Vulnerabilities / Threats
3/24/2011
12:47 PM
Connect Directly
RSS
E-Mail
50%
50%

Iran Fingered For Fraudulent Comodo SSL Certificates

Gmail, Hotmail, and Skype are among the domains affected by fraudulently obtained digital certificates, said Comodo.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
On Wednesday, digital certificate issuer Comodo released a security warning that its European affiliate had issued nine fraudulent SSL certificates. The certificates -- used by Web sites to confirm the identity of end users -- were issued without sufficient identity validation, and were apparently obtained by the government of Iran.

All certificates have been revoked by Comodo. They involve seven domains: Firefox extensions (addons.mozilla.org), Global Trustee, Gmail (mail.google.com), Google (www.google.com), Skype (login.skype.com), Windows Live including Hotmail (login.live.com), and Yahoo (login.yahoo.com -- 3 certificates).

Microsoft on Thursday said that as a result of the fraudulent SSL certificates, it had updated Windows to prevent them from being used. In addition, it said, "browsers which have enabled the Online Certificate Status Protocol (OCSP) will interactively validate these certificates and block them from being used."

What's the threat posed by real security certificates being issued to the wrong party? According to Microsoft, "these certificates may be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users including users of Internet Explorer."

Or to gather intelligence. "If you are a government and able to control Internet routing within your country, you can reroute all, say, Skype users to [a] fake https://login.skype.com and collect their usernames and passwords, regardless of the SSL encryption seemingly in place," said Mikko Hypponen, chief research officer at F-Secure, in a blog post."Or you can read their email when they go to Yahoo, Gmail, or Hotmail. Even most geeks wouldn't notice this was going on."

Who would try to obtain fraudulent certificates? Comodo says that circumstantial evidence points to a state-backed operation run by Iran, due to the speed and accuracy of the operation, as well as the focus. "The perpetrator has focused simply on the communication infrastructure -- not the financial infrastructure as a typical cyber-criminal might," according to Comodo's incident report.

More clues: The one attack seen so far that used the fraudulent certificates targeted an ISP in Iran. Furthermore, looking at all of the issued certificates, "the domains targeted would be of greatest use to a government attempting surveillance of Internet use by dissident groups," said Comodo's Phillip Hallam-Baker in a blog post.

Then again, it could be a diversion. "While the involvement of two IP addresses assigned to Iranian ISPs is suggestive of an origin, this may be the result of an attacker attempting to lay a false trail," he said. But on the other hand, "the perpetrator can only make use of these certificates if it had control of the DNS infrastructure."

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1544
Published: 2014-07-23
Use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3.so in Mozilla Network Security Services (NSS) 3.x, as used in Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, allows remote attackers to execute arbitrary code via vectors that trigger cer...

CVE-2014-1547
Published: 2014-07-23
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1548
Published: 2014-07-23
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1549
Published: 2014-07-23
The mozilla::dom::AudioBufferSourceNodeEngine::CopyFromInputBuffer function in Mozilla Firefox before 31.0 and Thunderbird before 31.0 does not properly allocate Web Audio buffer memory, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and applica...

CVE-2014-1550
Published: 2014-07-23
Use-after-free vulnerability in the MediaInputPort class in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) by leveraging incorrect Web Audio control-message ordering.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.