Attacks/Breaches
3/24/2011
03:39 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Flawed Website Certificate Validation Process Led To Comodo Hack

Certificate authority points to Iran as likely attacker, while security experts say certificate registration and validation process needs repair

Comodo's revelation yesterday that nine SSL certificates had been issued for fraudulent websites posing as domains for high-profile sites serves as a wake-up call for a certificate process that security researchers long have warned is riddled with holes.

The certificate authority (CA) reported that the certificates were issued for mail.google.com, www.google.com, login.skype.com, addons.mozilla.org, login.live.com, and global trustee, and three different ones for login.yahoo.com. Only one of the login.yahoo.com certificates was spotted as up and running on the Internet.

It basically lets attackers impersonate Google, Yahoo, Skype, Microsoft, and Mozilla websites or to wage man-in-the-middle attacks to snoop on communications going through those sites, whether it's a Skype call or an instant messaging session. The Mozilla certificate could let them establish a phony Firefox update that downloads malicious code to Firefox browsers fooled by its "certified" domain.

It all started with the hack of a European reseller of Comodo certificates, also known as a reseller authority (RA), which validates and issues SSL certificate requests. The attackers used stolen credentials from the RA in order to issue the rogue certificates. The phony certificates were revoked by Comodo once they were discovered. Comodo says there has been no sign of them being used since then, and that its own root keys, intermediate CAs, and hardware were not compromised. Browsers with the Online Certificate Status Protocol (OCSP) feature will automatically validate and block any of these certificates.

But security experts say revocation isn't a sure thing: The rogue certificates could still be in use, possibly in more stealthy, one-off attack scenarios. "The scary thing is that it's hard to detect if they are still out there. The attackers wouldn't leave [a certificate] sitting on the Net so that anyone could locate it: They would use it in very targeted, specific attacks against one user or a subset of users," says Mike Zusman, managing principal consultant with The Intrepidus Group, who demonstrated similar attacks nearly two years ago at DefCon.

"In my opinion, once you have one of these certs, it's easy to keep it to yourself and limit its exposure," Zusman says.

Comodo says the attack appears to be nation-state sponsored, most likely out of Iran since the IP addresses involved in the attack were mostly from that country. That has led to the theory that Iran was using the phony certificates to spy on its citizens via Google mail, Yahoo mail, Skype, and Microsoft's Windows Live.

But the attackers also could have originated from elsewhere, using Iran as a cover, experts say. Robert Graham, CEO of Errata Security, argues that an IP address location doesn't mean much these days as a geographic clue. "It's trivially easy to find an open proxy and bounce your attack through it, proxy through an infected botnet, bounce through a Tor exit node, or use some other anonymization service," Graham said in a blog post.

It also just as well could have been either an attacker looking for a way to easily steal passwords via WiFi at airports and coffee shops, for instance, or for extending penetration into an organization, either via Chinese hackers or firms that perform pen tests for federal agencies, Graham noted. "During a pen-test, we almost always pop up a DNS server or network equipment that would allow us to man-in-the-middle such sessions. Forged certificates would be an excellent way to extend those attacks."

Even Comodo admits IP spoofing could be masking the real perpetrators. "While the involvement of two IP addresses assigned to Iranian ISPs is suggestive of an origin, this may be the result of an attacker attempting to lay a false trail," blogged Phillip Hallam-Baker, vice president and principal scientist at Comodo.

Meanwhile, the attack has put the certificate authority registration process under scrutiny once again. "This is obviously a very serious case," says Mikko Hypponen, chief research officer at F-Secure. "This was obviously planned beforehand, and they were trying to so do something ... whether they were successful, we do not know," he says. "I would love to see it as a wake-up call for CAs to shore up their systems, and for Web browser vendors to carefully look at what kind of CA providers they have [as trusted]."

Iran doesn't have a CA of its own, Hypponen notes, so if indeed it was behind issuing the phony certificates, this would have been the way for Iran to obtain them.

Comodo's model of leaving resellers free to issue certificates on their own without Comodo's validation left the door open for such abuse, security experts say.

"I'm not really surprised it happened looking at how Comodo's infrastructure was working and how they basically gave resellers of their certificates a free hand," Hypponen says. With no check-points in place to flag a Google website certificate being issued, for example, the bad guys had free reign here, he says.

At the end of the day, a CA is only as secure as its weakest link, Intrepidus Group's Zusman says. Not even the Extended Validation SSL (EV SSL) certificate could prevent this type of attack given the chain of trust it uses, he says. "If you do all of the domain validation you want or EV SSL, if the systems aren't patched or their Web apps have vulnerabilities, there are ways to circumvent the validation process," he says. "Owning a CA is a lucrative target."

The worst-case scenario, according to Zusman, is that there are other rogue SSL certificates out there in use and in attacks that haven't been detected. "We really don't know," he says.

In 2009 Zusman was able to hack Comodo's EV SSL validation process when a reseller had turned off the validation step, and Zusman was able to score a "mozilla.com" SSL certificate. At DefCon later that year, he demonstrated how he was able to obtain SSL certs from multiple CAs, including StartCom, THWATE, and LoginLive.com

Meanwhile, Microsoft yesterday issued a security advisory on the Comodo hack and pushed out a Windows update that addresses the revoked certificates.

Users can protect themselves from falling victim to such spoofed website attacks by enabling CRL/OCSP in the browser, according to Sophos.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6117
Published: 2014-07-11
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

CVE-2014-0174
Published: 2014-07-11
Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

CVE-2014-3485
Published: 2014-07-11
The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterprise Virtualization (rhevm) 3.4, allows remote authenticated users to read arbitrary files and have other unspecified impact via unknown vectors, related to an XML External Entity (XXE) issue.

CVE-2014-3499
Published: 2014-07-11
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.

CVE-2014-3503
Published: 2014-07-11
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.