Comodo again

Jan Schejbal

May 25, 2011, 10:21:34 AM
to mozilla-dev-s...@lists.mozilla.org
Hi,
seems another Comodo reseller has not taken security too seriously:
http://pastebin.com/F5nUf5kr and http://pastebin.com/9qwdL1pA

Looks like it does NOT affect certificate issuance directly, though.

Kind regards,
Jan
--
Please avoid sending mails, use the group instead.
If you really need to send me an e-mail, mention "FROM NG"
in the subject line, otherwise my spam filter will delete your mail.
Sorry for the inconvenience, thank the spammers...

Peter Gutmann

May 25, 2011, 11:28:58 AM
to jan.sche...@gmx.de, mozilla-dev-s...@lists.mozilla.org
Jan Schejbal <jan.sche...@gmx.de> writes:

>seems another Comodo reseller has not taken security too seriously:
>http://pastebin.com/F5nUf5kr and http://pastebin.com/9qwdL1pA
>
>Looks like it does NOT affect certificate issuance directly, though.

Could this have been exploited in any way to obtain certs, or is it just an
egg-on-face thing?

Peter.

Eddy Nigg

May 25, 2011, 11:48:38 AM
to mozilla-dev-s...@lists.mozilla.org
On 05/25/2011 06:28 PM, From Peter Gutmann:

> Could this have been exploited in any way to obtain certs, or is it just an
> egg-on-face thing?

Initially it seems the latter - but probably at this stage it might be
possible to change the content in the DB, triggering the issuance of a
certificate for a different subject than actually validated.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
XMPP: star...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg
