
Comodo Issued 9 Fraudulent Certificates


8 replies to this topic

#1 Andrew

Andrew

    Bleepin' Night Watchman


  • Moderator
  • 8,259 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Right behind you
  • Local time:09:22 PM

Posted 24 March 2011 - 05:45 AM

Microsoft released a Security Advisory today which states that Comodo accidentally issued nine certificates to an unknown party or parties for domains belonging to Google, Yahoo, Mozilla, Microsoft and Skype.

The domains in question are:

login.live.com
mail.google.com
www.google.com
login.yahoo.com (3 certificates)
login.skype.com
addons.mozilla.org

Additionally, a certificate was issued for "Global Trustee" but the significance of this is not known.

Certificates like the ones Comodo issued are used in many areas of modern computing to verify the identity of the person or company they were issued to. Each certificate consists of two parts: a public certificate and a private key. Public certificates list vital information about the owner: their name, organization, public encryption key, URLs for which the certificate is valid, etc. This certificate is then digitally signed by the issuer with their private key, which ensures that the certificate cannot be altered and that it came from a trusted certificate issuing authority. The private key half of the certificate is kept a closely guarded secret by the owner of the certificate.

In this way it is possible both to verify the source of a file or a website and to securely encrypt data in such a way that only the owner of the certificate can decrypt it. This forms the basis of SSL/TLS, which is used to secure online data. It is used by online merchants to safely collect customer payment information and by websites such as Facebook, Yahoo, and Google to secure the transmission of passwords when users sign in to their services.

You probably have seen something like this in your web browser before, that's what an SSL secured website would look like:

[Image: what an SSL-secured website looks like in a web browser]


With the issuance of fraudulent certificates, criminals can impersonate trusted web sites to collect sensitive information or to induce users into installing malicious software. Most of the nine bad certificates are for e-mail services, and the only known use of these certificates was one for login.yahoo.com, which is used to sign in to Yahoo.


Further reading:
http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html
https://www.microsoft.com/technet/security/advisory/2524375.mspx (how apropos, an SSL secured page)
http://nakedsecurity.sophos.com/2011/03/24/fraudulent-certificates-issued-by-comodo-is-it-time-to-rethink-who-we-trust/
http://www.f-secure.com/weblog/archives/00002128.html

General information on Certificate Authorities:
https://secure.wikimedia.org/wikipedia/en/wiki/Certificate_authority


#2 Union_Thug

Union_Thug

    Bleeps with the fishes...


  • Members
  • 2,355 posts
  • OFFLINE
  • Gender:Male
  • Location:is everything
  • Local time:12:22 AM

Posted 24 March 2011 - 07:00 AM

I was just going to post this. Thanks Andrew.:) http://blogs.technet.com/b/msrc/archive/2011/03/23/microsoft-releases-security-advisory-2524375.aspx

...neither Internet Explorer 8 nor Firefox have certificate revocation options set to safe defaults. Internet Explorer 8 has server certificate revocation checking off by default and Firefox only has Online Certificate Status Protocol (OCSP) revocation enabled.

In your opinion does Firefox offer sufficient protection (not just in this case) using only OCSP?


#3 Andrew

Andrew

    Bleepin' Night Watchman

  • Topic Starter

  • Moderator
  • 8,259 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Right behind you
  • Local time:09:22 PM

Posted 24 March 2011 - 12:21 PM

In your opinion does Firefox offer sufficient protection (not just in this case) using only OCSP?

I think so. While OCSP doesn't retrieve as much as CRLs and a certificate isn't checked until it's encountered, once a certificate is revoked Firefox will still detect it and warn the user.

#4 Layback Bear

Layback Bear

  • Members
  • 1,880 posts
  • OFFLINE
  • Gender:Male
  • Location:Northern Ohio
  • Local time:11:22 PM

Posted 24 March 2011 - 12:43 PM

Thanks for the information.

#5 Union_Thug

Union_Thug

    Bleeps with the fishes...


  • Members
  • 2,355 posts
  • OFFLINE
  • Gender:Male
  • Location:is everything
  • Local time:12:22 AM

Posted 24 March 2011 - 12:58 PM

Thanks again, Andrew.:)

#6 Union_Thug

Union_Thug

    Bleeps with the fishes...


  • Members
  • 2,355 posts
  • OFFLINE
  • Gender:Male
  • Location:is everything
  • Local time:12:22 AM

Posted 24 March 2011 - 08:49 PM

Update to 3.6.16, 3.5.18, SeaMonkey 2.0.13 adds these fraudulent certs to the blacklist:

http://www.mozilla.org/security/announce/2011/mfsa2011-11.html

Title: Update to HTTPS certificate blacklist
Impact: High
Announced: March 22, 2011
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 3.6.16
Firefox 3.5.18
SeaMonkey 2.0.13

Description
Several invalid HTTPS certificates were placed on the certificate blacklist to prevent their misuse.
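
The certificate mechanics described in post #1, the revocation checks discussed in posts #2 and #3, and the blacklist from the Mozilla advisory above, as an added example written in Go with only the standard library; this is not code from the thread, from Mozilla, Microsoft or Comodo. It constructs a throwaway root CA that stands in for a browser-trusted CA, issues a certificate for the made-up host login.example.com (in place of the real domains listed above), shows that the ordinary chain check accepts it, and then has the CA publish a signed certificate revocation list (CRL) that a client checks before trusting the certificate. The mfsa2011-11 update has the same effect with a list of known-bad certificates shipped inside the browser, so no network lookup is needed at connection time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error; it keeps the demo fixture short and is not library style.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl with the signer's private key, the "digitally signed by the issuer"
// step from post #1. Passing tmpl as its own parent yields a self-signed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// BuildDemoPKI constructs a throwaway root CA (standing in for a browser-trusted CA such
// as Comodo) and one server certificate it issued for host. Nothing here is real.
func BuildDemoPKI(host string) (ca *x509.Certificate, caKey *ecdsa.PrivateKey, leaf *x509.Certificate) {
	caKey = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // the site's secret half; never leaves the site
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Demo Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	// The public certificate carries the owner's name, public key and the host names it covers.
	leaf = issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, &leafKey.PublicKey, caKey)
	return ca, caKey, leaf
}

// ChainValid runs the checks a browser makes on every HTTPS connection: the signature chains to
// a trusted root, the name matches, the dates are in range. A mis-issued certificate passes all three.
func ChainValid(leaf, root *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// IssueCRL has the CA sign a revocation list naming the given serial numbers.
func IssueCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serials ...*big.Int) ([]byte, error) {
	now := time.Now()
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
}

// RevokedByCRL is the CRL-style check discussed in posts #2 and #3: verify the list's signature
// against the CA (an unsigned or tampered list proves nothing), then look up the leaf's serial.
func RevokedByCRL(leaf *x509.Certificate, crlDER []byte, ca *x509.Certificate) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(ca)
	}
	if err != nil {
		return false, err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	ca, caKey, leaf := BuildDemoPKI("login.example.com")
	crl := must(IssueCRL(ca, caKey, leaf.SerialNumber))
	fmt.Println("chain valid:", ChainValid(leaf, ca, "login.example.com") == nil,
		"| revoked per CRL:", must(RevokedByCRL(leaf, crl, ca)))
}
```

Running it prints that the chain is valid and the certificate is revoked. The first value is the point of the thread: by signature, name and validity dates alone, a certificate a CA was tricked into issuing is indistinguishable from a legitimate one, so only revocation data (a CRL, an OCSP response, or a vendor-shipped blacklist like the one in the advisory above) can catch it, and a client that never fetches that data never finds out.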



#7 Nawtheasta

Nawtheasta

  • Members
  • 403 posts
  • OFFLINE
  • Location:New England, USA
  • Local time:12:22 AM

Posted 28 March 2011 - 12:34 PM

Anyone know what Comodo is saying about this?
If I am reading the above posts correctly, the latest Firefox update has dealt with this?
Regards
Nawtheasta
Edit: Sorry I posted this before reading the link. Apparently Comodo is attributing this to the Government of Iran. :blink:

Edited by Nawtheasta, 28 March 2011 - 12:38 PM.


#8 Andrew

Andrew

    Bleepin' Night Watchman

  • Topic Starter

  • Moderator
  • 8,259 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Right behind you
  • Local time:09:22 PM

Posted 28 March 2011 - 01:09 PM

Comodo says it was the Iranian government. However an Iranian hacker has claimed responsibility and if his account of things is true then Comodo was asking for this to happen.

#9 Nawtheasta

Nawtheasta

  • Members
  • 403 posts
  • OFFLINE
  • Location:New England, USA
  • Local time:12:22 AM

Posted 28 March 2011 - 02:29 PM

Regarding Comodo. I've always heard good things about their products.
Engineering arrogance is always a problem no matter what the field.
Space shuttles blow up, bridges fall down, etc. Hopefully Comodo will learn from this. The bad guys always look for a weakness.
Regarding Gov. action or hacker.
All governments will deny such action. Unless there is a declared war or an acknowledged military action, it should be considered state sponsored cyber terrorism.
I seem to remember reading that al-Qaeda leaning web sites mysteriously come down around Sept. 11 each year. :whistle:
Regards
Nawtheasta



