Let’s stop fear mongering and non-sense about Comodo Compromise and import the CRL

The blogosphere is abuzz with the fake certificates issued by the Comodo certificate authority (CA), as if this were the end of the world and those fake certificates could do a lot of harm. The architects of the CA system always took that possibility into account: a certificate can be issued by mistake or fraudulently, and the system has the capability to revoke any issued certificate. Every certificate should contain a URL for the Certificate Revocation List (CRL), and all Comodo had to do was revoke those certificates and update the CRL, which has already been done. Let’s stop the nonsense. The Comodo announcement clearly states that those certs were immediately revoked: “All of these certificates were revoked immediately on discovery. Monitoring of OCSP responder traffic has not detected any attempted use of these certificates after their revocation.” Please calm down; the CA world is not about to collapse, and your gmail and live.com accounts cannot be compromised as long as you are using a modern browser, which will actually check the CRL before trusting the certificate. And those of you who are suggesting deleting the Comodo CA from the list of trusted CAs should probably find something else to comment on, because you clearly have never seen an actual cert and don’t have a clue about how the CA system works. I still can’t believe that even Bruce Schneier forgot to mention this in his blog entry. Here is a screenshot of what a CRL URL looks like in an actual certificate.


Here is one CRL maintained by VeriSign for their certs: http://evsecure-crl.verisign.com/. You will notice that there are numerous files with the .crl extension; these can be downloaded and opened to view the list of certs that have been revoked. Every CRL entry shows the serial number and the revocation date, and looks like this.
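To see what is inside one of those .crl files without a viewer, here is an added example (not part of the original post) that walks the DER structure of a CRL and lists the revoked serial numbers with their revocation dates. The sample CRL is constructed inline, and this hypothetical parser only reads the structure; a real client must also verify the CRL’s signature against the issuing CA’s key before trusting it.

```python
# Walk a DER-encoded X.509 CRL (RFC 5280 CertificateList) and list its revoked serial numbers.
# Hypothetical parser: it reads the ASN.1 structure only and does NOT verify the CRL signature.
import datetime

def der_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the TLV at buf[pos] (short or long-form length)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def der_children(buf, start, end):  # yield (tag, value_start, value_end) inside a constructed value
    pos = start
    while pos < end:
        tag, vs, ve = der_tlv(buf, pos)
        yield tag, vs, ve
        pos = ve

def parse_time(tag, raw):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18); RFC 5280 pivots 2-digit years at 50."""
    s = raw.decode("ascii")
    if tag == 0x17:
        s = ("20" if int(s[:2]) < 50 else "19") + s
    return datetime.datetime.strptime(s, "%Y%m%d%H%M%SZ")

def revoked_entries(crl_der):
    """Return {serial: revocation date} from the CRL's revokedCertificates list."""
    _, tbs_s, _ = der_tlv(crl_der, 0)        # CertificateList
    _, in_s, in_e = der_tlv(crl_der, tbs_s)  # tbsCertList
    # children: [version] signature issuer thisUpdate [nextUpdate] [revokedCertificates] [exts],
    # so the third SEQUENCE (after signature and issuer) is revokedCertificates; an empty CRL omits it.
    seqs = [(s, e) for t, s, e in der_children(crl_der, in_s, in_e) if t == 0x30]
    out = {}
    for _, es, ee in (der_children(crl_der, *seqs[2]) if len(seqs) > 2 else ()):
        kids = list(der_children(crl_der, es, ee))  # userCertificate, revocationDate, [crlEntryExtensions]
        serial = int.from_bytes(crl_der[kids[0][1]:kids[0][2]], "big", signed=True)
        out[serial] = parse_time(kids[1][0], crl_der[kids[1][1]:kids[1][2]])
    return out

# Constructed sample CRL (not a real Comodo or VeriSign CRL), built with a minimal DER encoder.
def der(tag, content):  # short-form length is enough for this small sample
    return bytes([tag, len(content)]) + content
def der_int(v):  # the leading 0x00 that to_bytes may emit keeps the INTEGER positive, as DER requires
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
def sample_crl():
    utc = lambda s: der(0x17, s.encode())  # UTCTime YYMMDDHHMMSSZ
    entries = der(0x30, der_int(0x2A) + utc("110315190000Z")) + der(0x30, der_int(0x0100000000) + utc("110316120000Z"))
    tbs = der(0x30, der_int(1) + der(0x30, b"") + der(0x30, b"") + utc("110317000000Z") + utc("110324000000Z") + der(0x30, entries))
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))  # signatureAlgorithm + placeholder BIT STRING
```

To check a real file, read its bytes and test `serial in revoked_entries(crl_bytes)` with the serial taken from the certificate being validated.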


Recommended Configuration for Firefox 4

There are a lot of people suggesting deleting the Comodo root cert from the browser. A more sensible thing is to import the Comodo CRL for these revoked certs. Chrome and IE have auto-updated, and there are reports that Firefox has hard-coded these certs as fraudulent in the latest update. Nevertheless, you can import the Comodo CRL in Firefox 4.

Here are the steps I recommend.

  1. Import Comodo CRL for Firefox

    Under Tools->Options->Advanced->Revocation Lists tab, select the Import CRL option as shown in the screenshots below. The Comodo CRL is at the following URL: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl or http://crl.comodoca.net/UTN-USERFirst-Hardware.crl. Supply the CRL URL in the dialog box when prompted. A confirmation will be displayed after a successful import. You can also enable auto-update for this CRL.


    Here is how your Revocation Lists status will look when you open it the next time.

3 comments to Let’s stop fear mongering and non-sense about Comodo Compromise and import the CRL

  • BBGT

    O.K., but I find it a bit odd that I can see the revoked certificates in Google Chrome but not in Firefox (both updated to the latest versions).

    Would you happen to know why the difference between these two browsers?

  • Firefox 4 will allow you to import a CRL. You can also enable OCSP and set the browser to fail if the OCSP status of a cert cannot be verified. There are also reports that Firefox has hard-coded a number of certs as being fraudulent. I’ll be posting some details on this tonight. You are right, both Chrome and IE are showing these certs as being revoked in the configuration, which is the best thing to do as it does not require checking a CRL or contacting an OCSP server.

    Mian Khurrum

  • You bring up an interesting issue: should these things be preconfigured in the application or be dynamically configured via updates from a central server? Each has pros and cons…
