Bogus Comodo SSL Certs Targeted Google, Yahoo In Attack Linked To Iran


Officials at Comodo believe an attack on a registration authority (RA) emanated from Iran and may have been an attempt at monitoring users of popular Web sites.

While details of the actual breach are unclear, what is known is that on March 15, an attack hit a Comodo affiliate RA and swiped the username and password of a Comodo Trusted Partner in Southern Europe. With the stolen credentials in tow, the attacker or attackers used the compromised account to request nine digital certificates across seven domains, including: login.yahoo.com, mail.google.com, login.skype.com and addons.mozilla.org.

Within hours of the attack, the situation was discovered and all nine certificates were revoked.

“The attacker was still using the account when the breach was identified and the account suspended,” according to a post on Comodo’s security blog by security researcher Phillip Hallam-Baker.

“The attacker may have intended to target additional domains had they had the opportunity…The certificates have all been revoked and no Web browser should now accept the fraudulently issued certificates if revocation checking is enabled.

“The IP address of the initial attack was recorded and has been determined to be assigned to an ISP in Iran,” he continued. “A web survey revealed one of the certificates deployed on another IP address assigned to an Iranian ISP. The server in question stopped responding to requests shortly after the certificate was revoked.”

The potential implications of such an attack are vast. In an advisory, Microsoft warned that the certificates could have been used to spoof content or perform phishing or man-in-the-middle attacks against Web surfers.
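The revocation caveat in Hallam-Baker's post deserves a practical note. A fraudulently issued certificate is not malformed: it chains to a trusted root, its hostname matches, and it is within its validity period, so ordinary path validation accepts it. Rejecting it needs an out-of-band signal, either a CRL or OCSP answer (which browsers of that era typically treated as soft-fail, so a blocked or missing response did not stop the connection) or a hard-coded (issuer, serial) blocklist of the kind browser vendors ship when revocation cannot be relied on. The Go program below is an added illustration, not code from Comodo, CRN or any browser vendor. It constructs a throwaway test CA and leaf certificate in memory (the issuer name, serial numbers and hostname are constructed test data, not the real Comodo serials), shows that the leaf passes standard validation, and then rejects it once its issuer-plus-serial pair is on a blocklist.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// blockedCert names a certificate the way a CRL entry, an OCSP response or a
// hard-coded browser blocklist does: by issuer DN plus serial number.
type blockedCert struct {
	Issuer string // issuer DN as rendered by pkix.Name.String()
	Serial string // decimal serial number
}

// Blocklist is a set of (issuer, serial) pairs that must never be accepted,
// regardless of whether the chain otherwise validates.
type Blocklist map[blockedCert]bool

// Add records one issuer+serial pair as blocked.
func (b Blocklist) Add(issuer string, serial *big.Int) {
	b[blockedCert{Issuer: issuer, Serial: serial.String()}] = true
}

// IsBlocked reports whether the leaf's own issuer and serial are listed.
func (b Blocklist) IsBlocked(leaf *x509.Certificate) bool {
	return b[blockedCert{Issuer: leaf.Issuer.String(), Serial: leaf.SerialNumber.String()}]
}

// VerifyLeaf performs normal path validation (trusted root, hostname, validity,
// server-auth EKU) and only then consults the blocklist. A fraudulently issued
// certificate passes the first step; only the second step stops it.
func VerifyLeaf(leaf *x509.Certificate, roots *x509.CertPool, host string, bl Blocklist) error {
	opts := x509.VerifyOptions{Roots: roots, DNSName: host}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("path validation failed: %w", err)
	}
	if bl.IsBlocked(leaf) {
		return fmt.Errorf("certificate serial %s from issuer %q is blocklisted",
			leaf.SerialNumber, leaf.Issuer.String())
	}
	return nil
}

// MakeTestChain builds a self-signed test CA and a leaf it signs for dnsName
// with the given serial. This is constructed test data standing in for a real
// RA-issued certificate; the CA name is hypothetical.
func MakeTestChain(serial int64, dnsName string) (*x509.Certificate, *x509.Certificate, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Test Issuing CA (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, nil, err
	}
	return caCert, leaf, nil
}

func main() {
	// Hostname and serial below are constructed test values.
	ca, leaf, err := MakeTestChain(4242, "mail.example.test")
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)

	bl := Blocklist{}
	fmt.Println("before blocklisting:", VerifyLeaf(leaf, roots, "mail.example.test", bl))
	bl.Add(ca.Subject.String(), big.NewInt(4242))
	fmt.Println("after blocklisting: ", VerifyLeaf(leaf, roots, "mail.example.test", bl))
}
```

The point of keeping the blocklist check after path validation is that the two tests answer different questions: validation asks whether the certificate was issued under a trusted root, which it was; the blocklist asks whether the issuer has since disowned that particular issuance. Keying on issuer plus serial rather than on the certificate's hash mirrors how CRLs identify entries, so the same list can be populated from a revocation feed.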

In a conversation with CRN, Comodo CEO Melih Abdulhayoglu noted the certificates would only be useful if the attacker also had access to a country’s DNS infrastructure. Given the nature of the targeted domains -- Gmail, Skype and Yahoo among them -- the certificates “would be of greatest use to a government attempting surveillance of Internet use by dissident groups,” according to Hallam-Baker.

State-sponsored attacks targeting certificate authorities (CAs) and registration authorities -- if that's what this truly is -- are a new phenomenon, said Brian Trzupek, vice president of Managed Identity and SSL at Trustwave.

“Given the source country of the attacks and the domain names in the certificates obtained it is reasonable to believe that this may have been the goal,” he said. “Governments have enough infrastructure control to perform wide scale transparent proxying to steal information about their citizens if they gain possession of fraudulent certificates such as these.”

Still, Hallam-Baker noted it was possible the attacker was leaving a false trail, despite the involvement of two IP addresses assigned to Iranian ISPs. No Comodo root keys, intermediate CAs or hardware were compromised in the attack, and the incident was reported to the owners of the affected domains as well as the major browser vendors and relevant government authorities, he added.

“If you think about the RSA attack and Comodo together -- this is an attack against foundational security technologies used in e-commerce over the net,” said Anup Ghosh, chief scientist of Invincea. “The attack against RSA undermines faith in strong two-factor authentication. The attack against Comodo undermines faith in SSL-based end-to-end encryption provided by thousands of e-commerce sites.”