Vulnerabilities / Threats
3/24/2011
12:47 PM
Connect Directly
RSS
E-Mail
50%
50%

Iran Fingered For Fraudulent Comodo SSL Certificates

Gmail, Hotmail, and Skype are among the domains affected by fraudulently obtained digital certificates, said Comodo.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
On Wednesday, digital certificate issuer Comodo released a security warning that its European affiliate had issued nine fraudulent SSL certificates. The certificates -- used by Web sites to confirm the identity of end users -- were issued without sufficient identity validation, and were apparently obtained by the government of Iran.

All certificates have been revoked by Comodo. They involve seven domains: Firefox extensions (addons.mozilla.org), Global Trustee, Gmail (mail.google.com), Google (www.google.com), Skype (login.skype.com), Windows Live including Hotmail (login.live.com), and Yahoo (login.yahoo.com -- 3 certificates).

Microsoft on Thursday said that as a result of the fraudulent SSL certificates, it had updated Windows to prevent them from being used. In addition, it said, "browsers which have enabled the Online Certificate Status Protocol (OCSP) will interactively validate these certificates and block them from being used."

What's the threat posed by real security certificates being issued to the wrong party? According to Microsoft, "these certificates may be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users including users of Internet Explorer."

Or to gather intelligence. "If you are a government and able to control Internet routing within your country, you can reroute all, say, Skype users to [a] fake https://login.skype.com and collect their usernames and passwords, regardless of the SSL encryption seemingly in place," said Mikko Hypponen, chief research officer at F-Secure, in a blog post."Or you can read their email when they go to Yahoo, Gmail, or Hotmail. Even most geeks wouldn't notice this was going on."

Who would try to obtain fraudulent certificates? Comodo says that circumstantial evidence points to a state-backed operation run by Iran, due to the speed and accuracy of the operation, as well as the focus. "The perpetrator has focused simply on the communication infrastructure -- not the financial infrastructure as a typical cyber-criminal might," according to Comodo's incident report.

More clues: The one attack seen so far that used the fraudulent certificates targeted an ISP in Iran. Furthermore, looking at all of the issued certificates, "the domains targeted would be of greatest use to a government attempting surveillance of Internet use by dissident groups," said Comodo's Phillip Hallam-Baker in a blog post.

Then again, it could be a diversion. "While the involvement of two IP addresses assigned to Iranian ISPs is suggestive of an origin, this may be the result of an attacker attempting to lay a false trail," he said. But on the other hand, "the perpetrator can only make use of these certificates if it had control of the DNS infrastructure."

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-6651
Published: 2014-07-31
Multiple directory traversal vulnerabilities in the Vitamin plugin before 1.1.0 for WordPress allow remote attackers to access arbitrary files via a .. (dot dot) in the path parameter to (1) add_headers.php or (2) minify.php.

CVE-2014-2970
Published: 2014-07-31
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-5139. Reason: This candidate is a duplicate of CVE-2014-5139, and has also been used to refer to an unrelated topic that is currently outside the scope of CVE. This unrelated topic is a LibreSSL code change adding functionality ...

CVE-2014-3488
Published: 2014-07-31
The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.

CVE-2014-3554
Published: 2014-07-31
Buffer overflow in the ndp_msg_opt_dnssl_domain function in libndp allows remote routers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted DNS Search List (DNSSL) in an IPv6 router advertisement.

CVE-2014-5171
Published: 2014-07-31
SAP HANA Extend Application Services (XS) does not encrypt transmissions for applications that enable form based authentication using SSL, which allows remote attackers to obtain credentials and other sensitive information by sniffing the network.

Best of the Web
Dark Reading Radio