a SSL certificate they (the registration authority) should verify certain information provided by the requester. This includes at least the domain name ownership and preferably the person or company tied to the domain name ownership. Basic stuff really, but what happens when certificates get issued without any verification? Well, this happened to Mozilla [2].
Basically the complete trust framework collapses (for that CA). Especially combined with hosts file and/or DNS hijacking. What if this incident isn't the first? What if some cybercrook got some SSL certs due to similar mistakes of your favorite bank? You're no longer sure if the https connection of your bank really terminates on the servers of your bank. They could just as easily terminate on a server in Russia or Albania. Which leaves you with an empty bank account (most likely).
If the certificate is issued (signed) by a Comodo Root CA (as it was in this case), your browser accepts this as a valid/trusted CA and for the user everything seems fine. This takes me back to the issue of all those trusted root certification authorities in the average OS or browser.
This time, it's a Comodo affiliate that's screwed up (there's no other way of describing this), but what are the chances that some of those trusted 100+ CA's make a mistake? The bigger the list, the bigger the chance of wrongfully issues (SSL) certificates.
By the way, if you're using an older browser (pre IE6 e.g.), chances are that SSL certificate revocation checking is disabled by default. So even when the revoke they certificate you still wouldn't know.... You can verifiy this by opening the Internet Explorer options section and checking the Advanced tab.
Reader Comments