Flawed Website Certificate Validation Process Led To Comodo Hack
Certificate authority points to Iran as likely attacker, while security experts say certificate registration and validation process needs repair
Comodo's revelation yesterday that nine SSL certificates had been issued for fraudulent websites posing as domains for high-profile sites serves as a wake-up call for a certificate process that security researchers long have warned is riddled with holes.
The certificate authority (CA) reported that the certificates were issued for mail.google.com, www.google.com, login.skype.com, addons.mozilla.org, login.live.com, and global trustee, and three different ones for login.yahoo.com. Only one of the login.yahoo.com certificates was spotted as up and running on the Internet.
More Security Insights
White PapersMore >>
It basically lets attackers impersonate Google, Yahoo, Skype, Microsoft, and Mozilla websites or to wage man-in-the-middle attacks to snoop on communications going through those sites, whether it's a Skype call or an instant messaging session. The Mozilla certificate could let them establish a phony Firefox update that downloads malicious code to Firefox browsers fooled by its "certified" domain.
It all started with the hack of a European reseller of Comodo certificates, also known as a reseller authority (RA), which validates and issues SSL certificate requests. The attackers used stolen credentials from the RA in order to issue the rogue certificates. The phony certificates were revoked by Comodo once they were discovered. Comodo says there has been no sign of them being used since then, and that its own root keys, intermediate CAs, and hardware were not compromised. Browsers with the Online Certificate Status Protocol (OCSP) feature will automatically validate and block any of these certificates.
But security experts say revocation isn't a sure thing: The rogue certificates could still be in use, possibly in more stealthy, one-off attack scenarios. "The scary thing is that it's hard to detect if they are still out there. The attackers wouldn't leave [a certificate] sitting on the Net so that anyone could locate it: They would use it in very targeted, specific attacks against one user or a subset of users," says Mike Zusman, managing principal consultant with The Intrepidus Group, who demonstrated similar attacks nearly two years ago at DefCon.
"In my opinion, once you have one of these certs, it's easy to keep it to yourself and limit its exposure," Zusman says.
Comodo says the attack appears to be nation-state sponsored, most likely out of Iran since the IP addresses involved in the attack were mostly from that country. That has led to the theory that Iran was using the phony certificates to spy on its citizens via Google mail, Yahoo mail, Skype, and Microsoft's Windows Live.
But the attackers also could have originated from elsewhere, using Iran as a cover, experts say. Robert Graham, CEO of Errata Security, argues that an IP address location doesn't mean much these days as a geographic clue. "It's trivially easy to find an open proxy and bounce your attack through it, proxy through an infected botnet, bounce through a Tor exit node, or use some other anonymization service," Graham said in a blog post.
It also just as well could have been either an attacker looking for a way to easily steal passwords via WiFi at airports and coffee shops, for instance, or for extending penetration into an organization, either via Chinese hackers or firms that perform pen tests for federal agencies, Graham noted. "During a pen-test, we almost always pop up a DNS server or network equipment that would allow us to man-in-the-middle such sessions. Forged certificates would be an excellent way to extend those attacks."
Even Comodo admits IP spoofing could be masking the real perpetrators. "While the involvement of two IP addresses assigned to Iranian ISPs is suggestive of an origin, this may be the result of an attacker attempting to lay a false trail," blogged Phillip Hallam-Baker, vice president and principal scientist at Comodo.
Meanwhile, the attack has put the certificate authority registration process under scrutiny once again. "This is obviously a very serious case," says Mikko Hypponen, chief research officer at F-Secure. "This was obviously planned beforehand, and they were trying to so do something ... whether they were successful, we do not know," he says. "I would love to see it as a wake-up call for CAs to shore up their systems, and for Web browser vendors to carefully look at what kind of CA providers they have [as trusted]."
Iran doesn't have a CA of its own, Hypponen notes, so if indeed it was behind issuing the phony certificates, this would have been the way for Iran to obtain them.
Comodo's model of leaving resellers free to issue certificates on their own without Comodo's validation left the door open for such abuse, security experts say.
"I'm not really surprised it happened looking at how Comodo's infrastructure was working and how they basically gave resellers of their certificates a free hand," Hypponen says. With no check-points in place to flag a Google website certificate being issued, for example, the bad guys had free reign here, he says.
At the end of the day, a CA is only as secure as its weakest link, Intrepidus Group's Zusman says. Not even the Extended Validation SSL (EV SSL) certificate could prevent this type of attack given the chain of trust it uses, he says. "If you do all of the domain validation you want or EV SSL, if the systems aren't patched or their Web apps have vulnerabilities, there are ways to circumvent the validation process," he says. "Owning a CA is a lucrative target."
The worst-case scenario, according to Zusman, is that there are other rogue SSL certificates out there in use and in attacks that haven't been detected. "We really don't know," he says.
In 2009 Zusman was able to hack Comodo's EV SSL validation process when a reseller had turned off the validation step, and Zusman was able to score a "mozilla.com" SSL certificate. At DefCon later that year, he demonstrated how he was able to obtain SSL certs from multiple CAs, including StartCom, THWATE, and LoginLive.com
Meanwhile, Microsoft yesterday issued a security advisory on the Comodo hack and pushed out a Windows update that addresses the revoked certificates.
Users can protect themselves from falling victim to such spoofed website attacks by enabling CRL/OCSP in the browser, according to Sophos.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.