Comodo certificate compromise has Iranian fingerprints

As reported by Computer Weekly yesterday, Microsoft has warned that fraudulent certificates for Google, Microsoft Live, Mozilla and Yahoo may be used to spoof content from popular web sites.

Peter Eckersley, senior staff technologist with the Electronic Frontier Foundation, says the hacking incident "got close to, but was not quite, an internet-wide security meltdown."

And now the AFP newswire is reporting that hackers in Iran posed as a European affiliate of Comodo to get digital certificates, allowing the creation of imitation Google, Yahoo!, Microsoft or Skype log-in pages.

Citing a blog from Comodo, the newswire says that the attacker was well prepared and knew in advance what he was trying to achieve, adding that he seemed to have a list of targets for which he wanted to obtain certificates.

"One of the online identities was tested on an Iranian computer server but the others appeared not to have been used, according to Comodo, which said that it revoked the credentials within hours", says the AFP newswire, adding that whoever was behind the attempt appeared to be out to monitor or intercept email messages or Skype calls.

Commenting on the saga, certificate management specialist Venafi has warned of potential lost business and brand reputational damage.

Jeff Hudson, the firm's CEO, said that digital certificates are used as a signal to the Internet user that the site is trusted, but if the system that provides the trust is compromised, it effectively becomes close to worthless and insecure.

"This saga, whatever its cause, is going to set back Internet users' trust in web sites", he explained.

"Previously, one of the few ways that cybercriminals could fool users of high-profile and trusted web sites was to stage an evil twin or man-in-the-middle style of attack. By using this approach, the hackers are hitting at the heart of the trust amongst users. That's very dangerous", he said.

Hudson went on to say that the trust issue will also extend to business users of the affected sites, because, unlike a consumer or small business PC's web browser, which warns about an expired certificate, enterprise systems do not distinguish where a certificate came from and provide no warning messages when there is a failure.

If there is a problem with the certificate or related keys, he says that the systems or applications will simply stop working, without the businesses knowing what has happened - until their technical people get involved.

Because of these issues, this saga really is a big problem for the affected companies, says the Venafi CEO.

Whilst consumer trust can be rebuilt over time, businesses are very often completely turned off if a security compromise causes their systems to stop working.

"If you believe that the Comodo certificate spoof will be the last CA to be targeted or breached, the question is how can organisations best prepare for the eventuality of another Comodo-style breach or the need to quickly respond to a report of a forged certificate?"
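The practical gap behind both Hudson's warning about enterprise systems not distinguishing where a certificate came from and his closing question is that standard chain validation accepts a certificate from any trusted CA, so a fraudulently issued certificate for a real hostname passes it cleanly. The following is an added example, not code from the article, Comodo or Venafi, of the extra check an operator can layer on top: it pins the expected issuing CA per hostname and consults a locally maintained list of serials reported as forged. It works on the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns; the CA names, serial numbers and sample certificate records are constructed for illustration and are not taken from the Comodo incident.

```python
"""Issuer pinning and local revocation check over getpeercert()-shaped records.

Added example. Assumes the caller has already performed normal chain
validation (ssl.CERT_REQUIRED); this layer only asks "is this the CA we
expect for this host, and has this serial been reported as forged?"
"""
import socket
import ssl
import time

# Expected issuer commonName per hostname. Constructed/assumed values.
PINNED_ISSUERS = {
    "login.live.com": {"Example Corp Issuing CA 1"},
    "mail.google.com": {"Example Web CA 2"},
}

# Serials an operator has been told are fraudulent. Constructed values,
# not the serial numbers from any real incident.
REVOKED_SERIALS = {"0A1B2C3D"}


def _rdn_value(name, attribute):
    """Pull one attribute out of the nested tuples ssl uses for
    subject/issuer: ((('commonName', 'x'),), (('organizationName', 'y'),))."""
    for rdn in name:
        for key, value in rdn:
            if key == attribute:
                return value
    return None


def cert_names(cert):
    """Every DNS name the certificate claims: CN plus subjectAltName DNS entries."""
    names = set()
    cn = _rdn_value(cert.get("subject", ()), "commonName")
    if cn:
        names.add(cn)
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value)
    return names


def check_certificate(hostname, cert, now=None):
    """Return a list of findings; an empty list means the cert meets expectations."""
    now = time.time() if now is None else now
    findings = []
    names = cert_names(cert)
    if hostname not in names:
        findings.append(f"name mismatch: {hostname} not in {sorted(names)}")
    serial = cert.get("serialNumber")
    if serial in REVOKED_SERIALS:
        findings.append(f"serial {serial} is on the local revocation list")
    issuer_cn = _rdn_value(cert.get("issuer", ()), "commonName")
    expected = PINNED_ISSUERS.get(hostname)
    if expected is not None and issuer_cn not in expected:
        findings.append(f"unexpected issuer {issuer_cn!r}; pinned: {sorted(expected)}")
    # ssl.cert_time_to_seconds parses the "Mar 20 23:59:59 2012 GMT" format.
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append("certificate not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("certificate expired")
    return findings


def check_live(hostname, port=443):
    """Connect with full chain validation, then apply the pinning check.
    Not called below so the example runs offline."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return check_certificate(hostname, tls.getpeercert())


# Constructed sample records in getpeercert() shape (not real certificates).
GOOD_CERT = {
    "subject": ((("commonName", "login.live.com"),),),
    "issuer": ((("organizationName", "Example Corp"),),
               (("commonName", "Example Corp Issuing CA 1"),)),
    "subjectAltName": (("DNS", "login.live.com"),),
    "serialNumber": "7F00A1",
    "notBefore": "Mar 20 00:00:00 2011 GMT",
    "notAfter": "Mar 20 23:59:59 2012 GMT",
}
# Same hostname, valid dates, but issued by a different (still trusted) CA
# and carrying a serial that has been reported as forged.
ROGUE_CERT = {
    "subject": ((("commonName", "login.live.com"),),),
    "issuer": ((("commonName", "Some Other Trusted CA"),),),
    "subjectAltName": (("DNS", "login.live.com"),),
    "serialNumber": "0A1B2C3D",
    "notBefore": "Mar 15 00:00:00 2011 GMT",
    "notAfter": "Mar 15 23:59:59 2012 GMT",
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Mar 24 00:00:00 2011 GMT")

if __name__ == "__main__":
    for label, cert in (("good", GOOD_CERT), ("rogue", ROGUE_CERT)):
        print(label, check_certificate("login.live.com", cert, now=SAMPLE_NOW) or "ok")
```

The rogue record passes the hostname and validity checks exactly as a browser's chain validation would; only the issuer pin and the revocation list catch it, which is the point: the list of expected issuers and reported serials is what an organisation has to maintain in advance if it wants to respond to a forged-certificate report faster than its CA's revocation propagates.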
