This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SSL spoof DIGINOTAR, COMODO - does Astaro remove root certs?

Dear All!

referring to the news Microsoft, Google and Mozilla removed root certificates from the Dutch CA “DIGINOTAR”. Also a few weeks ago, root certs from COMODO have been removed.

Google users in Iran targeted in SSL spoof | InSecurity Complex - CNET News

How does Astaro deal with it?

In
Web Security >> Web Filtering >> HTTPS CAs
does Astaro remove the certs by pattern updates? Do I have to do it myself?
Where can I find official information about how Astaro deals with that problems?

This thread was automatically locked due to age.

0 Scott_Klassen over 14 years ago

For now it could possibly be best to disable the Diginotar cert at Web Security >> Web Filtering >> HTTPS CAs.
does Astaro remove the certs by pattern updates? Do I have to do it myself? Where can I find official information about how Astaro deals with that problems?
When Astaro has something to announce, they will probably post here in the forums.

__________________
ACE v8/SCA v9.3

...still have a v5 install disk in a box somewhere.

http://xkcd.com
http://www.tedgoff.com/mb
http://www.projectcartoon.com/cartoon/1
Cancel
Vote Up 0 Vote Down

Cancel
0 denko2k over 14 years ago in reply to Scott_Klassen

Thanks a lot, Scott! I appreciate.

Yes. It is highly recommended to deactivate this root cert.

However, it would be interesting to know how Astaro handle such a problem in principle?

1) Can a pattern update change the root CAs?
2) Is a firmware update necessary for changes in the root certs?
Cancel
Vote Up 0 Vote Down

Cancel
0 Scott_Klassen over 14 years ago

I dimly recall at some time in the past a certificate needed to be removed due to a problem. I've been trying to find a post about it, but have been unsuccessful. The shell commands to do this manually were provided, but for general availability it did require an up2date push to resolve. Or maybe my addled brain is just remembering incorrectly. [:)]

__________________
ACE v8/SCA v9.3

...still have a v5 install disk in a box somewhere.

http://xkcd.com
http://www.tedgoff.com/mb
http://www.projectcartoon.com/cartoon/1
Cancel
Vote Up 0 Vote Down

Cancel
0 BrucekConvergent over 14 years ago in reply to Scott_Klassen

denko2k, I dont' think they have a mechanism in place currently that removes revoked CAs... that is definitely something they should add... you might want to go to feature.astaro.com and post a request.

CTO, Convergent Information Security Solutions, LLC

https://www.convergesecurity.com

Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries. Use the advice given at your own risk.
Cancel
Vote Up 0 Vote Down

Cancel
0 trollvottel over 14 years ago

In v8.202 the DigiNotar CA will be removed from the trusted HTTPS CAs.
Cancel
Vote Up 0 Vote Down

Cancel
0 Scott_Klassen over 14 years ago

Thank you Mario.

__________________
ACE v8/SCA v9.3

...still have a v5 install disk in a box somewhere.

http://xkcd.com
http://www.tedgoff.com/mb
http://www.projectcartoon.com/cartoon/1
Cancel
Vote Up 0 Vote Down

Cancel
0 BrucekConvergent over 14 years ago in reply to trollvottel

In v8.202 the DigiNotar CA will be removed from the trusted HTTPS CAs.

Any plans in making the removal of a known bad CA part of the pattern up2date process, so the lag time (and manual process required) involved in using a firmware up2date is eliminated?

CTO, Convergent Information Security Solutions, LLC

https://www.convergesecurity.com

Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries. Use the advice given at your own risk.
Cancel
Vote Up 0 Vote Down

Cancel
0 Alvin over 14 years ago in reply to BrucekConvergent

When is 8.202 schedueld for GA?

In the mean time, Astaro wont post some counter measures for savvy people to do Manually?
Cancel
Vote Up 0 Vote Down

Cancel
0 Scott_Klassen over 14 years ago

When is 8.202 schedueld for GA
Unknown at this time. They are still working on various fixes which will be included.

Astaro wont post some counter measures for savvy people to do Manually

In the web proxy, go to the HTTPS CAs Tab and disable the DigiNotar cert.

__________________
ACE v8/SCA v9.3

...still have a v5 install disk in a box somewhere.

http://xkcd.com
http://www.tedgoff.com/mb
http://www.projectcartoon.com/cartoon/1
Cancel
Vote Up 0 Vote Down

Cancel
0 Alvin over 14 years ago

Thank You Scott

- I would disable this DigiNotar Cert.
- Any other Manual Counter Measures we should be doing on Astaro?
- Such as any other known Certs that need to be disabled?
- Any other known nasty network blocks we should block completely?
Cancel
Vote Up 0 Vote Down

Cancel