
Firm points finger at Iran for SSL certificate theft

Gregg Keizer, Computerworld | March 24, 2011
Iran may have been involved in an attack that resulted in hackers acquiring bogus digital certificates for some of the Web's biggest sites, including Google and Gmail, Microsoft, Skype and Yahoo, a certificate issuing firm said today.

Three certificates were acquired for Yahoo, said Microsoft, and one each for the others.

The attack and the acquisition of the certificates have prompted Google, Microsoft and Mozilla to issue updates so that users of their browsers will be warned if they try to reach a site that is serving one of the phony certificates.

Google was the first to react: It updated Chrome last week.

On Tuesday, Mozilla shipped updates for its Firefox 3.5 and Firefox 3.6 browsers to do the same; it had already revamped Firefox 4 before the new browser's Tuesday launch.

Microsoft followed today with an update to all Windows users that adds the nine certificates to the operating system's blacklist, which Internet Explorer accesses. The update has been pushed to Microsoft's Windows Update service for users running Windows XP, Server 2003, Vista, Server 2008, Windows 7 and Server 2008 R2.

Comodo said the attackers obtained the certificates on March 15 using a username and password assigned to a company partner in southern Europe. It has not identified the partner but admitted it didn't know all the details.

"We are not yet clear about the nature or the details of the breach suffered by that partner, other than knowing that other online accounts -- [although] not with Comodo -- held by that partner were also compromised at about the same time," Comodo said.

Storms called Comodo's failure a major security event. "It's a big deal when a trusted authority issues something it clearly shouldn't have," Storms said. "People start second-guessing whether a site is really what it says it is."

It could also be a financial hit to Comodo, Storms added, pointing out that certificate-issuing authorities regularly post bonds for liability reasons or to prepare for potential lawsuits when problems crop up.

"Comodo has put money on the validity of their certificates," Storms said.

It isn't surprising that attackers would be very interested in acquiring certificates to such major Web players as Google, Microsoft and Yahoo.

"They're getting a lot for their buck," said Storms, referring to the hackers' efforts.

Comodo said it reacted to last week's attack "within hours" and revoked the certificates. "At no time were any Comodo root keys, intermediate [certificate authorities] or secure hardware compromised," the company asserted.

Even though the certificates have been revoked, Chrome and Firefox users should be sure to update their browsers, said Storms, and IE users should deploy today's Windows update from Microsoft.
