It wasn’t a CA compromise

I've been getting lots of emails from the marketing people at another security vendor who want me to attend their webinar "Comodo CA Compromise: Ramifications and Security Best Practices." I find this a bit annoying for two reasons.

The first is that I have absolutely no interest in buying products from the spamming vendor. They probably got my name off the list of attendees at some trade show, even though I always select the option that's closest to "Never contact me by any means about anything related to the fine products or services that I will hear about at this event" when I register for these events.

The next is that what happened to Comodo wasn't a CA compromise. Calling it one makes it look like you don't really understand the difference between a CA and an RA, and a security vendor that doesn't understand that isn't one whose advice I'd take on security best practices.

What happened to Comodo was that someone managed to get the username and password of an RA. This let them masquerade as the RA and approve nine bogus requests for SSL certificates while they had that access. The CA's own signing key and infrastructure were never at issue, so calling this incident a "CA compromise" isn't just misleading. It isn't the sort of thing that you can explain away as marketing spin on a security incident. It's just plain wrong.
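To make the CA/RA distinction concrete, here is an added toy model (constructed for this post, not Comodo's code or any real CA software) of the trust split the incident turns on: the CA holds the signing key and signs whatever an authenticated RA approves, while vetting the requester is delegated to the RA. The RA name, password and hostnames are all made up. The simulation shows why stolen RA credentials yield validly signed certificates without the CA key ever being exposed, and what the response looks like: disable the RA credential and revoke everything it approved.

```python
"""Toy model of the CA / RA trust split. Constructed example; not real CA code."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _hash_password(password: str, salt: bytes) -> bytes:
    # Stored RA credential: salted PBKDF2 so a leaked table is not directly usable.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class CertificateAuthority:
    """Owns the signing key. Authenticates RAs and signs what they approve;
    checking who the requester really is belongs to the RA, not the CA."""
    signing_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    ra_credentials: dict = field(default_factory=dict)  # RA name -> (salt, hash)
    issued: list = field(default_factory=list)
    revoked: set = field(default_factory=set)

    def register_ra(self, name: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.ra_credentials[name] = (salt, _hash_password(password, salt))

    def authenticate_ra(self, name: str, password: str) -> bool:
        entry = self.ra_credentials.get(name)
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(stored, _hash_password(password, salt))

    def _sign(self, serial: int, cn: str, ra: str) -> str:
        # HMAC stands in for the CA's signature in this model.
        body = f"{serial}|{cn}|{ra}".encode()
        return hmac.new(self.signing_key, body, hashlib.sha256).hexdigest()

    def issue(self, ra_name: str, ra_password: str, common_name: str) -> dict:
        # The only gate is the RA's credential: whoever holds it is "the RA".
        if not self.authenticate_ra(ra_name, ra_password):
            raise PermissionError("RA authentication failed")
        serial = len(self.issued) + 1
        cert = {"serial": serial, "cn": common_name, "ra": ra_name,
                "sig": self._sign(serial, common_name, ra_name)}
        self.issued.append(cert)
        return cert

    def verify(self, cert: dict) -> bool:
        expected = self._sign(cert["serial"], cert["cn"], cert["ra"])
        return (hmac.compare_digest(expected, cert["sig"])
                and cert["serial"] not in self.revoked)

    def revoke_ra(self, ra_name: str) -> list:
        """Incident response: disable the RA credential and revoke every
        certificate that RA approved. The CA signing key is untouched."""
        self.ra_credentials.pop(ra_name, None)
        serials = [c["serial"] for c in self.issued if c["ra"] == ra_name]
        self.revoked.update(serials)
        return serials


def simulate_ra_credential_theft() -> dict:
    """Walk through the shape of the incident with constructed names."""
    ca = CertificateAuthority()
    ca.register_ra("reseller-ra", "correct horse battery staple")  # constructed
    key_before = ca.signing_key

    # The attacker holds only the RA's username/password, never the CA key.
    stolen_user, stolen_pass = "reseller-ra", "correct horse battery staple"
    bogus = [ca.issue(stolen_user, stolen_pass, f"bogus-{i}.example")
             for i in range(9)]

    # They verify: the CA signed them because an authenticated RA approved them.
    valid_before = all(ca.verify(c) for c in bogus)

    # Response: cut the RA credential and revoke what it approved.
    revoked = ca.revoke_ra("reseller-ra")

    return {
        "ca_key_unchanged": ca.signing_key == key_before,
        "valid_before_revocation": valid_before,
        "valid_after_revocation": any(ca.verify(c) for c in bogus),
        "revoked_count": len(revoked),
        "ra_can_still_authenticate": ca.authenticate_ra(stolen_user, stolen_pass),
    }


if __name__ == "__main__":
    print(simulate_ra_credential_theft())
```

The point the model makes is that nothing about the CA's key material changes before, during or after the incident; the failure is entirely in who could act as the RA, and the remedy is credential revocation plus revocation of the certificates that credential approved, not a CA re-key.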
