December 4, 2016

Fraudulent SSL Certificates In Wild That Could Allow Spoofing

It has been revealed that an affiliate of Comodo, a security company, was compromised, resulting in the fraudulent issuance of nine SSL certificates for existing domains including mail.google.com, www.google.com, login.yahoo.com and addons.mozilla.org. These certificates could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users.

Comodo is reporting that the compromise was detected within hours and the certificates revoked immediately. Nevertheless, Microsoft, Google and Mozilla have also updated their web browsers to ensure that these fraudulent certificates are rejected even where revocation checking fails or is disabled.

Mozilla has updated Firefox 4.0, 3.6, and 3.5, while Microsoft has released updates for various platforms according to Microsoft Knowledge Base Article 2524375 and is also supplying additional information in Microsoft Security Advisory 2524375. At the end of last week Google released Chrome 10.0.648.151, which “blacklists a small number of HTTPS certificates”; this is almost certainly connected to this incident.

It is worth noting that none of Comodo’s root keys, intermediate CAs or secure hardware were compromised, and that Comodo quickly reported the incident to the owners of the affected domains as well as informing the major browser vendors and the relevant government authorities.

It is interesting to note that the two IP addresses involved are assigned to Iranian ISPs, but this may just be the result of an attacker attempting to lay a false trail. However, government attacks against social networking sites are not new. A few months ago it was reported that the Tunisian Internet Agency was harvesting the passwords and usernames of bloggers, reporters, political activists, and protesters by injecting hidden JavaScript into the login pages of many popular sites.
