Microsoft posted an advisory warning of nine fraudulent digital certificates issued by Comodo, a vendor of SSL certificates and other online security solutions.
The certificates were signed on behalf of a third party without sufficient proof of identity, Comodo told Microsoft.
They could have been used by a fraudster to create a fake website that was able to bypass a browser's validity mechanism and appear like the real thing to users.
The attacker would then be able to spoof content or perform phishing attacks and man-in-the-middle attacks to steal credentials or spy on users.
Major web domains, such as those belonging to Google, Yahoo, Skype and Mozilla, were affected. However, Comodo has revoked these certificates – they are included on Comodo's most recent Certificate Revocation List.
Customers don't need to do anything, since the update is typically loaded automatically. Web browsers with the Online Certificate Status Protocol (OCSP) enabled will also block the fraudulent certificates from being used. Researcher Jacob Appelbaum first reported the problem to Comodo but withheld disclosure until the certification authority could remediate the issue.
The origin of the attack was traced to several IP addresses, mainly originating in Iran, Comodo explained on its website. One user account was compromised, and the attacker used it to create a new user ID (with a new username and password).
Comodo said the attack was performed with "clinical accuracy," which, together with the Iranian government's recent attacks on other encrypted methods of communication, led the company to conclude that "this was likely a state-driven attack."
"The attacker was well prepared and knew in advance what he was trying to achieve," Comodo said.
Although the attacker requested nine certificates, Comodo is uncertain whether all were issued. At least one was issued, but all certificates were revoked immediately on discovery.
"The account in question has been suspended pending ongoing forensic investigation," the site stated. Comodo also instituted new controls "in the wake of this new threat to the authentication platform."
Paul Mutton, a British researcher and author, writing on Netcraft.com, said public announcement of the attack was delayed to allow Mozilla to include fixes in its update this week of Firefox to version 4.
Although seemingly resolved, the attack illustrates problems in what Stephen Schultze, associate director at the Center for Information Technology (CITP) at Princeton University in New Jersey, has referred to as the online “chain of trust.”
This chain, he explained at a conference at Princeton in the fall, is the security path among web browsers and/or operating systems, more than 600 certification authorities that issue digital certificates to websites, the sites or “subscribers” that use the web worldwide, and end-users.
Speaking on Wednesday with SCMagazineUS.com, Schultze said the entire system is flawed because there are so many entities that can grant SSL certificates.
"The system is designed in such a way that any single point of failure can affect the whole operation," he said.
As for this week's breach of Comodo, he said the structure that the company has set up is too liberal in allowing affiliates to issue certificates.
The company has a bad track record with its "Reseller Authorities" program, which has led to poor or nonexistent validation in the past. What is needed is a better system, he said.
"The current SSL structure is broken, and it has been for more than a decade," he said. "We need fundamentally better architecture for baseline security, where all entities are trusted equally."
To achieve this goal, he said a new authentication system is needed, such as DANE (DNS-based Authentication of Named Entities). The system places encrypted keys in secure DNS and is deployed in top-level domains.
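As an added example that is not from the article, from Comodo or from any DANE implementation, the following Python sketch shows the mechanism Schultze points to: a TLSA record (RFC 6698) published in DNSSEC-signed DNS pins the server's own certificate or public key, so a certificate mis-issued by any of the hundreds of other certification authorities carries a different key, fails to match the record and is rejected regardless of which CA signed it. The byte strings standing in for DER-encoded certificates and SubjectPublicKeyInfo blobs are constructed, and the class and function names are this example's own.

```python
# Added illustration of DANE TLSA matching (RFC 6698). Not code from the
# article or from any real DANE library; the "DER" and "SPKI" byte strings
# below are constructed stand-ins, not real ASN.1.
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSARecord:
    usage: int          # 3 = DANE-EE: match the end-entity cert/key directly
    selector: int       # 0 = full certificate, 1 = SubjectPublicKeyInfo only
    matching_type: int  # 0 = exact bytes, 1 = SHA-256 digest, 2 = SHA-512 digest
    data: bytes         # "certificate association data"


@dataclass(frozen=True)
class Certificate:
    der: bytes   # constructed stand-in for the DER-encoded certificate
    spki: bytes  # constructed stand-in for its SubjectPublicKeyInfo


def selected_bytes(cert: Certificate, selector: int) -> bytes:
    """Pick the part of the certificate the TLSA selector refers to."""
    if selector == 0:
        return cert.der
    if selector == 1:
        return cert.spki
    raise ValueError(f"unknown TLSA selector {selector}")


def association_data(cert: Certificate, selector: int, matching_type: int) -> bytes:
    """Compute what a TLSA record's data field would contain for this cert."""
    raw = selected_bytes(cert, selector)
    if matching_type == 0:
        return raw
    if matching_type == 1:
        return hashlib.sha256(raw).digest()
    if matching_type == 2:
        return hashlib.sha512(raw).digest()
    raise ValueError(f"unknown TLSA matching type {matching_type}")


def make_tlsa(cert: Certificate, usage: int = 3, selector: int = 1,
              matching_type: int = 1) -> TLSARecord:
    """What a domain owner publishes: by default '3 1 1', a SHA-256 of the SPKI."""
    return TLSARecord(usage, selector, matching_type,
                      association_data(cert, selector, matching_type))


def tlsa_rdata(record: TLSARecord) -> str:
    """Zone-file presentation format, e.g. '3 1 1 <hex digest>'."""
    return f"{record.usage} {record.selector} {record.matching_type} {record.data.hex()}"


def tlsa_matches(record: TLSARecord, cert: Certificate) -> bool:
    """Does the presented certificate match this record? Constant-time compare."""
    expected = association_data(cert, record.selector, record.matching_type)
    return hmac.compare_digest(expected, record.data)


def dane_accepts(records, cert: Certificate) -> bool:
    """Accept the certificate if any DANE-EE (usage 3) record matches it.
    Usages 0-2 additionally require PKIX chain validation, not modelled here.
    """
    return any(r.usage == 3 and tlsa_matches(r, cert) for r in records)


# Constructed sample data: the genuine server key, a renewal of the same key
# under a new certificate, and a fraudulent certificate issued by some other CA
# for the same domain name but (necessarily) carrying a different key.
GENUINE_CERT = Certificate(der=b"DER:example.org:serial=1", spki=b"SPKI:genuine-key")
RENEWED_CERT = Certificate(der=b"DER:example.org:serial=2", spki=b"SPKI:genuine-key")
FRAUDULENT_CERT = Certificate(der=b"DER:example.org:rogue-ca", spki=b"SPKI:attacker-key")

# What the domain owner would publish at _443._tcp.example.org.
PUBLISHED_RECORDS = [make_tlsa(GENUINE_CERT)]

if __name__ == "__main__":
    print("published:", tlsa_rdata(PUBLISHED_RECORDS[0]))
    for name, cert in [("genuine", GENUINE_CERT), ("renewed", RENEWED_CERT),
                       ("fraudulent", FRAUDULENT_CERT)]:
        print(f"{name:10s} accepted: {dane_accepts(PUBLISHED_RECORDS, cert)}")
```

Two design points are visible in the sample run: the fraudulent certificate is rejected even though, in the Comodo case, a browser trusting the issuing CA would have accepted it; and pinning the SubjectPublicKeyInfo (selector 1) rather than the whole certificate (selector 0) lets the site renew its certificate without republishing the record, as long as the key is kept.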
This article originally appeared at scmagazineus.com