Blue Coat recommends that customers perform the following actions:
- Enable server certificate validation, at least for the seven domains named in the fraudulent certificates.
- Enable CRLs and/or OCSP for revocation checking. Validating a certificate without also checking its revocation status will still accept the fraudulent certificates, because they chain correctly to a trusted CA.
- If using CRLs, install the latest Comodo InstantSSL CRL and ensure all other CRLs are current; a CRL issued before the revocation does not list the fraudulent certificates. The latest Comodo InstantSSL CRL can be downloaded from crl.comodo.net/UTN-USERFirst-Hardware.crl.
- If using OCSP, review the ignore settings for the OCSP responder. Ignoring failures, especially failures to connect to the OCSP responder, lets an attacker who can block or delay the responder bypass revocation checking entirely; a connection failure should be treated as a validation failure, not as "not revoked".
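The following script is an added example and is not Blue Coat's or ProxySG's own code; it uses the openssl command line to show, end to end, what the three revocation recommendations above mean in practice. It builds a throwaway root CA (the name "Demo Root CA", the host "login.example.test" and all file names are made up for the demo), issues a server certificate, revokes it and publishes a CRL, then runs "openssl verify" three ways: with no revocation checking (the revoked certificate is accepted, which is the situation on a proxy or browser with revocation checking disabled), with a current CRL (rejected), and with the same CRL evaluated 30 days later, after its nextUpdate has passed (a stale CRL is itself an error, which is why the CRL must be kept current). It assumes an openssl binary (1.1.1 or later, for -addext) is on the PATH and writes only into a temporary directory.

```shell
#!/bin/sh
# Added example (not Blue Coat's or ProxySG's code). Builds a hypothetical CA,
# revokes a server certificate, and shows how "openssl verify" behaves with
# no revocation checking, a current CRL, and a stale CRL.

WORK="${WORK:-$(mktemp -d)}"
LOG="$WORK/openssl.log"

write_config() {
    # Minimal config for "openssl req" and "openssl ca"; all paths are absolute.
    cat > "$WORK/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $WORK
database = $WORK/index.txt
new_certs_dir = $WORK
serial = $WORK/serial
certificate = $WORK/ca.crt
private_key = $WORK/ca.key
default_md = sha256
default_days = 365
default_crl_days = 7
policy = demo_policy
[ demo_policy ]
commonName = supplied
EOF
}

setup_ca() {
    # Idempotent so the demo and later checks can both call it.
    [ -f "$WORK/ca.crl" ] && return 0
    write_config
    : > "$WORK/index.txt"
    echo 1000 > "$WORK/serial"
    # Self-signed root for the made-up "Demo Root CA".
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -days 3650 \
        -subj "/CN=Demo Root CA" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" >>"$LOG" 2>&1 || return 1
    # Server certificate for a made-up host, issued through "openssl ca" so it
    # is recorded in index.txt and can be revoked afterwards.
    openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/CN=login.example.test" >>"$LOG" 2>&1 || return 1
    openssl ca -config "$WORK/ca.cnf" -batch -notext -days 365 \
        -in "$WORK/server.csr" -out "$WORK/server.crt" >>"$LOG" 2>&1 || return 1
    # Revoke it (the analogue of the CA revoking a fraudulent certificate)
    # and publish a CRL that is valid for 7 days.
    openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/server.crt" >>"$LOG" 2>&1 || return 1
    openssl ca -config "$WORK/ca.cnf" -gencrl -crldays 7 \
        -out "$WORK/ca.crl" >>"$LOG" 2>&1 || return 1
}

# Verifies the revoked server certificate against the root with the given
# extra "openssl verify" flags and prints "accepted" or "rejected".
verify_leaf() {
    setup_ca || { echo "setup-failed"; return 0; }
    if openssl verify -CAfile "$WORK/ca.crt" "$@" "$WORK/server.crt" >>"$LOG" 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

# 1. No revocation checking: the chain is valid, so the revoked cert passes.
verify_without_revocation_check() { verify_leaf; }

# 2. Revocation checking with a current CRL: the serial is listed, rejected.
verify_with_current_crl() { verify_leaf -crl_check -CRLfile "$WORK/ca.crl"; }

# 3. The same CRL evaluated 30 days later, after its nextUpdate: OpenSSL
#    treats an expired CRL as an error and fails closed rather than accepting.
verify_with_stale_crl() {
    verify_leaf -crl_check -CRLfile "$WORK/ca.crl" \
        -attime $(( $(date +%s) + 30 * 86400 ))
}

echo "no revocation check : $(verify_without_revocation_check)"
echo "current CRL         : $(verify_with_current_crl)"
echo "stale CRL           : $(verify_with_stale_crl)"
echo "openssl output is in $LOG"
```

The first result is the one to take away: a perfectly valid chain tells you nothing about revocation, so "enable certificate validation" alone does not stop a revoked certificate. The third result shows the other half of the recommendation: an out-of-date CRL does not quietly pass, it breaks validation, so CRL freshness has to be maintained rather than installed once. On ProxySG the equivalent settings are the appliance's CRL and OCSP configuration for the SSL proxy, not openssl flags.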
ProxySG only checks the revocation status of server certificates when the SSL proxy is enabled. Customers who have not enabled the SSL proxy should instead ensure that browsers are upgraded with the latest security patches and have revocation checking enabled.
Customers who have enabled the SSL proxy but cannot implement revocation checking can instead remove the Comodo InstantSSL CA from the list of trusted CAs used by the SSL client. In ProxySG this CA is named UTN_USERFirst_HW. Note that this untrusts every server certificate chaining to that CA, not only the fraudulent ones, so expect validation failures for legitimate sites that use it until it is restored. The CA certificate can be added back to the list of trusted CAs later if desired.
Any CA certificate that is no longer trusted can also be removed from the list of available CAs on ProxySG. Once a CA certificate has been removed, it cannot appear in, or be added to, a list of trusted CAs unless it is imported again.
Firefox, Internet Explorer, and other products have released patches that automatically reject the nine fraudulent certificates. No SGOS update will be issued for this issue; ProxySG customers should apply the mitigations above.