WEB SECURITY OUTFIT Comodo has admitted that an affiliate registration authority (RA) was compromised leading to the issuance of fraudulent secure sockets layer (SSL) certificates.
Although Comodo's RA was compromised, the firm confirmed that its root keys and intermediate certification authorities were unaffected in the attack. Nevertheless, the compromised RA allowed several bogus SSL certificates to be issued, which have now been revoked.
While Comodo has revoked the SSL certificates, Microsoft has taken more direct action on this issue, releasing a patch it describes as a "mitigation update", as one of the fraudulent certificates could potentially affect Windows Live ID users when they try to log in at login.live.com.
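A revocation by the issuing CA only helps clients that actually check revocation status; Microsoft's update instead distrusts the specific fraudulent certificates on the client, so they are rejected even though they chain to a root the operating system trusts. The Go program below is an added illustration of that distinction, not code from Comodo, Microsoft or this article: it generates a throwaway root CA and a leaf certificate for the placeholder host login.example.test entirely in memory, shows that ordinary chain validation accepts the leaf, and then shows the same leaf being rejected by a SHA-256 fingerprint distrust list. The function names, serial numbers and hostname are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// mustCert signs template with the signer's key and returns the parsed certificate.
func mustCert(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildDemoPKI constructs a throwaway root CA and a leaf certificate issued under it
// for "login.example.test" (a constructed stand-in for a targeted domain).
// Nothing here comes from a real CA; keys are generated fresh on every run.
func BuildDemoPKI() (*x509.CertPool, *x509.Certificate) {
	now := time.Now()
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1), // constructed serial
		Subject:               pkix.Name{CommonName: "Demo Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	rootCert := mustCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242), // constructed serial
		Subject:      pkix.Name{CommonName: "login.example.test"},
		DNSNames:     []string{"login.example.test"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafCert := mustCert(leafTmpl, rootCert, &leafKey.PublicKey, rootKey)

	roots := x509.NewCertPool()
	roots.AddCert(rootCert)
	return roots, leafCert
}

// Fingerprint returns the hex SHA-256 digest of the certificate's DER encoding,
// the usual key for a client-side distrust list.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// VerifyWithDistrust performs ordinary chain building and hostname checking, then
// rejects the certificate if anything in an accepted chain is on the distrust list.
// Go's x509 Verify does no revocation checking of its own, so this second step
// (or a CRL/OCSP lookup) is the application's responsibility.
func VerifyWithDistrust(leaf *x509.Certificate, roots *x509.CertPool, host string, distrusted map[string]bool) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	for _, chain := range chains {
		for _, c := range chain {
			if distrusted[Fingerprint(c)] {
				return fmt.Errorf("certificate %q (serial %s) is explicitly distrusted", c.Subject.CommonName, c.SerialNumber)
			}
		}
	}
	return nil
}

func main() {
	roots, leaf := BuildDemoPKI()
	host := "login.example.test"
	// Without a distrust list the leaf chains to a trusted root and is accepted (<nil>).
	fmt.Println("no distrust list:  ", VerifyWithDistrust(leaf, roots, host, nil))
	// With the leaf's fingerprint distrusted it is rejected, although the chain is still valid.
	blocked := map[string]bool{Fingerprint(leaf): true}
	fmt.Println("with distrust list:", VerifyWithDistrust(leaf, roots, host, blocked))
}
```

The point of keying the list by fingerprint rather than by subject name is that it pins the exact bad certificate: a legitimately re-issued certificate for the same host keeps working, while the fraudulent one stays blocked regardless of whether the client ever consults the CA's revocation list.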
Comodo claims the breach at its RA was due to the attacker getting hold of a username and password of one of its Trusted Partners in southern Europe. Perhaps more worrying is that at this point Comodo says it is "not yet clear about the nature or the details of the breach suffered by that partner".
While Comodo doesn't have the details about how the account was compromised, it claims to have recorded the IP address of the computer used to initiate the attack. Comodo said that the IP address has been traced back to an Internet service provider in Iran. However, the firm took the responsible attitude of saying that while the IP address might belong to an Iranian ISP, it does not necessarily mean that Iranian nationals conducted the attack.
Although Comodo tempered any suggestion that Iran might have been behind the attack, the firm added that the domains targeted "would be of greatest use to a government attempting surveillance of Internet use by dissident groups".
SSL certificates work on the premise that the issuing body is trusted. Firms such as Verisign, Thawte and Comodo promote themselves as sophisticated, secure operations that can be trusted to issue certificates. While Comodo deserves credit for admitting what happened, the fact that the part of its system used to issue SSL certificates was compromised by a third party who obtained a login and password will raise serious concerns for the firm and its customers.
All this goes to show that even SSL certificates are not foolproof for guaranteeing the security of communications on the Internet. µ
Tags: Microsoft
Secure transactions on Paypal, Amazon.com, Microsoft and your bank would be gravely at risk. I could forge a certificate and fool your computer into trusting my certificate as the real deal as you unknowingly hand over vital details about yourself. The Internet is built on secure trust to move private data and money around. An attacker can then go on and commit identity theft as you put your faith in the Comodo Firewall. Your Comodo Firewall can be compromised in a separate attack by causing a buffer overflow or a stack dump, rendering it useless. Hardware firewalls are better. In a real story, someone back in 2001 compromised a CA to issue them a certificate saying that they were Microsoft. The bad part is, it uses SSL and could have sent a payload of viruses and Trojans to you using a fake WindowsUpdate. Since your machine trusts them, your firewall would have been useless. A firewall is not an end-all solution. It can be compromised if you don't know how to manually write custom rules, and still there are no guarantees.
A Certificate Authority like Comodo has two main objectives: one is to protect the customers' private keys and the other is to validate the company applying for an SSL certificate.
"The company said in another statement that the compromise was made using an affiliate authorized to do primary validation of certificate requests."
OK, an affiliate may do the primary validation of the certificate, but it is the CA that has to do the final check and release the SSL certificate. What they are saying is someone has entered an affiliate's system, ordered and issued the SSL certificate without validation, meaning that Comodo allows their partners to do this for them without checks.
I have worked in the CA background before (previously for many years) and the mentioned CA has allowed this to happen before (a cert issued for Mozilla.com through another partner). There are also other instances.
My questions are: they are a security company protecting me and you, so why did they not deal with this issue back then? Why, after last time, did they not fix the problem and stop partners issuing their SSL certificates?
I personally think Google, Mozilla, Skype and Microsoft should sue Comodo using the warranty they promote in their SSL certificates, or take their root out of the browsers.
The title of this post should be investigated!!!
As a Comodo firewall user, but not even close to savvy in SSL, I would appreciate some interpretation of what this could mean for me. Otherwise the information is pretty useless to me.