Symantec and Comodo revoke certs without proper private key

Just the latest example of why the SSL certificate industry is widely regarded as shady and has such a bad reputation. Not the first time, either, that Symantec or Comodo are in the news because of their sloppy security practices. There are rumours that Symantec and other companies want to sell their SSL businesses as quickly as possible.

Good riddance!

Let’s hope that the awesome work of Let’s Encrypt will accelerate the extinction of these shady and insecure Certificate Authorities. I predict that the launch of wildcard certificates will be the last nail in the coffin of the CA business model, and with it the beginning of the end for these dishonest and untrustworthy practices.

Let’s Encrypt – Beta Impressions

The Let’s Encrypt Beta has finally started. I registered a couple of weeks ago and the domains I use regularly got white-listed.

Certificate information screenshot

Just a few impressions so far:

  • The client is still pretty basic; it comes with a little wrapper that builds a virtual environment for all the required Python modules (which is very nice and comfortable)
  • The plugin to automatically configure Apache is still in alpha
  • The plugin to automatically configure Nginx is buggy and seems to be pre-alpha (I think it is currently not shipped/used at all)
  • Don’t manually mess with /etc/letsencrypt, as in never ever!

It is already comfortable to use, if you compare it to the manual process you had to go through before. Once it is finished and all the bugs are ironed out, this thing will kick ass.

The certificates are already deployed on all my major sites, now I just have some maintenance work to do (remove unsafe ciphers etc.). I started with my blog and the SSL Labs test looks pretty good.

SSL lab test results
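The “remove unsafe ciphers” maintenance mentioned above is, for an Nginx site, a handful of ssl_* directives. The following server block is an added example, not the author’s configuration or anything shipped by the Let’s Encrypt client: it shows the weak settings commented out next to the hardened ones, and assumes the hypothetical domain example.com and the client’s default file layout under /etc/letsencrypt/live/example.com/.

```nginx
# Added example, not the author's configuration. Assumes the site is
# example.com, the Let's Encrypt client wrote its files under
# /etc/letsencrypt/live/example.com/ (the client's default layout) and
# nginx is new enough for the "always" parameter of add_header (1.7.5+).

server {
    listen 80;
    server_name example.com www.example.com;
    # Plain HTTP only redirects; nothing else is served here.
    return 301 https://example.com$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;

    # Point at the "live" symlinks, never at the files in "archive":
    # the client repoints the symlinks on renewal.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Weak (the kind of defaults SSL Labs marks down): SSLv3 enabled,
    # RC4 and 3DES suites reachable via HIGH:MEDIUM, client picks the order.
    # ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    # ssl_ciphers HIGH:MEDIUM:!aNULL;
    # ssl_prefer_server_ciphers off;

    # Hardened: TLS 1.2 only, forward-secret AEAD suites only, server
    # chooses the order. No DHE suites, so no ssl_dhparam is needed.
    # OpenSSL silently skips suites it does not know (the CHACHA20 ones
    # need OpenSSL 1.1.0), so the list is safe on older builds too.
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    # Session resumption via the server-side cache, not tickets: a
    # long-lived ticket key would undo forward secrecy for every session
    # it ever protected.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # OCSP stapling; chain.pem is the issuer chain the client also writes.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    resolver 127.0.0.1 valid=300s;

    # HSTS: keep max-age short until renewals are known to work, then
    # raise it. A long value plus a lapsed certificate locks users out.
    add_header Strict-Transport-Security "max-age=86400" always;

    root /var/www/example.com;
}
```

Check the file with `nginx -t` before reloading, then re-run the SSL Labs test. The certificate paths deliberately go through the live/ symlinks: the client keeps the real files in archive/ and only repoints the symlinks on renewal, which is the practical reason behind “don’t manually mess with /etc/letsencrypt”. Copying or moving those files elsewhere means the next renewal will not reach your server.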

I will try to do more with it in the upcoming days and weeks, but between work and university I currently don’t have that much time for personal projects.

If you are not part of the beta program but want to support the Let’s Encrypt initiative and go bug hunting, or simply want to try out how it works, just grab the client from GitHub and use the testing infrastructure they provide (the testing CA is called “Happy Hacker CA”). News and announcements about the beta can be found here; there are also configuration examples for Nginx and Apache.

Last but not least, Kenn White published a little script suite on GitHub that downloads the official client and runs it to generate a certificate. It helps a lot to run the client on older Linux distributions or AWS instances, but on newer distributions it is a bit redundant in my opinion. Everything is in the early stages, and as the Let’s Encrypt initiative matures, I am sure the scripts will grow and be a great resource in the future! Kenn mentions other available clients on the page, make sure to check them out:

Chrome exploits

On FeFe’s site I found two interesting Chrome exploits. Because Chrome is sandboxed, they had to chain a lot of bugs to break out.

So, that’s the long and impressive path Pinkie Pie took to crack Chrome. All the referenced bugs were fixed some time ago, but some are still restricted to ensure our users and Chromium embedders have a chance to update. However, we’ve included links so when we do make the bugs public, anyone can investigate in more detail.

The Chromium Blog has details on the two winners of the Pwnium browser hacking competition.