Comodo again


Jan Schejbal

May 25, 2011, 10:21:34 AM
to mozilla-dev-s...@lists.mozilla.org
Hi,
seems another Comodo reseller has not taken security too seriously:
http://pastebin.com/F5nUf5kr and http://pastebin.com/9qwdL1pA

Looks like it does NOT affect certificate issuance directly, though.

Kind regards,
Jan
--
Please avoid sending mails, use the group instead.
If you really need to send me an e-mail, mention "FROM NG"
in the subject line, otherwise my spam filter will delete your mail.
Sorry for the inconvenience, thank the spammers...

Peter Gutmann

May 25, 2011, 11:28:58 AM
to jan.sche...@gmx.de, mozilla-dev-s...@lists.mozilla.org
Jan Schejbal <jan.sche...@gmx.de> writes:

>seems another Comodo reseller has not taken security too seriously:
>http://pastebin.com/F5nUf5kr and http://pastebin.com/9qwdL1pA
>
>Looks like it does NOT affect certificate issuance directly, though.

Could this have been exploited in any way to obtain certs, or is it just an
egg-on-face thing?

Peter.

Eddy Nigg

May 25, 2011, 11:48:38 AM
to mozilla-dev-s...@lists.mozilla.org
On 05/25/2011 06:28 PM, From Peter Gutmann:

> Could this have been exploited in any way to obtain certs, or is it just an
> egg-on-face thing?

Initially it seems the latter - but probably at this stage it might be
possible to change the content in the DB, triggering the issuance of a
certificate for a different subject than actually validated.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
XMPP: star...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg
