It has been revealed that an affiliate of Comodo, a security company, was compromised, resulting in the fraudulent issuance of nine SSL certificates for existing domains including mail.google.com, www.google.com, login.yahoo.com and addons.mozilla.org. These certificates could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users.
Comodo is reporting that the compromise was detected within hours and the certificates revoked immediately. However, Microsoft, Google and Mozilla have also updated their web browsers to ensure that these fraudulent certificates are rejected.
Mozilla has updated Firefox 4.0, 3.6, and 3.5, while Microsoft has released updates for various platforms, as described in Microsoft Knowledge Base Article 2524375, and is supplying additional information in Microsoft Security Advisory 2524375. At the end of last week Google released Chrome 10.0.648.151, which “blacklists a small number of HTTPS certificates”, a change that is almost certainly connected to this incident.
It is worth noting that none of Comodo’s root keys, intermediate CAs or secure hardware were compromised and that Comodo quickly reported the incident to the owners of the domains affected as well as informing the major browser providers and the relevant government authorities.