DaemonForums  

Go Back   DaemonForums > DaemonForums.org > News

News News regarding BSD and related.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 24th March 2011
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125
Default SSL meltdown forces browser developers to update

From http://www.h-online.com/security/new...e-1213358.html

Quote:
According to Tor developer Jacob Appelbaum and a blog posting by the Mozilla Foundation, the Comodo SSL Certification Authority may have been compromised. As a consequence, criminals apparently obtained nine certificates for web sites that already existed, including addons.mozilla.org. There is no official statement on whether the situation was caused by insufficient checks during the certification process or by a breach of Comodo's infrastructure.

However, what initially appeared to be a problem for Comodo is now forcing browser developers to take counter measures and release updates. Otherwise, criminals could, for example, redirect users to a bogus Firefox plug-in page and offer them infected add-ons to install – as the page would possess a valid server certificate for addons.mozilla.org, users would be unaware, and Firefox wouldn't issue an alert. Similar attacks on online banking sites are also conceivable.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #2   (View Single Post)  
Old 24th March 2011
drhowarddrfine drhowarddrfine is offline
VPN Cryptographer
 
Join Date: May 2008
Posts: 377
Default

This was fixed in Firefox4 before it was shipped.
Reply With Quote
  #3   (View Single Post)  
Old 24th March 2011
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125
Default

For the latest news see SSL meltdown: a cyber war attack?
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #4   (View Single Post)  
Old 25th March 2011
backrow backrow is offline
Real Name: Anthony J. Bentley
Shell Scout
 
Join Date: Jul 2009
Location: Albuquerque, NM
Posts: 136
Default

Jacob Applebaum’s blog post on the subject is really informative.

Also, revocation doesn’t work.

There are some Firefox extensions that do Web of Trust or Trust on First Use for SSL certificates; I’m curious as to how well those work and if they can be generalized to work across the whole OS.

And the EFF has the “SSL Observatory” mailing list that may have more interesting discussion.

Affected domains:
  • login.live.com
  • mail.google.com
  • www.google.com
  • login.yahoo.com (3 certificates)
  • login.skype.com
  • addons.mozilla.org
__________________
Many thanks to the forum regulars who put time and effort into helping others solve their problems.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
PostgreSQL developers fix vulnerabilities J65nko News 0 17th May 2010 01:58 PM
The top ten security holes for web developers J65nko News 1 26th April 2010 05:11 AM
75% of Linux code now written by paid developers J65nko News 4 22nd January 2010 03:42 AM
Browser Security shep OpenBSD Security 4 4th January 2010 02:48 PM
[survey] Developers' motivation ArjendeLangen Off-Topic 5 27th July 2009 03:56 AM


All times are GMT. The time now is 05:03 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick