Vulnerabilities / Threats
3/24/2011
12:47 PM
50%
50%

Iran Fingered For Fraudulent Comodo SSL Certificates

Gmail, Hotmail, and Skype are among the domains affected by fraudulently obtained digital certificates, said Comodo.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
On Wednesday, digital certificate issuer Comodo released a security warning that its European affiliate had issued nine fraudulent SSL certificates. The certificates -- used by Web sites to confirm the identity of end users -- were issued without sufficient identity validation, and were apparently obtained by the government of Iran.

All certificates have been revoked by Comodo. They involve seven domains: Firefox extensions (addons.mozilla.org), Global Trustee, Gmail (mail.google.com), Google (www.google.com), Skype (login.skype.com), Windows Live including Hotmail (login.live.com), and Yahoo (login.yahoo.com -- 3 certificates).

Microsoft on Thursday said that as a result of the fraudulent SSL certificates, it had updated Windows to prevent them from being used. In addition, it said, "browsers which have enabled the Online Certificate Status Protocol (OCSP) will interactively validate these certificates and block them from being used."

What's the threat posed by real security certificates being issued to the wrong party? According to Microsoft, "these certificates may be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users including users of Internet Explorer."

Or to gather intelligence. "If you are a government and able to control Internet routing within your country, you can reroute all, say, Skype users to [a] fake https://login.skype.com and collect their usernames and passwords, regardless of the SSL encryption seemingly in place," said Mikko Hypponen, chief research officer at F-Secure, in a blog post."Or you can read their email when they go to Yahoo, Gmail, or Hotmail. Even most geeks wouldn't notice this was going on."

Who would try to obtain fraudulent certificates? Comodo says that circumstantial evidence points to a state-backed operation run by Iran, due to the speed and accuracy of the operation, as well as the focus. "The perpetrator has focused simply on the communication infrastructure -- not the financial infrastructure as a typical cyber-criminal might," according to Comodo's incident report.

More clues: The one attack seen so far that used the fraudulent certificates targeted an ISP in Iran. Furthermore, looking at all of the issued certificates, "the domains targeted would be of greatest use to a government attempting surveillance of Internet use by dissident groups," said Comodo's Phillip Hallam-Baker in a blog post.

Then again, it could be a diversion. "While the involvement of two IP addresses assigned to Iranian ISPs is suggestive of an origin, this may be the result of an attacker attempting to lay a false trail," he said. But on the other hand, "the perpetrator can only make use of these certificates if it had control of the DNS infrastructure."

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-0714
Published: 2015-05-02
Multiple cross-site scripting (XSS) vulnerabilities in Cisco Finesse Server 10.0(1), 10.5(1), 10.6(1), and 11.0(1) allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCut53595.

CVE-2014-3598
Published: 2015-05-01
The Jpeg2KImagePlugin plugin in Pillow before 2.5.3 allows remote attackers to cause a denial of service via a crafted image.

CVE-2014-8361
Published: 2015-05-01
The miniigd SOAP service in Realtek SDK allows remote attackers to execute arbitrary code via a crafted NewInternalClient request.

CVE-2015-0237
Published: 2015-05-01
Red Hat Enterprise Virtualization (RHEV) Manager before 3.5.1 ignores the permission to deny snapshot creation during live storage migration between domains, which allows remote authenticated users to cause a denial of service (prevent host start) by creating a long snapshot chain.

CVE-2015-0257
Published: 2015-05-01
Red Hat Enterprise Virtualization (RHEV) Manager before 3.5.1 uses weak permissions on the directories shared by the ovirt-engine-dwhd service and a plugin during service startup, which allows local users to obtain sensitive information by reading files in the directory.

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.