Russian Censor Bans Comodo... Doesn't Realize Its Own Security Certificate Is From Comodo

from the ow!-my-foot!-shot-it-right-off! dept

The Russian government's state censorship organization, Roskomnadzor (technically its telecom regulator) has been especially busy lately as the government has continued to crack down on websites it doesn't like. However, as pointed out by Fight Copyright Trolls, it appears that Roskomnadzor may have gone a bit overboard recently, in response to a court ruling that had a massive list of sites to be banned (over a thousand pages). Apparently, as part of that, various sites associated with Comodo were all banned. That's pretty bad for a variety of reasons, starting with the fact that Comodo remains one of the most popular issuers of secure certificates for HTTPS.

In fact, as many quickly noted, Roskomnadzor's own website happens to be secured with a certificate from... Comodo:

The impact of this isn't entirely clear, but the Rublacklist site appears to be implying (via my attempt at understanding Google Translate's translation...) that this also means that sites that rely on Roskomnadzor's registry of sites to block... may be blocked from accessing the list. Because its own site is effectively blocked by the list. Oops.

Reader Comments


  • AJ, 26 Jul 2016 @ 7:14am

    POPCORN!!!.. GET YOUR POPCORN!!.......

  • Anonymous Coward, 26 Jul 2016 @ 7:25am

    Pop quiz...

    Will this
    a) block the blocking of sites?
    b) suddenly and drastically reduce the amount of Russian spam I receive?
    c) suddenly and drastically increase the amount of russian spam I receive?
    d) create some sort of block hole?
    e) all of the above.

  • Pixelation, 26 Jul 2016 @ 7:35am

    Ignorance is universal

    Can we put this down as another politician who is unclear on the concept?

  • Lord Lidl of Cheem, 26 Jul 2016 @ 7:40am

    In Soviet Russia, site ban bans ban.

  • Anonymous Coward, 26 Jul 2016 @ 7:50am

    Kirk: Ohuru, contact the planet, we have to warn them.

    Ohuru: I can't get through...

    Spock: They appear to be blocking our communications, captain.

    Kirk: They're blocking our warning? That's really stupid blocking...

    Checkov: Russia inwented really stupid blocking!

    • Anonymous Coward, 26 Jul 2016 @ 10:00am

      Re:

      Kirk: Ohuru, contact the planet, we have to warn them.

      Ohuru: I can't get through...

      Spock: They appear to be blocking our communications, captain.

      Kirk: They're blocking our warning? That's really stupid blocking...

      Checkov: Russia inwented really stupid blocking!


      Spock: As I informed you earlier, There is No intelligent life down there.

  • Berenerd, 26 Jul 2016 @ 8:05am

    Seems like it's working as it should, blocking those bad propaganda sites

  • Dingledore the Flabberghaster, 26 Jul 2016 @ 8:22am

    If the block list is blocked, won't they be unblocked?

    But then, if they're unblocked, they're free to be blocked, which will unblock them, allowing them to be blocked, having the effect of unblocking them until they're immediately blocked again.

    At what point will they fire their Net Admins and hire some philosophers on ornithology?

    • Anonymous Coward, 26 Jul 2016 @ 8:46am

      Re: If the block list is blocked, won't they be unblocked?

      Cue the social media posts:

      A: ABC site is randomly offline WTF!
      B: I checked the block list but there is nothing there!
      C: You are both crazy, I checked the block list and ABC is blocked.

  • Anonymous Coward, 26 Jul 2016 @ 9:06am

    No contact necessary?

    As I understand SSL handshaking, the list of trusted CAs is a list on the user's computer. Entries on that list get updated (i.e. revoked, etc.) through OCSP or a downloaded Certificate Revocation List (CRL).

    On the one hand, contact with the issuing server is not necessary to continue using the certificate.

    On the other hand, the issuing CA is also where the revocation issues from....


    All this from a 10 minute Google search. Please correct me where appropriate.

    • Whoever, 26 Jul 2016 @ 9:41am

      Re: No contact necessary?

      On the other hand, the issuing CA is also where the revocation issues from....


      Yeah, that was my thought. Blocking Comodo has 2 effects:
      1. Stops new sales by Comodo
      2. Stops people downloading Comodo's list of revoked certificates.

      Perhaps there is a certificate that Comodo has issued in error, but the Russians would like to continue using it?

    • Anonymous Coward, 26 Jul 2016 @ 11:42am

      Re: No contact necessary?

      If the CA can't be contacted to verify that the cert hasn't been revoked within a certain period of time then the cert may be rejected.

      reply to this | link to this | view in chronology ]
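
An added illustration of the revocation question raised in the thread above (not part of the article or of any comment): a simplified model of what a TLS client decides when the CA's OCSP/CRL endpoint cannot be reached. All names, the 7-day validity window and the soft-fail/hard-fail switch are assumptions made for the example; no real certificate or network is involved.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class RevocationStatus:
    """A CA-signed status (OCSP response or CRL), reduced to the fields used here."""
    revoked: bool
    this_update: datetime
    next_update: datetime  # the status is stale from this instant on


class ResponderUnreachable(Exception):
    """The CA's OCSP/CRL endpoint cannot be reached, e.g. it is on a block list."""


def is_current(status: Optional[RevocationStatus], now: datetime) -> bool:
    return status is not None and status.this_update <= now < status.next_update


def check_revocation(fetch: Callable[[], RevocationStatus],
                     cached: Optional[RevocationStatus],
                     now: datetime, hard_fail: bool) -> Tuple[bool, str]:
    """Decide whether to accept a certificate; returns (accept, reason)."""
    try:
        status, source = fetch(), "fresh"
    except ResponderUnreachable:
        status, source = cached, "cached"  # fall back to the last status seen
    if is_current(status, now):
        return (not status.revoked), f"{'revoked' if status.revoked else 'good'} ({source})"
    # No usable status left: the client's policy decides, not the certificate.
    return (not hard_fail), "no current status, " + ("hard-fail" if hard_fail else "soft-fail")


def blocked_responder() -> RevocationStatus:
    raise ResponderUnreachable("constructed: CA endpoint is blocked")


def simulate() -> dict:
    """Constructed timeline: a 'good' status cached on day 0, valid for 7 days."""
    t0 = datetime(2016, 7, 26, tzinfo=timezone.utc)
    cached = RevocationStatus(False, t0, t0 + timedelta(days=7))
    out = {}
    for day in (1, 8):
        for mode in ("soft", "hard"):
            out[day, mode] = check_revocation(
                blocked_responder, cached, t0 + timedelta(days=day), mode == "hard")
    return out
```

While the cached status is current, both policies accept the certificate; once it expires, a soft-fail client keeps accepting and only a hard-fail client rejects.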

  • Ninja, 26 Jul 2016 @ 9:10am

    On Soviet Russia the Internet browses you. So no problem.

  • Anonymous Coward, 26 Jul 2016 @ 9:10am

    Didn't this happen in an episode of Max Headroom? The censor censoring the censor.

  • Just Me, 26 Jul 2016 @ 11:22am

    The CRL Distribution point is not critical

    Too bad the CRL distribution point for their certificate is not marked critical. It would have been amusing for their own website to become untrusted when the web browsers could not download the CRL.

  • Mark Wing, 26 Jul 2016 @ 11:34am

    Trump: It's time to close the Internet.

    Putin: Ok LOL.

  • Skeeter, 26 Jul 2016 @ 3:13pm

    Trust Certificates, really?

    The grander humor to all of this is the idea of a 'Trust Certificate' to begin with. Have any of those commenting actually looked at what it takes to get a 'trust' certificate? Ever wonder why the new fad is to 'revoke previously issued Trust Certificates'?

    It's because Comodo, like a LOT of other CA's have done their best to emulate the BBB, and sell Trust Certificates to most anyone with a phone and a credit card! Now, they find out (after the horse is out of the barn) that a LOT of those certs they sold went to: Russian Mafia, unknown government entities and more. Now, they want to 'revoke' them, and 'legitimately scrutinize' who's actually buying them. Layman's terms: OOPS!

    So, before you think it's funny that these 'certificates' are revoked, or the CA is now black-listed, maybe, just maybe you need to understand that it doesn't take a 'little green padlock' in the URL bar to get someone to visit your site anymore than a 'little green padlock' missing will stop them.

    You don't go to websites you don't mean to, and you default to trusting sites you go to without looking whether there is a padlock in that URL bar when you do. If money or personal ID aren't 'in-transit', few care, and fewer look.

    Hey, I thought everyone wanted to be in the 'cloud' nowadays with their G-Strings showing? I thought everyone wanted to go 'no privacy', and that Google-NSA was a good thing, remember?

    In reality, CA's are like ISO certification for manufacturing. In reality, it doesn't make a better product, it makes a mediocre product cost more, and in most instances, bankrupts smaller companies in the end. Same with CA's - it's a scam to start with.

  • ivan, 16 Jan 2017 @ 11:41am

    android
