Microsoft released a Security Advisory today which states that Comodo accidentally issued nine certificates to an unknown party or parties for domains belonging to Google, Yahoo, Mozilla, Microsoft and Skype.
The domains in question are:
login.yahoo.com (3 certificates)
Additionally, a certificate was issued for "Global Trustee", but the significance of this is not known.
Certificates like the ones Comodo issued are used in many areas of modern computing to verify the identity of the person, company or server they were issued to. Two pieces belong together: the certificate, which is public, and a private key, which is not. The certificate lists vital information about its owner: their name, organization, public key, the host names for which the certificate is valid, and so on. The certificate is then digitally signed by the issuer with the issuer's own private key; that signature lets anyone detect if the certificate has been altered and shows that it came from a certificate authority the client already trusts. The matching private key is kept a closely guarded secret by the owner of the certificate, because anyone who holds it can prove to be that owner.
In this way it is possible both to verify the source of a file or a website and to encrypt data so that only the holder of the private key can decrypt it. This forms the basis of SSL/TLS, which is used to secure data in transit online: online merchants use it to collect customer payment information safely, and websites such as Facebook, Yahoo and Google use it to protect passwords when users sign in to their services.
You have probably seen something like this in your web browser before; this is what an SSL-secured website looks like:
With fraudulently issued certificates, criminals can impersonate trusted web sites to collect sensitive information or to induce users into installing malicious software. The certificate alone is not enough, though: to present it to a victim, the attacker must also be able to intercept or redirect the victim's traffic to the real site, for example by tampering with DNS or by controlling a network the victim uses. Most of the nine bad certificates are for e-mail and sign-in services, and the only known use of these certificates was one for login.yahoo.com, which is used to sign in to Yahoo.
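To make the mechanism described in the two paragraphs on certificates above, and the consequence described in this one, concrete, here is an added example written for this post (it is not code from the original article, from Microsoft or from Comodo) using only Go's standard crypto/x509 package. It builds a hypothetical root CA, has that CA issue a certificate for login.yahoo.com to a requester who does not control that name, and shows that a client trusting the root accepts the certificate until its fingerprint is put on a blocklist, which is the same approach as vendor updates that distrust the specific bad certificates. The CA names, serial numbers and the mail.example.com host are invented for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// sign has priv (the issuer's private key) sign tmpl for pub and parses the result.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newCA makes a hypothetical root CA; whoever holds its private key can mint certs.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// issue has the CA sign a server cert for host. Only the requester's public key goes
// in; the private key stays with the requester, who the CA should first prove owns host.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // host names (not URLs) the cert is valid for
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	cert, err := sign(tmpl, ca, &key.PublicKey, caKey)
	return cert, key, err
}

// fingerprint is the SHA-256 of the DER encoding, how a blocklist names one cert.
func fingerprint(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(c.Raw))
}

// verify does what a browser does on connect: follow the issuer signature back to a
// root in the trust store, check validity dates and confirm the cert names host. It
// also consults a fingerprint blocklist, the mechanism vendors used to ship the fix.
func verify(leaf *x509.Certificate, roots *x509.CertPool, host string, blocked map[string]bool) error {
	if blocked[fingerprint(leaf)] {
		return errors.New("certificate is on the blocklist")
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}) // nil: accepted
	return err
}

func main() {
	// Constructed scenario: one root the browser trusts and one it does not.
	trustedCA, trustedKey, _ := newCA("Example Trusted Root CA")
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	// The mis-issuance: the trusted CA signs a login.yahoo.com cert for someone who
	// does not control that host; they now hold a key pair every browser will accept.
	bogus, _, _ := issue(trustedCA, trustedKey, "login.yahoo.com", 1001)
	fmt.Println("mis-issued cert, no blocklist:", verify(bogus, roots, "login.yahoo.com", nil))
	// The same name signed by a CA outside the trust store is rejected.
	rogueCA, rogueKey, _ := newCA("Rogue CA")
	rogue, _, _ := issue(rogueCA, rogueKey, "login.yahoo.com", 1)
	fmt.Println("cert from untrusted CA:", verify(rogue, roots, "login.yahoo.com", nil))
	// A genuine certificate for some other name does not help an impersonator.
	fmt.Println("wrong host name:", verify(bogus, roots, "mail.example.com", nil))
	// The vendor fix: distribute the fingerprints of the bad certificates.
	blocked := map[string]bool{fingerprint(bogus): true}
	fmt.Println("mis-issued cert, blocklisted:", verify(bogus, roots, "login.yahoo.com", blocked))
}
```

The point the run makes is that nothing in the verification step can tell a mis-issued certificate from a legitimate one: the signature is genuine, the dates are valid and the name matches. The only defences are the CA's own checks before signing, which are what failed here, and, after the fact, distrusting the specific certificates (or the CA) on the client side.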
[image: (how apropos, an SSL secured page)]

Further coverage:
http://nakedsecurity.sophos.com/2011/03/24/fraudulent-certificates-issued-by-comodo-is-it-time-to-rethink-who-we-trust/
http://www.f-secure.com/weblog/archives/00002128.html
General information on Certificate Authorities: https://secure.wikimedia.org/wikipedia/en/wiki/Certificate_authority