Comodo Warns of Serious SSL Cert Breach

Kim Zetter at Wired is reporting that the fundamental integrity of the internet is once again in question.  A hacker last week obtained legitimate web certificates that would have allowed him to impersonate some of the top sites on the internet, including the login pages used by Google, Microsoft and Yahoo e-mail customers.   The attack was traced to an IP address in Iran.  After compromising a partner account at certificate authority Comodo Group, the attacker used it to request eight SSL certificates for six domains.  The attacker created a ninth certificate for a domain of his own under the name “Global Trustee”.

The certificates would have allowed the attacker to craft fake pages that would have been accepted by browsers as the legitimate websites.  The certificates would have been most useful as part of an attack that redirected traffic intended for Skype, Google and Yahoo to a machine under the attacker’s control.  Such an attack can range from small-scale Wi-Fi spoofing at a coffee shop all the way to global BGP hijacking of internet routes.

This has all of the hallmarks of a state sponsored intrusion, although the actual state that was involved is not known at this time.  Of course Iran is the prime suspect.  Comodo came clean about the breach after security researcher Jacob Appelbaum noticed updates to Chrome and Firefox regarding certificates, and began poking around.  Mozilla persuaded Appelbaum to do the RESPONSIBLE THING, and withhold public disclosure of the information until the situation with the certificates could be resolved.  Good on you, Mister Appelbaum.  Respect.

Read the Wired article to get the details.
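As an added illustration (not code from the Wired article or from this post), the Go program below builds two trusted roots and lets the second one mis-issue a certificate for a constructed hostname: stock chain validation accepts it, because nothing in the chain is malformed, while an expected-issuer pin and the kind of serial-number blocklist the browser updates carried both reject it. The CA names and the host are made up.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// makeCert issues a certificate named cn, signed by parent (a self-signed root when parent is nil).
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if !isCA { // server certificate: bound to one name and limited to TLS server use
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil { // root: sign the template with its own key
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
type Verdict struct{ ChainOK, IssuerPinned, Blocklisted bool } // ChainOK is what a stock browser decides
// Check runs ordinary chain validation for host, then an expected-issuer pin and a serial-number blocklist.
func Check(leaf *x509.Certificate, roots *x509.CertPool, host, pinnedIssuer string, blocklist map[string]bool) Verdict {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return Verdict{err == nil, leaf.Issuer.CommonName == pinnedIssuer, blocklist[leaf.SerialNumber.String()]}
}
// Scenario recreates the incident in miniature: two trusted roots, one of which mis-issues a cert for host.
func Scenario() (legit, rogue Verdict) {
	const host = "mail.example.test" // constructed stand-in for the real targets
	goodCA, goodKey := makeCert("Good CA", true, nil, nil)
	rogueCA, rogueKey := makeCert("Compromised CA", true, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(goodCA)
	roots.AddCert(rogueCA)
	legitCert, _ := makeCert(host, false, goodCA, goodKey)
	rogueCert, _ := makeCert(host, false, rogueCA, rogueKey)
	blocklist := map[string]bool{rogueCert.SerialNumber.String(): true} // what a browser update ships once the bad cert is known
	return Check(legitCert, roots, host, "Good CA", blocklist), Check(rogueCert, roots, host, "Good CA", blocklist)
}
func main() {
	fmt.Println(Scenario()) // rogue cert: ChainOK true, IssuerPinned false, Blocklisted true
}
```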


2 thoughts on “Comodo Warns of Serious SSL Cert Breach”

  1. Withholding the information was NOT the responsible thing in this case. There was no way for any outside party to exploit a security flaw in this case (you need the actual certificate, not just the certificate ID to do any damage) and warning consumers of the fake certificates could potentially have prevented users from unknowingly leaking information to the attacker.

  2. Thanks for your comment. Sometimes it’s not the obvious and immediate damage that you need to protect against.

    By not plastering the incident details all over media sites and mailing lists, and offering a “how-to” manual for Comodo CA compromise, the vendor was able to take action to revoke the certs, clean up their compromised accounts, and hopefully, improve their security posture.

    If Mister Appelbaum had followed “full disclosure” irresponsibly, who knows how many copy-cats would have been pumping out valid certificates, and for how long?

    An important part of any Incident Response effort is information and communication control.
    Here’s an article that describes the architectural issues around SSL/TLS related to this incident.
