Fraudulent SSL Certificate Warning
US-CERT, Microsoft, Mozilla and other organizations have issued warnings regarding fraudulent (fake) SSL certificates being issued.
According to the Comodo Group, Inc., the certificate authority responsible for issuing the fraudulent certificates, a Comodo affiliate RA was compromised on March 15th 2011, resulting in the fraudulent issue of 9 SSL certificates to sites in seven domains.
According to Microsoft, the certificates may be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users including users of Internet Explorer. Comodo emphasizes each of the certificates were revoked immediately on discovery and that their monitoring has not detected any attempted use of the certificates after their revocation.
The fraudulent certificates affect the following Web properties:
• login.live.com
• mail.google.com
• www.google.com
• login.yahoo.com (3 certificates)
• login.skype.com
• addons.mozilla.org
• “Global Trustee”
Accorindg to Mozilla, users on a compromised network could be directed to sites using the fraudulent certificates and mistake them for the legitimate sites. This could deceive them into revealing personal information such as usernames and passwords. It may also deceive users into downloading malware if they believe it’s coming from a trusted site. Mozilla has updated Firefox 4.0, 3.6, and 3.5 to recognize the certificates and block them automatically.
Comodo’s incident report shows that the attack came from several IP addresses, mainly from Iran. According to the report, “The attacker was well prepared and knew in advance what he was to try to achieve. He seemed to have a list of targets that he knew he wanted to obtain certificates for, was able quickly to generate the CSRs for these certificates and submit the orders to our system so that the certificates would be produced and made available to him.”
Additional Resources:
• Mozilla
• US-CERT
• Comodo