On 23/12/08 22:25, Eddy Nigg wrote:
> On 12/23/2008 11:12 PM, Ian G:
>> Earlier, Frank used the language of "clear and present danger."
>> * clear: we can measure the costs of it, and cost of defences.
>> * present: it is happening today, provably.
>> * danger: it can be shown capable of doing damage, at least in theory
>> Only the last one is shown. It is a danger in that anyone relying on a
>> cert wrongly issued could be harmed. But it hasn't actually caused
>> anyone damages, and nobody has shown it to exist.
>
> The first and second are valid as well. We can measure the costs, can't we?

First point: Who lost money? What are the damages?

You don't count, or more precisely, the money you spent getting the cert
doesn't count; sorry about that :)

> The second item shows that it can be happening today, you don't have to
> prove it, because I did already.

Yes, it's an "exploit" not a "breach".

> This is a breach, this proves certs are proved to use bad stuff:
> http://blogs.technet.com/mmpc/archive/2008/11/06/malware-and-signed-code.aspx

Indeed, some stats to underscore *presence* ...

"In the first six months of 2008, the MMPC received reports of 22M
instances of distinct malware files, of which about 173,000 were
distinct malware files with code signatures. Of this malware with code
signatures, about 38,000 were not validly code signed, so approximately
*135,000 validly signed malware files* were reported to Microsoft.
Approximately 0.6% of detected malware were validly code signed."

But they don't go far enough to show the first point. (You might
validly ask why Microsoft did not go that far, and deny us the clarity
in dealing with this situation! Another subject, another day!)

> The fact that I disclosed publicly
> about it doesn't mean that there aren't scores of others out there.

It doesn't mean there aren't and it doesn't mean there are. On the
basis of a reasonable judgement, given the info we have today, there
aren't. Also, by the same logic, there aren't any mice in your
computer, even though you looked yesterday.

Which isn't to say that it won't change tomorrow. Security work is done
with facts, because attackers will use your conjectures against you.

> Considering the aggressive and illegal mailing campaign they operated,
> one can expect that there are many certificates issued in this way.

Sure. All highly targeted to existing owners of SSL certs ... who
surprise, surprise, didn't notice that there was no validation :)

What damages are likely here, to the targeted users? Are there any
"non-targeted users" ?

>> This situation is about as harmful as the average exploit demo. In this
>> particular case it was caught by an insider rather than by an outsider.
>> However, beyond that, the situation is already sealed in that Comodo
>> have already taken the urgent triage steps to make sure nobody else gets
>> one.
>
> Well, that's exactly the point! I haven't heard back from Robin anymore,
> their site is still online as well. Clear statements about how many
> certificates are affected (all of the ones issued through them) and
> revocations (or at least urgent re-validation within 48 hours and
> thereafter revocation) would be satisfactory maybe.
>
> The handling of the situation is insufficient, response and measures are
> a joke, communication doesn't exist.

Right. Over to Comodo. It's their job, let them do it. Any statements
you desire to them should tie into some criteria, practice or policy.

> Apparently this reseller's business
> was too good for Comodo.

Well, concerns on the concept of resellers have been raised before.
This becomes a case in point, which should perhaps allow us to
re-address the issue.

But, CAs issue bad certs, that's a fact, so we can't damn them entirely.
Also, it's their job to deal with it. Adding a lynching party helps
no-one.
iang
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto