
Facts about Comodo Resellers and RAs


Eddy Nigg

Dec 24, 2008, 10:44:58 AM
...as the story unfolds in front of us just before the holiday season,
I'm going to provide more information and try to summarize the recent
event(s). Nevertheless I wish everybody a happy Hanukkah and Xmas.

Hereby the facts about Comodo and recent events:

- Registration Authority (RA) of Comodo operates a robot to search for
SSL secured sites.
- Same RA sends email messages to the owners of those sites, by
pretending that the site owner has to renew the certificate with them
(spam + misleading).
- Same RA ignores complaints, so does Comodo (at least initially).
- Same RA issues domain control validated certificates without validating.
- Comodo fails to have sufficient controls in place to prevent such
issuance.
- Comodo fails to have controls in place to prevent issuance of
high-profile targets (like Mozilla, Microsoft, Paypal, etc.)
- Comodo fails to (self) audit the facilities of the RA and its
implementations.
- Comodo maintains many RAs and Resellers.

Additionally I received testimonials and evidence [1] that resellers
(apparently mainly hosting providers) don't use a central domain
validation utility or checks, instead there is a confirmation checkbox.
Comodo delays the issuance of some of the certificates which it receives
from resellers. According to the testimonial, they compare the data
submitted with the WHOIS records on these spot checks. No email ping or
web site modification check is performed to retain evidence about domain
control by the requesting party (or authorization thereof). With this we
can assume that

- Comodo does not perform domain control validation.
- Comodo does not have sufficient controls in place to prevent issuance
of fraudulent certificates by resellers and RAs.
- Comodo issued unvalidated server certificates (according to their own
accounts and myself). Such certificates may still be valid and in the wild.
- Comodo fails to conform to the Mozilla CA Policy in various accounts.

I have also received testimonials that Mozilla and Microsoft previously
received complaints and evidence about the business practices of
Comodo. I'm not aware which specific actions were taken back then.
However I'm quoting Frank Hecker's summary after the "inclusion"
discussion of Comodo from April 08,

"...discussions around various Comodo-related issues, most notably the
wildcard DV cert issue and the long-lived DV cert issue. Although I
acknowledge that there were/are valid concerns associated with those
issues...",

which were concerns raised by myself back then. Unfortunately the
failures by Comodo listed above and their issuance policy for
long-living low-assurance and wild card certificates make it even
worse. In light of the recent events and in light of the collective
potential damage to all certification authorities which those events may
have caused, and in light of the potential damage to relying parties, I
request immediate and appropriate actions by Mozilla and other browser
vendors. I also request from Comodo to urgently review their practices,
implementations and controls in place and take appropriate actions.


[1] As I'm writing this mail, I'm receiving more evidence, testimonials
and phone calls from people in the know. I'll present all the
material to Frank once he gets in touch with me.


--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: star...@startcom.org
Blog: https://blog.startcom.org

Paul C. Bryan

Dec 24, 2008, 1:14:17 PM
Eddy: I personally believe you are working for the good of the PKI
infrastructure, but you have to see that being a competitor to Comodo
puts you in a perceived conflict of interest here. Is there no one you
could put your contact(s) in touch with that is in a more neutral
position to evaluate this issue and inform the community?

Eddy Nigg

Dec 24, 2008, 2:12:06 PM
On 12/24/2008 08:14 PM, Paul C. Bryan:

Paul, I have been active here for some time already. I'm providing my
knowledge and experience to Mozilla and the community, which might be
especially interesting, because I know more than many. I see the
potential issues from various different sides. I have maintained my
loyalty to Mozilla which doesn't have to be in conflict with any other
interests I may have. And my interest is to maintain an even level of
PKI security in the browser for the good of all of us.

Having said that, neither myself nor the company I run have gained
financially from this - currently it seems that all CAs have taken
damage. Reckless behavior is ruining our businesses, the trust we try to
build and the strengthening of Internet security at large is put into
jeopardy. It is my duty to prevent that if possible.

There is no conflict of interest even if the result of my involvement
would put a competitor out of business - it's their failure not mine.
And with it, they risk the reputation and security of Mozilla and all
relying parties which depend on it.

Unfortunately many others who are in the know haven't come forward
for unknown reasons. I'd be more than glad if they did. But would you
prefer if I'd put a middle-man in front of myself? Would you prefer that
I've sorted it out with Comodo directly? The personal gain could have
been much higher perhaps.

Rest assured that I'm not making any final decisions at Mozilla.
Frank Hecker, who is currently responsible, knows me well enough and has
the knowledge about this subject. He will make the ultimate decision
about which actions to take. In this specific case I'm the messenger and
reporter, but also others have already made their call for action here
at dev.tech.crypto.

At last, this and other issues concern all of us - many million users
depend on the work we are doing here and elsewhere. I have nothing to
hide, I openly disclose my affiliation (see my signature) upfront. I
always did. I'm active and involved at different open source and open
standards projects, maintain connection with major organizations
throughout the world. I'm certain that my contributions and expertise
are usually valued.

Thank you for your time!

Eddy Nigg

Dec 25, 2008, 5:22:10 AM
On 12/24/2008 05:44 PM, Eddy Nigg:

> I have received also testimonials that Mozilla and Microsoft received
> previously complaints and evidences about the business practices of
> Comodo. I'm not aware which specific actions were taken back then.

I have to make a small correction about this statement. The complaints
and evidence mentioned above are not recent and are of lesser severity
than recent events. Thanks.

Eddy Nigg

Dec 26, 2008, 10:07:00 PM
Comodo's CPS [1] lists the following:

1.10.2 Web Host Reseller Partners

Through a “front-end” referred to as the “Management Area”, the Web Host
*Reseller* Partner has access to the *RA* functionality including but
not limited to the issuance of Secure Server Certificates.... is
obliged to *conduct validation* in accordance with the validation
guidelines and agrees via an online process (checking the “I have
sufficiently validated this application” checkbox when applying for a
Certificate) that sufficient validation has taken place prior to issuing
a certificate.

This seems to be exactly in line with my comment [2] and the published
image [3]. If this is correct, then it is in direct conflict with
section 4.2.7 PositiveSSL and PositiveSSL Wildcard Secure Server
Certificates of this statement [4]:

To validate PositiveSSL and PositiveSSL Wildcard Secure Server
Certificates, *Comodo* checks that the Subscriber has control.....
....and the use of generic e-mails which ordinarily are only
available to person(s) controlling the domain name administration, for
example, webmaster@ . . ., postmaster@ . . ., admin@;


This basically means that Comodo outsources domain validation not only
to RAs but also to resellers. In addition, domain validation is
effectively circumvented and non-existent for such resellers. The mere
checking of the checkbox is the only requirement for the issuance of any
certificate. This is in my opinion insufficient and an undue risk!
Considering the size of Comodo's reseller and RA network (which I'm sure
makes up the biggest chunk of their certificate issuance), it is
reasonable to assume that unvalidated certificates exist currently.

Additionally I want to point out that the CPS [4] explicitly states that
Comodo performs the validation, which however is not the case as we've
seen with certstar. Since I was reading this document during the review
period of Comodo this spring, I was fairly convinced that Comodo
performs those validations.

I request to receive further information about how exactly domain
control is validated and which controls Comodo has in place to prevent
fraudulent or mistaken issuance. Incidentally I've found discrepancy in
statements made by Robin as to the status of certstar in particular and
concerning domain validation in general.


[1] http://www.comodo.com/repository/09_22_2006_Certification_Practice_Statement_v.3.0.pdf
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=470897#c27
[3] https://bugzilla.mozilla.org/attachment.cgi?id=354425
[4] http://www.comodo.com/repository/PositiveSSL_addendum_to_the_Certification_Practice_Statement.pdf
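As an added example (my own code, not the thread's, Comodo's or StartCom's), here is a minimal model of the e-mail-based domain control check the addendum quoted above describes: the approver list is limited to the generic mailboxes it names, and the mailed token is random, expiring and single-use, so it leaves evidence that someone controlling the domain authorised the request, which a reseller's checkbox does not. The class and function names, and the two-label registrable-domain rule, are assumptions made for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

GENERIC_LOCAL_PARTS = ("webmaster", "postmaster", "admin")  # from the addendum

def approver_addresses(fqdn: str) -> list[str]:
    # Mailboxes ordinarily readable only by the domain's administrator.
    # Assumption: two-label registrable domain; a real CA must consult the
    # Public Suffix List here, otherwise shop.example.co.uk maps to co.uk.
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a valid FQDN: {fqdn!r}")
    domain = ".".join(labels[-2:])
    return [f"{lp}@{domain}" for lp in GENERIC_LOCAL_PARTS]

@dataclass
class Challenge:
    fqdn: str
    sent_to: str
    token: str
    expires_at: float
    used: bool = False

class DomainControlValidator:
    # One-time, expiring token mailed to an approver address; the request
    # passes only when that exact token comes back for the same FQDN.
    def __init__(self, ttl_seconds: int = 3600) -> None:
        self.ttl = ttl_seconds
        self.pending: dict[str, Challenge] = {}  # fqdn -> open challenge

    def start(self, fqdn: str, address: str, now=None) -> Challenge:
        now = time.time() if now is None else now
        addr = address.lower()
        if addr not in approver_addresses(fqdn):  # e.g. sales@ is refused
            raise ValueError(f"{addr} is not a domain-administration mailbox")
        ch = Challenge(fqdn.lower(), addr, secrets.token_urlsafe(24), now + self.ttl)
        self.pending[ch.fqdn] = ch  # actually sending the mail is out of scope
        return ch

    def verify(self, fqdn: str, presented: str, now=None) -> bool:
        now = time.time() if now is None else now
        ch = self.pending.get(fqdn.lower())
        if ch is None or ch.used or now > ch.expires_at:
            return False  # unknown, replayed or stale token: no evidence
        if not hmac.compare_digest(ch.token.encode(), presented.encode()):
            return False
        ch.used = True  # single use, so a captured token cannot be replayed
        return True
```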

lgn...@yahoo.com

Jan 23, 2009, 6:07:37 PM
"Having said that, neither myself nor the company I run have gained
financially from this - currently it seems that all CAs have taken
damage. Reckless behavior is ruining our businesses, the trust we try to
build and the strengthening of Internet security at large is put into
jeopardy. It is my duty to prevent that if possible.

There is no conflict of interest even if the result of my involvement
would put a competitor out of business - it's their failure not mine.
And with it, they risk the reputation and security of Mozilla and all
relying parties which depend on it."

Riiiight.

Couple of observations on all of this (having read most all of the
other original thread) as a disinterested observer (Full disclosure: I
used to resell SSL certs some time back).

1. You kid only yourself if you think you have no appearance of
conflict of interest in this issue. You do, in spite of your wishing
not to. But you are not alone. The prior thread was in full dogpile
mode against Comodo by a few who seem to have some baggage against
them by the levels of reaction compared to the severity of the issue
and its corresponding triage by Comodo. IMHO

2. You would do well to reflect and consider whether or not the
complete commoditization of domain validated certificates themselves,
both by their very nature (email validation of domain ownership. I
mean really now), as well as the pricing models employed by the
various competitors in the SSL field (yourself notable among them)
have not done more harm to the industry, or more specifically the
relative level of security, authority and credibility of SSL as a
security model, as perceived by users. Once one acknowledges that
being a CA is nothing more than a license to print money, subject to
independent operational audits, then you can have a meaningful
discussion on what 'security' you're providing to a user. See EV
validation procedures and their corresponding pricing model, compared
to Organization Validated certs if you care to refute that statement.
Yes, I'm looking at you Verisign.

There is such a low barrier to entry for a Domain Validated
certificate even when the system works correctly. A couple of bucks to
register a domain name with GoDaddy, a couple more (or zero) dollars
to get an SSL cert, and any script kiddy worth his salt can now start
blasting out "Please login to your BOA savings account to reverify
your account info", and hope for a MITM opportunity to pop up on his
monitor. DV certs have next to zero credibility on ANY website that
purports to protect personal or financial info. You know that I'm
sure. There are tons of MITM attacks successfully carried out every year
by crooks who have VALID DV certs on their fraud sites. How do you
think RSA sells so many handheld password tokens? Which begs the
question of why Mozilla needs to suddenly go into fire drill mode over
RA auditing practices with respect to Comodo. It's a joke.

3. I was a little taken aback at the surprise and shock expressed by
the resident experts that Comodo RA resellers do DV authentication (or
at least, are supposed to as part of their resale agreements). Is this
to imply that NONE of the other CAs that have wholesale agreements
with third party resellers allow a DV cert to be sold pending CA
relegated authentication directly? Are we that naive in 2009? Thawte?
Globalsign? Verisign? RapidSSL? GoDaddy? Surely Comodo is not the only
one out there that allows their resellers to perform initial DV cert
validation subject to CA audits. I can't prove it, but I'd bet $20,
the number of primary CAs who do is greater than 1. Someone, it
appears, has never taken a look at the Certification Practice
Statements of the various CAs I guess (to the extent that you can
find them all). I seem to recall that the RSA X.509 spec allows for
this type of subservient RA model as long as proper audit controls are
in place to maintain verification compliance.

In a nutshell, does anyone who declares himself an expert in the SSL
industry REALLY think this causes irreparable harm to the other CAs?
Should Comodo tighten up on its audit procedures? Certainly looks that
way. But since any primary CA out there who does this probably only
does sample audits (are YOU going to pay KPMG their hourly to go
through every record out in the field? Not bloody likely), the
possibility still exists for that 'rogue' cert to skate by. If total
security is paramount, should not all CAs make sure third party
resellers validate all domains internally through them? Absolutely,
but be careful about the unintended consequences of what that would do
to the internal costs to the CAs, and the subsequent knock-on costs to
the channel. It might even raise the prices in the street a little if
they all did it at once, something positive! However if the X.509 spec
doesn't call for it, who's first in line to volunteer to implement it
for DV certs? That's what you have OV and EV certs for, no? And
after all, as all know, money is ultimately the reason in the SSL
community for the model you have. Security is like the old analogy
about getting race cars to go faster, there's always a way to improve
it, but it's only limited by how much money you want to spend on it.

(fireproof suit - ON)

Mark

martinw...@gmail.com

Nov 22, 2013, 5:56:08 AM
I bought Comodo EV SSL from https://cheapsslsecurity.com/comodo/evssl.html, a reseller of Comodo SSL and other major SSL brands, but thanks to their support team I never needed to deal directly with the certification authority, Comodo itself, and got the solution from the reseller's support team.