In continuation of my article of
Untrusted Certificates, I’m trying to set the record strait if this was a glitch in the software of the reseller or really negligence on part of Comodo. The reseller (actually they were supposed to be a registration authority) maintained that it was the result of unintentional mistakes and a glitch in their validation system. Which validation exactly? Robin Alden, CTO of Comodo, claimed that they take their responsibility to supervise registration authorities (RA) very seriously and that they actively audit their performance. Lets find out together…
Some of the images were made during my first attempt to find out which certification authority is behind scam mails sent to our customers and users. Some images refer to the startcom.org domain, however the steps were essentially the same with mozilla.com. Starting with the misleading emails:
The scam to allegedly renew the certificate continues. Note the misleading text “Our records indicate…”:
I used my real details - nothing to hide. Note the “New Username“, as if I already had an account previously with them and perhaps lost it.
My account was confirmed accordingly:
Payment was done via Paypal:
Upon returning from Paypal I submitted the certificate signing request with the subject line “C=IL, ST=South, L=Eilat, O=StartCom Ltd., CN=www.mozilla.com, Efirstname.lastname@example.org“. At this stage I expected something to happen, but all I got was this:
After 30 seconds the screen refreshed with the certificate:
The certificates arrived by email too. Note that the email for the mozilla.com certificate was sent to webmaster[@]startcom.org:
At this stage I wondered if this was just a scam all the way as it started and the certificates not even issued by Comodo. I examined the certificates attached and they looked like those of Comodo, but will it really work?
Now perhaps somebody explain to me where the glitch exactly was! There was no validation step, not even a hint of it. Perhaps also somebody explain to me where Comodo comes into this. If they’d have performed at least one walk-through at this resellers site, they’d have realized that something is missing. Is this negligence?
For comparison, review another event which due to a bug just recently happened to the StartCom CA and how the issuance of a fraudulent certificate to a high-profile brand name was prevented.