Kim Zetter at Wired is reporting that the fundamental integrity of the internet is once again in question. A hacker last week obtained legitimate web certificates that would have allowed him to impersonate some of the top sites on the internet, including the login pages used by Google, Microsoft and Yahoo e-mail customers. The attack was traced to an IP address in Iran. After compromising a partner account at certificate authority Comodo Group, the attacker used it to request eight SSL certificates for six domains. The attacker created a ninth certificate for a domain of his own under the name “Global Trustee”.
The certificates would have allowed the attacker to craft fake pages that browsers would have accepted as the legitimate websites. They would have been most useful as part of an attack that redirected traffic intended for Skype, Google and Yahoo to a machine under the attacker’s control; such redirection can range from small-scale Wi-Fi spoofing at a coffee shop all the way to global BGP hijacking of internet routes.
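As an added example (not code from the Wired report or from Comodo), here is the check a client can apply to defeat exactly this kind of fraudulently issued certificate: a public-key pin. A leaf certificate that chains to a trusted CA but carries a key other than the one pinned for the host is rejected. The hostname and the self-signed certificates are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"math/big"
	"time"
)

// PinStore maps a hostname to the SHA-256 fingerprints of the public keys a
// client accepts for it. Assumption: pins are provisioned out of band.
type PinStore map[string][]string

// KeyFingerprint hashes the SubjectPublicKeyInfo, so a pin survives renewal.
func KeyFingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// CheckPin accepts a leaf only if its key is pinned for host. A certificate
// that chains to a trusted CA but carries an attacker's key fails here.
func CheckPin(pins PinStore, host string, leaf *x509.Certificate) bool {
	fp := KeyFingerprint(leaf)
	for _, p := range pins[host] {
		if p == fp {
			return true
		}
	}
	return false
}

// selfSigned builds a throwaway certificate (constructed input for the demo);
// in real use the leaf is tls.ConnectionState.PeerCertificates[0].
func selfSigned(host string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```

Two certificates for the same name but different keys, like the genuine one and a mis-issued one, produce different fingerprints, so only the pinned key passes.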
This has all of the hallmarks of a state-sponsored intrusion, although the actual state that was involved is not known at this time. Of course, Iran is the prime suspect. Comodo came clean about the breach after security researcher Jacob Appelbaum noticed updates to Chrome and Firefox regarding certificates, and began poking around. Mozilla persuaded Appelbaum to do the RESPONSIBLE THING, and withhold public disclosure of the information until the situation with the certificates could be resolved. Good on you, Mister Appelbaum. Respect.
Read the Wired article to get the details.