Microsoft warns: Fraudulent digital certificates issued for high-value websites

Summary: According to the Microsoft advisory, the fraudulent Web certificates affect the Microsoft Live service, Google's mail system, Yahoo and Skype log-ins.

Microsoft today warned that Comodo has issued nine fraudulent digital certificates to a third party whose identity could not be sufficiently validated, a scenario that could allow attackers to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web surfers.

According to the Microsoft advisory, the fraudulent Web certificates affect the Microsoft Live service, Google's mail system, Yahoo and Skype log-ins:

  • login.live.com
  • mail.google.com
  • www.google.com
  • login.yahoo.com (3 certificates)
  • login.skype.com
  • addons.mozilla.org
  • "Global Trustee"

The fact that valid HTTPS certificates for high-value web sites were issued to attackers is a worrying development (see essay from the Tor Project), especially since Comodo is a certification authority present in the Trusted Root Certification Authorities Store on all supported versions of Microsoft Windows.

Comodo has revoked these certificates, and they are listed in Comodo’s current Certificate Revocation List (CRL). In addition, browsers which have enabled the Online Certificate Status Protocol (OCSP) will interactively validate these certificates and block them from being used.
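The following Go program is an added illustration, not code from Microsoft, Comodo or any browser vendor: it builds a constructed root CA, a certificate for a host that CA should never have issued, and the CA's CRL, then shows that a client which only validates the chain accepts the certificate while a revocation-checking client rejects it. The names `Fixture` and `Accept`, the "Test Root" CA and the serial number 9009 are constructed for the example; a CRL stands in for the OCSP lookup browsers perform online.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Fixture builds constructed data: a root CA, a certificate for host that it should never have issued, and its CRL.
func Fixture(host string) (*x509.Certificate, *x509.Certificate, *x509.RevocationList) {
	_, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader) // the requester's own key pair, as carried in a CSR
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test Root"}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	root := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, caKey.Public(), caKey))))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(9009), DNSNames: []string{host}, NotBefore: root.NotBefore, NotAfter: root.NotAfter}
	fraud := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, root, leafPub, caKey))))
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: fraud.SerialNumber, RevocationTime: time.Now()}}}
	return root, fraud, must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, crlTmpl, root, caKey))))
}

// Accept mirrors a revocation-checking client: chain and hostname must verify, and the issuer-signed CRL must not list the serial.
func Accept(cert, root *x509.Certificate, crl *x509.RevocationList, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(root); err != nil {
		return err // never act on a CRL the issuer did not sign
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return errors.New("revoked certificate presented for " + host)
		}
	}
	return nil
}
```

The chain check alone passes for the fraudulent certificate, which is exactly why a client with revocation checking disabled would have accepted it.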

The Tor Project's Jake Appelbaum has seen evidence of Mozilla and Google also revoking certificates on Firefox and Chrome.

Mozilla has confirmed it has blacklisted the fraudulent certificates and warns of the potential risks:

Users on a compromised network could be directed to sites using the fraudulent certificates and mistake them for the legitimate sites. This could deceive them into revealing personal information such as usernames and passwords. It may also deceive users into downloading malware if they believe it’s coming from a trusted site.

Microsoft has pushed out an update for all supported versions of Windows to help address this issue and notes that no action is required from Windows users with automatic update enabled. The company's advisory contains instructions on manually applying the update.

UPDATE: Attack originated in Iran

Comodo has published a blog post and an incident report with a claim that the attack originated from IP addresses in Iran.

An attacker obtained the username and password of a Comodo Trusted Partner in Southern Europe. We are not yet clear about the nature or the details of the breach suffered by that partner other than knowing that other online accounts (not with Comodo) held by that partner were also compromised at about the same time.

The attacker used the username and password to login to the particular Comodo RA account and effect the fraudulent issue of the certificates.

The attacker was still using the account when the breach was identified and the account suspended. The attacker may have intended to target additional domains had they had the opportunity.

Remediation efforts began immediately the breach was discovered. The certificates have all been revoked and no Web browser should now accept the fraudulently issued certificates if revocation checking is enabled. Additional audits and controls have been deployed as described in the detailed incident report.

The IP address of the initial attack was recorded and has been determined to be assigned to an ISP in Iran. A web survey revealed one of the certificates deployed on another IP address assigned to an Iranian ISP. The server in question stopped responding to requests shortly after the certificate was revoked.

While the involvement of two IP addresses assigned to Iranian ISPs is suggestive of an origin, this may be the result of an attacker attempting to lay a false trail.

It does not escape notice that the domains targeted would be of greatest use to a government attempting surveillance of Internet use by dissident groups. The attack comes at a time when many countries in North Africa and the Gulf region are facing popular protests and many commentators have identified the Internet and in particular social networking sites as a major organizing tool for the protests.

The incident report offers even more details:

  • The circumstantial evidence suggests that the attack originated in Iran.
  • The perpetrator has focussed simply on the communication infrastructure (not the financial infrastructure as a typical cyber-criminal might).
  • The perpetrator can only make use of these certificates if it had control of the DNS infrastructure.
  • The perpetrator has executed its attacks with clinical accuracy.
  • The Iranian government has recently attacked other encrypted methods of communication.
  • All of the above leads us to one conclusion only: that this was likely to be a state-driven attack.

"The attacker was well prepared and knew in advance what he was to try to achieve. He seemed to have a list of targets that he knew he wanted to obtain certificates for, was able quickly to generate the CSRs for these certificates and submit the orders to our system so that the certificates would be produced and made available to him," Comodo said.

  • RE: Microsoft warns: Fraudulent digital certificates issued for high-value websites

    Now that's interesting. If the certificate providers are not able to validate the request, whom should we trust while we are on https?
    Ram U
    • RE: Microsoft warns: Fraudulent digital certificates issued for high-value websites

      @Rama.NET : Maybe this attack was in response to the Stuxnet virus.
      cosuna
      • RE: Microsoft warns: Fraudulent digital certificates issued for high-value websites

        @cosuna : That's very plausible, but not certain
        nomorebs
      • RE: Microsoft warns: Fraudulent digital certificates issued for high-value websites

        @Ryan Naraine: For a series of events there is some likelihood that could be from 0 to 1. By saying "likely" you mean that in your opinion the likelihood of an Iranian-state-driven attack is high (how high, I don't know, but in your mind it _has_ to be greater than 0.5 (= chance)). Now, you may be right, but I don't think your premises lead to your conclusion. The only strong premise you have in favor of your conclusion is that Iran was attacking "other" encrypted methods of communication. Maybe you didn't mention additional relevant information. For _example_, is it the only one doing such kind of attacks?

        I'm not Iranian, or from the middle east, or even Muslim, so I'm not defending the Ayatollah! I just don't buy that with the info you provided you can reach the conclusion you presented here.
        nomorebs
      • RE: Microsoft warns: Fraudulent digital certificates issued for high-value websites

        @cosuna
        Could be.
        Ram U
      • RE: Microsoft warns: Fraudulent digital certificates issued for high-value websites

        "I'm not Iranian, or from the middle east, or even Muslim, so I'm not defending the Ayatollah! I just don't buy that with the info you provided you can reach the conclusion you presented here."

        Sure pal, sure. And I have Mickey Mouse I can sell you. He's actually telling you something here.

        http://www.flickr.com/photos/mojodaisy/159946371/in/faves-mattfrigault/
        HarryBrown
      • RE: Microsoft warns: Fraudulent digital certificates issued for high-value websites

        @cosuna

        I don't think that is very likely. More likely is that they wanted to use it for more nefarious purposes, such as violating security on Twitter or Facebook to get information on dissidents using those accounts.

        But the real problem is that we just don't know what they were planning to do with it, since they could do so much if not for the prompt revocation. This entire incident is an example of why it is important for CAs to do real validation like VeriSign does to make sure they really know who they are giving the cert to.
        mejohnsn
      • RE: Microsoft warns: Fraudulent digital certificates issued for high-value websites

        @cosuna
        This is the height of fraud
        bansidhar9
    • RE: Microsoft warns: Fraudulent digital certificates issued for high-value websites

      @Rama.NET - standard SSL certs make no assertions as to the identity of the site you're accessing, nor its owner. All that a standard SSL cert provides is a way to encrypt data between a client PC and the server on which the private key is stored.

      Extended Validation (EV) Certificates (http://en.wikipedia.org/wiki/Extended_Validation_Certificate), on the other hand, are supposed to assert the identity of the certificate owner. EV-Certs turn your address bar green and provide some information about the identity of the owner of the cert.

      CAs are supposed to perform an extended set of identity checks before issuing an EV-Cert, including sending someone to the company's registered address to check that they are who they claim to be.

      Alas, the attacker in this case managed to obtain the login credentials of someone with rights to download certs for companies that have already completed the cert validation process.

      Who this "trusted partner" is though is worrying since they also had access to domains NOT serviced by Comodo.

      Asserting that this attack was authorized and/or carried out by the Iranian government is, however, circumspect at best, deluded at worst.
      bitcrazed
      • RE: Microsoft warns: Fraudulent digital certificates issued for high-value websites

        "Asserting that this attack was authorized and/or carried out by the Iranian government is, however, circumspect at best, deluded at worst."

        Really? What makes you say that?

        Although there is no definitive proof, you make it sound as if such a thing is wildly implausible and not even a factor to even be taken into consideration.
        anonymous
      • They do not have to come to the business for EV certs

        @bitcrazed "including sending someone to the company's registered address to check that they are who they claim to be." is not true. I work for a company that has an EV certificate, and while the process is very involved and requires a 3rd-party CPA, they do not need to physically come to the business; that would not be feasible.
        billvsd
      • Where "Standard SSL certs" really come from

        @bitcrazed

        Huh? How did you think the company issued a "standard SSL cert" gets it? The CA is supposed to do that validation itself, so that even though the details of it are unavailable to the end user, the end user can trust that the CA has verified that the name of the company appearing in the cert is the real name of the company they are dealing with.

        This has long been the case with certs issued by VeriSign. Comodo deserves to be boycotted and permanently disbarred from the CA business for this breach.
        mejohnsn
    • RE: Microsoft warns: Fraudulent digital certificates issued for high-value websites

      @Rama.NET from the description it is not the certificate provider's fault. It is one of their partners who had an ID and password compromised.
      Al_nyc
  • RE: Microsoft warns: Fraudulent digital certificates issued for high-value websites

    This is a joke of a company I must say. How in the heck did someone trick them into issuing these certs for some of the biggest companies on the planet? I have been through the validation process and it's interesting that they wouldn't investigate deeper for someone wanting a cert for these high-value targets. Comodo used to call me all the time and I am glad their pricing didn't convince me to go with them. I recommend Entrust for anyone looking for a real certificate authority. Comodo can just go away at this point. Idiots.
    OhTheHumanity
    • RE: Microsoft warns: Fraudulent digital certificates issued for high-value websites

      @OhTheHumanity

      If you go re-read the story it has your answer.
      KTLA