Did the EFF speculate on Comodogate?
Continuing from yesterday, I have more to say on Comodogate and the EFF's article that came out shortly after.
Today, I had a good IRC conversation with Kai Engert (The key programmer in implementing the Mozilla patch for Comodogate) and it is his contention as well that these certificates are the real certificates and that they have no reason to believe they were re-issued.
This brings me to the EFF and a couple pointed questions. On the 23rd as this whole fiasco was made public, the EFF wrote this article -- "Iranian hackers obtain fraudulent HTTPS certificates: How close to a Web security meltdown did we get?" which was heavily trafficked and cited by security researchers for one key phrase.
"One cert was for "global trustee" — not a domain name. That was probably a malicious CA certificate that could be used to flawlessly impersonate any domain on the Web."
This statement is increasingly looking incorrect -- and this certificate is almost certainly not a malicious CA certificate. I cannot say with absolute certainty that it is not a CA, except that for it to be a CA cert would require a very unlikely conspiracy by Comodo, and one that would leave Microsoft products completely vulnerable today. Rather, instead all the evidence suggests that these certificates released by Comodo are genuine, and that this Global Trustee certificate is simply not a CA certificate, but is rather a client certificate with a larger than usual key of 4096 bits.
It also suggests that Google was more prominent a target than they have notified their users of. The certificates contain Organization and Organizational Unit fields that directly point to Google's Tech Dept -- which if these certificates are genuine, was information included by the Comodo Hacker, specifically targeting Google. I still have not received a reply to my request for comment from Google.
That the hacker published the private key for one of the certificates is also a key indicator that these certificates were not re-issued. If they were, then the hacker would have been in collaboration with the CA in releasing a new, rather than the original, private key. Again, conspiracy, but not 100% impossible.
It has also been determined that there may be issues with the CRL system, in that a certificate revocation is done entirely by serial number, and that a CA can (but is bound by procedural rules not to) generate a new certificate with the same serial as the old, change key items (like a CA:TRUE to a CA:FALSE) and still have the cert be valid for serial-only CRL purposes. The CRL system does not appear to take the whole certificate into account -- however, the Microsoft approach of putting the entire certificate into 'Untrusted Certificates' does appear to take the whole certificate into account. Which means if the certificates had been re-issued, special blacklisting certs with matching serials, then the MS patch would be broken today, and the real hacked certs would not be blocked in MS products.
Which brings me back to the EFF. Either Comodo/MS et al are involved in a fantastic conspiracy, or the EFF is wrong about the certificate being 'probably a malicious CA'. In-fact, I'm not sure where they could have got that information in the first place, as the public keys released by Comodo on the 23rd when the bug became known specifically state that this certificate is not a CA certificate. So to the EFF I have three pointed questions:
1) Why did you use the phrase "That was probably a malicious CA certificate that could be used to flawlessly impersonate any domain on the Web." ?
2) Did you have access to the actual certificates at time of writing?
3) Do you believe you were wrong about the CA certificate, or do you still maintain that it could be a malicious CA?
I will attempt to find the answers, as discounting the presence of a live CA certificate will do much to restore confidence in the global SSL system, and eliminate the dooms-day scenario of a hacked certificate authority being live in the wild.