Glitch or Negligence?


In continuation of my article on Untrusted Certificates, I’m trying to set the record straight on whether this was a glitch in the software of the reseller or really negligence on the part of Comodo. The reseller (actually they were supposed to be a registration authority) maintained that it was the result of unintentional mistakes and a glitch in their validation system. Which validation exactly? Robin Alden, CTO of Comodo, claimed that they take their responsibility to supervise registration authorities (RA) very seriously and that they actively audit their performance. Let’s find out together…

Some of the images were made during my first attempt to find out which certification authority is behind scam mails sent to our customers and users. Some images refer to the startcom.org domain, however the steps were essentially the same with mozilla.com. Starting with the misleading emails:

Fraudulent reminder and expiration notice

The scam to allegedly renew the certificate continues. Note the misleading text “Our records indicate…”:

Renew Screen

I used my real details - nothing to hide. Note the “New Username”, as if I already had an account previously with them and perhaps lost it.

Customer details

My account was confirmed accordingly:

Confirmation mail of my new account.

Payment was done via Paypal:

Payment

Upon returning from Paypal I submitted the certificate signing request with the subject line “C=IL, ST=South, L=Eilat, O=StartCom Ltd., CN=www.mozilla.com, E=webmaster@startcom.org”. At this stage I expected something to happen, but all I got was this:

Processing

After 30 seconds the screen refreshed with the certificate:

The Certificate

The certificates arrived by email too. Note that the email for the mozilla.com certificate was sent to webmaster[@]startcom.org:

Confirmation mail with certificates attached

At this stage I wondered if this was just a scam all the way through, as it had started, and the certificates were not even issued by Comodo. I examined the attached certificates and they looked like those of Comodo, but would they really work?

Mozilla’s new home page

Now perhaps somebody can explain to me where exactly the glitch was! There was no validation step, not even a hint of one. Perhaps somebody can also explain to me where Comodo comes into this. If they had performed at least one walk-through at this reseller’s site, they would have realized that something is missing. Is this negligence?
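To make concrete what “validation step” means here, the following is an added illustration (not code from the original post, from Comodo, or from any reseller): a minimal approver-address check of the kind an RA must run before issuing. Fed the request above, it refuses, because the CN names mozilla.com while the only contact on the request is at startcom.org. The registrable-domain rule (last two labels) and the list of accepted approver mailboxes are simplifying assumptions.

```python
from typing import Dict, List

# Conventional mailboxes a CA may accept as proof of domain control.
# Assumption: a simplified rule for illustration, not any particular CA's policy.
APPROVER_LOCALPARTS = {"admin", "administrator", "hostmaster", "postmaster", "webmaster"}


def parse_subject(subject: str) -> Dict[str, str]:
    """Parse a comma-separated DN string such as 'C=IL, CN=www.example.com' into a dict."""
    fields = {}
    for part in subject.split(","):
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        key, value = part.split("=", 1)
        fields[key.strip().upper()] = value.strip()
    return fields


def registrable_domain(hostname: str) -> str:
    # Assumption: the registrable domain is the last two labels (no public-suffix list).
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def validation_errors(subject: str, approver_email: str) -> List[str]:
    """Return the reasons an RA must NOT approve this request automatically (empty list = OK)."""
    errors = []
    dn = parse_subject(subject)
    cn = dn.get("CN", "")
    if not cn:
        return ["no CN in subject"]
    cn_domain = registrable_domain(cn)
    local, _, mail_domain = approver_email.lower().rpartition("@")
    # The approver must be reachable at the domain being certified, not at an arbitrary address.
    if registrable_domain(mail_domain) != cn_domain:
        errors.append(f"approver address {approver_email} is not at {cn_domain}")
    # Only the conventional administrative mailboxes count as proof of control.
    if local not in APPROVER_LOCALPARTS:
        errors.append(f"'{local}@' is not an accepted approver mailbox")
    return errors


if __name__ == "__main__":
    # The subject line from the request described in this post; the E= field is attacker-supplied,
    # so using it as the approval contact is exactly the mistake the check must catch.
    subject = "C=IL, ST=South, L=Eilat, O=StartCom Ltd., CN=www.mozilla.com, E=webmaster@startcom.org"
    for problem in validation_errors(subject, parse_subject(subject)["E"]):
        print("REFUSE:", problem)
```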

For comparison, review another event which, due to a bug, recently happened to the StartCom CA, and how the issuance of a fraudulent certificate to a high-profile brand name was prevented.
