Rogue SSL certificates issued for Google, Yahoo, Skype
A Comodo affiliate Registration Authority (RA) has been compromised and the incident resulted in the issue of nine rogue SSL certificates for seven popular domains, reported Comodo today.
The incident happened on March 15th, when unknown attackers managed to get access to one of the user accounts for the RA. They managed to issue certificates for:
- mail.google.com
- www.google.com
- login.yahoo.com
- login.skype.com
- addons.mozilla.org
- login.live.com
- global trustee
“One user account in one RA was compromised. The attacker created himself a new userID (with a new username and password) on the compromised user account,” explains Comodo in a incident report issued today.
“The attack came from several IP addresses, but mainly from Iran. The attacker was well prepared and knew in advance what he was to try to achieve. He seemed to have a list of targets that he knew he wanted to obtain certificates for, was able quickly to generate the CSRs for these certificates and submit the orders to our system so that the certificates would be produced and made available to him.”
So far, Comodo are aware of him receiving only one certificate, but all were revoked immediately. “Our systems indicate that when this one certificate was first tested it received a “revoked’ response from our OCSP responders. The site in Iran on which the certificate was tested quickly became unavailable,” it says.
Kudos to Comodo for the efforts made for responsible disclosure. Immediately after the breach was spotted, they contacted principal browsers and domain owners and appraised them of the situation.
Google and Mozilla have pushed out updates that revise certificate blacklists in their browsers only two days after the breach. Microsoft also issued an update for all supported versions of Windows to help address the issue.
Government authorities have also been notified and have mounted an investigation.
Comodo made sure to point out that its root keys, intermediate CAs or secure hardware were not compromised.
“It does not escape notice that the domains targeted would be of greatest use to a government attempting surveillance of Internet use by dissident groups,” says Comodo in the blog post. “The attack comes at a time when many countries in North Africa and the Gulf region are facing popular protests and many commentators have identified the Internet and in particular social networking sites as a major organizing tool for the protests.”
It allows the possibility that the two detected IP addresses assigned to Iranian ISPs may be a way for the attacker to lay a false trail, but since the perpetrator has focused on the communication infrastructure and can only make use of the certificates if it has control of the DNS infrastructure, Comodo’s researchers say that this was likely a state-driven attack.
Given the nature of the domains for which the attacker requested the certificates, it does seem like this was a state-orchestrated scheme to harvest usernames and passwords for a future surveillance of email and Skype communication.