[security] SL compromise

Mike Hanson mhanson at mozilla.com
Thu Mar 24 16:48:17 UTC 2011


Comodo has posted a detailed incident report here:
http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html

Several login servers were affected.

-MH


On Mar 24, 2011, at 7:09 AM, John Bradley wrote:

> 
> 
> http://threatpost.com/en_us/blogs/phony-ssl-certificates-issued-google-yahoo-skype-others-032311?utm_source=Threatpost&utm_medium=Tabs&utm_campaign=Today%27s+Most+Popular
> 
> The browser vendors blocking those certificates is nice, however there are attacks on RP that could be done with those certificates that are still open.
> 
> In testing something like 0% of RP check OCSP or CRL, the libs don't force OpenSSL to do those checks (I think DNOA will do them in FICAM mode)
> 
> So perhaps encouraging people to perform those checks would be a good idea.  
> 
> We can only hope that none of the 9 certificates cover OpenID OP, otherwise user accounts at RP could theoretically be compromised.
> 
> John B.
> 
> 
> _______________________________________________
> security mailing list
> security at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-security
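The gap John B. describes (a chain that validates fine, with revocation never consulted) can be reproduced locally. The script below is an added illustration, not code from this thread or from any OpenID library: it assumes only the `openssl` command-line tool, builds a throwaway test CA, issues a leaf certificate for the hypothetical hostname `op.example.test`, revokes it and publishes a CRL, then runs `openssl verify` three ways. Plain chain verification accepts the revoked certificate; enabling `-crl_check` with the CRL supplied rejects it; enabling `-crl_check` with no CRL available also rejects it, which is the fail-closed behaviour an RP wants when it cannot reach the CA's revocation data.

```shell
#!/bin/sh
# Added example: show that chain verification alone ignores revocation and
# that CRL checking has to be switched on explicitly. Everything here is a
# constructed throwaway PKI; nothing refers to a real CA or hostname.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# One config file serves both 'openssl req' (CA certificate extensions) and
# 'openssl ca' (the minimal database it needs to revoke and emit a CRL).
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = Example Test CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ ca ]
default_ca = test_ca
[ test_ca ]
database = index.txt
new_certs_dir = .
serial = serial
crlnumber = crlnumber
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
touch index.txt
echo 01 > serial
echo 01 > crlnumber

# Throwaway CA (constructed for this demo only).
openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
  -keyout ca.key -out ca.pem -days 30 >/dev/null 2>&1

# Leaf certificate for a hypothetical OpenID OP hostname (assumption).
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
  -keyout leaf.key -out leaf.csr -subj "/CN=op.example.test" >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out leaf.pem -days 30 >/dev/null 2>&1

# Revoke the leaf and publish the CRL that an RP would need to notice it.
openssl ca -config ca.cnf -revoke leaf.pem >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1

# Each function prints "accepted" or "rejected" for the revoked leaf.

# Default behaviour of most libraries: chain check only, no revocation.
verify_chain_only() {
  openssl verify -CAfile ca.pem leaf.pem >/dev/null 2>&1 \
    && echo accepted || echo rejected
}

# CRL checking enabled and the CRL available: revocation is detected.
verify_with_crl() {
  openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem leaf.pem \
    >/dev/null 2>&1 && echo accepted || echo rejected
}

# CRL checking enabled but no CRL reachable: verification fails closed
# rather than silently skipping the check.
verify_crl_check_without_crl() {
  openssl verify -crl_check -CAfile ca.pem leaf.pem >/dev/null 2>&1 \
    && echo accepted || echo rejected
}

echo "chain only:            $(verify_chain_only)"
echo "crl_check + CRL:       $(verify_with_crl)"
echo "crl_check, no CRL:     $(verify_crl_check_without_crl)"
```

The first line of output is the condition the thread worries about: the revoked certificate is "accepted" because nothing asked for a revocation check. An RP that verifies OP certificates through a library should confirm that the library turns on the equivalent of `-crl_check` (or an OCSP query) rather than assuming the chain check covers it.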
