Comodo announced this week that a Southern European affiliate had been compromised, resulting in the fraudulent issue of nine digital certificates to sites in seven domains: login.live.com; mail.google.com; www.google.com; login.yahoo.com (3 certificates); login.skype.com; addons.mozilla.org; and “Global Trustee”. Comodo said that the compromise was detected “within hours”, the site owners were notified, and the certificates were revoked “immediately”.
The attacker, which Comodo identified as using a server in Iran, obtained the username and password of the Comodo affiliate and used that information to login to the affiliate’s account and issue the fraudulent certificates.
In response to Comodo’s notification, Microsoft said that it had updated Windows to prevent the fraudulent certificates from being used. These fraudulent digital certificates, which are used by websites to confirm the identity of end users, may be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against web browser users, Microsoft said.
Abdulhayoglu told Infosecurity that he believes the attack was state-sponsored because the fraudulent certificates could only be used by an entity that controls the DNS infrastructure. “These certificates are totally useless to someone unless they have access to the DNS infrastructure. What are you going to do with this certificate? Nothing unless you have the ability to direct people’s DNS queries”, he said.
The Comodo chief executive said that these fraudulent certificates are of no use to criminals interested in commercial gain; they would only benefit an entity looking to eavesdrop on people’s emails because the sites are all communications related. “There is no financial motivation here. There is only trying to intercept people’s communication”, he stressed.
Abdulhayoglu said that the company has restructured its threat model to account for state-sponsored attacks. Prior to this attack, the company had developed a threat model and security processes focused on attacks by cybercriminals for commercial gain. “We most definitely have taken many different precautions so an attack like this will not happen again.”
Another way to prevent such a breach is to reform the DNS infrastructure, Abdulhayoglu said. “DNS is totally untrusted and insecure. If DNS was secure, then these people would not have attacked the certificate authority.”
Last year, Comodo proposed to set up an international certification authority authorization (CAA) resource board that would enable certificate authorities (CAs) to implement additional controls to reduce the risk of fraudulent certificates.
“We are proposing a process method change in the DNS infrastructure whereby a policy is embedded within the DNS so that the company will dictate the process that will be followed in order to issue a certificate”, Abdulhayoglu explained.
While the Comodo chief executive downplayed the risk from this breach, others wondered about the effects of a more widespread CA breach that was not detected in such a timely fashion.
"Comodo's unfortunate security breach puts many consumers at risk, having opened the door for common and popular websites visited by billions of people every day to have been spoofed", said Fraser Howard, principal threat researcher at Sophos. "From a more long term perspective, let’s hope this incident makes industry players audit, not only their own security systems and policies, but those of their trusted partners as well to protect browsers in the future."
Gregory Webb, marketing director at Venafi, said that the Comodo breach is “just the tip of the iceberg…This is just the beginning of what could be a serious threat from a security perspective.” Webb said that it is a “wake up call” to organizations that heavily depend on certificates, some with tens of thousands of certificates.
Paul Turner, Venafi’s vice president of products and custom solutions, added that when a certificate authority is compromised, organizations need to know how to respond. “If this compromise had been broader, it would require organizations using certificates from that CA to be able to change their certificates very quickly….Most organizations don’t have a complete view of where their certificates are.”