The Hack o blog

Reinventing the weel

The Comodo Hacker Released Mozilla certificate for “real dumbs”


The hacker that fraudulently obtained the Comodo.com SSL certificate published it on Pastebin. I have not had time to verify it yet, so subscribe for updates. (His English is almost as good as mine.)

For some real dumbs, I bet they don’t have IQ above 75, WHO STILL thinks I’m not the hacker, here is mozilla addon’s certificate, check its serial with one published on all the internet:

http://www.multiupload.com/J9I8NFWPT0

I really worry about you guys (people who still have doubts) even for surfing in internet, have you ever visited a doctor?

Private key for above certificate:
http://www.multiupload.com/SI4FKWJ5KY

@ioerror, when I say you have relations with intelligence agencies and you pass traffic, I have my reasons: http://bit.ly/dK0oB5 #comodogate

Thanks to Robert Graham for pointing out that private key is encrypted with a passphrase, here is private key without passphrase, I don’t want to give away my passphrase:


Well, this is scary if it is the Comodo database. That mdb has plaintext passwords as well as some hashes and salts.

But sky, why is this scary?

Well, that’s a good question. Let’s say someone wants to put a malicious add-on onto your computer. Normally, a web browser validates an add-on using the software publisher’s public key: the data is signed with the publisher’s private key, and the browser checks that signature on your local machine.

By doing so, you know the data is legitimately from the software publisher. However, now that the private key has been released, anyone can set up a web server that claims to be the software publisher, and they can sign their data using the private key and your web browser will be none the wiser.

To use this certificate they would need to block you from OCSP so that you cannot find out that the certificate has been revoked.

With Firefox and Opera you can enable forced OCSP checking, but it will break any website that has an ill-made SSL certificate. There is a discussion of forcing OCSP checks in FF 4.*. Also check out HSTS in Chrome/Chromium, which is the only browser that implements this strictly.
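To make the difference between default and forced OCSP checking concrete, here is a small model of the browser's revocation decision. It is an added example, not code from the original post or from any browser; the serial names, the in-memory responder and the function names are all constructed for illustration.

```python
"""Model of browser revocation checking: soft-fail vs. forced (hard-fail) OCSP."""
from enum import Enum


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


# Constructed responder database: certificate serial -> revocation status.
RESPONDER_DB = {"serial-leaked": Status.REVOKED, "serial-ok": Status.GOOD}


class OcspUnreachable(Exception):
    """The OCSP query got no answer (outage, or dropped on the network path)."""


def query_ocsp(serial, ocsp_blocked):
    if ocsp_blocked:  # whoever controls the path can silently drop the query
        raise OcspUnreachable(serial)
    return RESPONDER_DB.get(serial, Status.UNKNOWN)


def browser_accepts(serial, signature_valid, hard_fail, ocsp_blocked=False):
    """Return True if the modelled browser would trust the certificate."""
    if not signature_valid:
        return False  # signature check fails before revocation matters
    try:
        status = query_ocsp(serial, ocsp_blocked)
    except OcspUnreachable:
        # Soft-fail treats "no answer" as "not revoked"; hard-fail refuses.
        return not hard_fail
    if status is Status.GOOD:
        return True
    if status is Status.REVOKED:
        return False
    return not hard_fail  # UNKNOWN: model assumption, handled like no answer


def scenarios():
    """Outcome table keyed by (serial, OCSP blocked?, policy) -> accepted?"""
    rows = {}
    for serial in ("serial-leaked", "serial-ok"):
        for blocked in (False, True):
            for hard_fail in (False, True):
                policy = "hard-fail" if hard_fail else "soft-fail"
                # The leaked key produces valid signatures, so that check passes.
                rows[(serial, blocked, policy)] = browser_accepts(
                    serial, True, hard_fail, blocked)
    return rows


if __name__ == "__main__":
    for key, accepted in scenarios().items():
        print(key, "->", "ACCEPT" if accepted else "REJECT")
```

The row to look at is the revoked serial with OCSP blocked: soft-fail accepts it, hard-fail rejects it. The price of hard-fail shows in the last rows, where a perfectly good certificate is also rejected whenever the responder cannot be reached.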

notes:

He has released some other statements; looking up his nickname on Pastebin shows that this is probably legitimate.

http://pastebin.com/u/ComodoHacker
