Browse archive

Latest news

Fighting cybercrime is on the right track

Google set to upgrade its SSL certs

IT security pros have trouble communicating with executives

Zeus variants are back with a vengeance

Facebook phishers target Fan Pages owners

Killer apps: The performance of networked applications

Is it time to professionalize information security?

Google researcher reveals another Windows 0-day

Twitter finally offers 2-factor authentication

DHS employees' info possibly compromised due to system flaw

Teens are into online sharing, but are also more privacy-aware

The dangers of downloading software from unofficial sites

Microsoft decrypts Skype comms to detect malicious links

Review: Logging and Log Management

Hacking charge stations for electric cars

Rogue SSL certificates issued for Google, Yahoo, Skype

Posted on 23 March 2011.

A Comodo affiliate Registration Authority (RA) has been compromised and the incident resulted in the issue of nine rogue SSL certificates for seven popular domains, reported Comodo today.

The incident happened on March 15th, when unknown attackers managed to get access to one of the user accounts for the RA. They managed to issue certificates for:

mail.google.com
www.google.com
login.yahoo.com
login.skype.com
addons.mozilla.org
login.live.com
global trustee

"One user account in one RA was compromised. The attacker created himself a new userID (with a new username and password) on the compromised user account," explains Comodo in a incident report issued today.

"The attack came from several IP addresses, but mainly from Iran. The attacker was well prepared and knew in advance what he was to try to achieve. He seemed to have a list of targets that he knew he wanted to obtain certificates for, was able quickly to generate the CSRs for these certificates and submit the orders to our system so that the certificates would be produced and made available to him."

So far, Comodo are aware of him receiving only one certificate, but all were revoked immediately. "Our systems indicate that when this one certificate was first tested it received a ‘revoked’ response from our OCSP responders. The site in Iran on which the certificate was tested quickly became unavailable," it says.

Kudos to Comodo for the efforts made for responsible disclosure. Immediately after the breach was spotted, they contacted principal browsers and domain owners and appraised them of the situation.

Google and Mozilla have pushed out updates that revise certificate blacklists in their browsers only two days after the breach. Microsoft also issued an update for all supported versions of Windows to help address the issue.

Government authorities have also been notified and have mounted an investigation.

Comodo made sure to point out that its root keys, intermediate CAs or secure hardware were not compromised.

"It does not escape notice that the domains targeted would be of greatest use to a government attempting surveillance of Internet use by dissident groups," says Comodo in the blog post. "The attack comes at a time when many countries in North Africa and the Gulf region are facing popular protests and many commentators have identified the Internet and in particular social networking sites as a major organizing tool for the protests."

It allows the possibility that the two detected IP addresses assigned to Iranian ISPs may be a way for the attacker to lay a false trail, but since the perpetrator has focused on the communication infrastructure and can only make use of the certificates if it has control of the DNS infrastructure, Comodo's researchers say that this was likely a state-driven attack.

Given the nature of the domains for which the attacker requested the certificates, it does seem like this was a state-orchestrated scheme to harvest usernames and passwords for a future surveillance of email and Skype communication.