Comodo SSL certificates compromised

Whenever you visit a secure website (HTTPS), your browser verifies that the site is properly secured based on the site's certificate. If the site doesn't have a valid certificate, most browsers make it pretty clear that the site you are visiting cannot be verified as an actual secure site. It all works pretty well to ensure your browsing experience is safe until the company issuing the certificates is hacked.

Comodo admitted yesterday that on March 15, 2011, a Registration Authority (RA) in southern Europe was compromised and fraudulent certificates were created. The hacker somehow gained access to an administrative username and password, which they then used to create their own username and password and issue SSL certificates for login.live.com, mail.google.com, login.yahoo.com, login.skype.com, addons.mozilla.org and Global Trustee.

As soon as they found out the fraudulent certificates were created, Comodo immediately revoked them. They also said that only one of the certificates was tested and it received a revoked response. The site that the hacker used to test it was immediately unavailable after the certificate failed. The attack originated from an Iranian IP address and the server used to test the certificate was based in Iran. This led Comodo to draw the following conclusions:

The circumstantial evidence suggests that the attack originated in Iran. 
The perpetrator has focussed simply on the communication infrastructure (not the financial infrastructure as a typical cyber-criminal might). 
The perpetrator can only make use of these certificates if it had control of the DNS infrastructure.
The perpetrator has executed its attacks with clinical accuracy.
The Iranian government has recently attacked other encrypted methods of communication.
All of the above leads us to one conclusion only:- that this was likely to be a state-driven attack.

Fortunately, the certificates the hacker created would not be usable unless the attacker was also able to take over DNS and point the domains named in the fraudulent certificates at their own servers' IP addresses.
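The revocation check behind the "revoked response" mentioned above can be reproduced offline. This is an added example, not code from the article or from Comodo: it uses the third-party Python `cryptography` package and a CRL (the article does not say which revocation mechanism the tester's client used), and the CA, host names and serial numbers are all constructed.

```python
# Added example: constructed CA, certificates and CRL; none of this is Comodo's data.
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = dt.datetime.now(dt.timezone.utc)

def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def issue(ca_key, ca_name, host):
    """Issue a leaf certificate for `host` from the constructed test CA."""
    key = ec.generate_private_key(ec.SECP256R1())
    return (x509.CertificateBuilder()
            .subject_name(name(host)).issuer_name(ca_name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - dt.timedelta(days=1))
            .not_valid_after(NOW + dt.timedelta(days=30))
            .sign(ca_key, hashes.SHA256()))

def make_crl(ca_key, ca_name, revoked_certs):
    """Build a CRL, signed by the CA, that lists the given certificates."""
    b = (x509.CertificateRevocationListBuilder()
         .issuer_name(ca_name).last_update(NOW)
         .next_update(NOW + dt.timedelta(days=7)))
    for c in revoked_certs:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder()
            .serial_number(c.serial_number).revocation_date(NOW).build())
    return b.sign(ca_key, hashes.SHA256())

def status(cert, crl, ca_public_key):
    """Return 'revoked', 'good' or 'unknown' (CRL not usable for this cert)."""
    if crl.issuer != cert.issuer or not crl.is_signature_valid(ca_public_key):
        return "unknown"  # wrong issuer or bad signature: the CRL proves nothing
    hit = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
    return "revoked" if hit is not None else "good"

def demo():
    ca_key, ca_name = ec.generate_private_key(ec.SECP256R1()), name("Constructed Test CA")
    bad = issue(ca_key, ca_name, "fraud.example.test")   # stands in for a mis-issued cert
    ok = issue(ca_key, ca_name, "shop.example.test")
    crl = make_crl(ca_key, ca_name, [bad])
    pub, other = ca_key.public_key(), ec.generate_private_key(ec.SECP256R1()).public_key()
    return status(bad, crl, pub), status(ok, crl, pub), status(bad, crl, other)
```

A client that receives "unknown" should treat it as a failure rather than as "good"; otherwise blocking or forging the revocation data is enough to make a revoked certificate pass.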

38 Comments


Comodo is a joke of a company anyway. Their ****ty firewall is worse than Vista's UAC implementation (confirm/deny EVERYTHING, doesn't remember choices). Their take on Chrome is a completely useless addition; basic fundamental security practices will net you the same result. Bottom line: Don't rely on some crappy third-party "security" company to make wise choices for you. Best to learn and practice them yourself.

Why is kevpan815 submitting so many comments?

As for the topic (SSL certs), the hackers are probably just testing the waters on how to break into the SSL certs infrastructure.

kevpan815 said,
I did not know that you could run MAC OSX on a PC!
Do you not know how to reply to a post without making a new comment?

Also why exactly are you posting about end of support dates for various OSes and talking about smartphones?

kevpan815 said,
I did not know that you could run MAC OSX on a PC!

Yup, just google "Hackintosh" or "OSx86" or "Mac OS X on PC"; some people are even running the Developer Edition of OSX Lion on PC hardware! Check out the video below to get a general idea of what I'm working with (Note: The Videos are old; there have been a lot of changes and improvements in the field since.)
http://vimeo.com/6213744

kevpan815 said,
Right now I am running Windows 7 on my Brand New Mac Mini without Mac OSX!

I'm running Apple OS X (Snow Leopard 10.6.7), Microsoft Windows 7 SP1 (Ultimate Edition), and Linux Mint 9 (LTS) all on my little MSI Wind U100 Netbook Computer with 2GB RAM, 1.6GHz Intel Atom Processor, and 500GB Disk Drive. It's a nice triple boot setup. My Windows 7 is sandboxed in so well, due to the hybrid Partition Table scheme, that even Microsoft's Service Pack 1 refused to install initially, it took some major trickery to get it installed properly and then get everything back to the way it was before.

keuka said,

I'm running Apple OS X (Snow Leopard 10.6.7), Microsoft Windows 7 SP1 (Ultimate Edition), and Linux Mint 9 (LTS) all on my little MSI Wind U100 Netbook Computer with 2GB RAM, 1.6GHz Intel Atom Processor, and 500GB Disk Drive. It's a nice triple boot setup. My Windows 7 is sandboxed in so well, due to the hybrid Partition Table scheme, that even Microsoft's Service Pack 1 refused to install initially, it took some major trickery to get it installed properly and then get everything back to the way it was before.

I gave up on the dual booting stuff a long time ago. Not much sense to it anymore, IMO, especially if it involves some "trickery" to get something installed, that should install with no issues. Even less sense to triple booting.

Glad I came across this article though. All updated and no reboot required!!

dreamsburnred said,
Can't trust any technology.
How do YOU buy things at a store? They all use "technology" now. Even if you pay cash, you are depending on barcodes and other technology.

At any rate: I don't have a WP7 so all I have 2 do is worry about updating my computer, as far as cell phones are concerned I am an Apple IPhone 3GS Fan!

kevpan815 said,
At any rate: I don't have a WP7 so all I have 2 do is worry about updating my computer, as far as cell phones are concerned I am an Apple IPhone 3GS Fan!

+1
Me Too! 32GB White Apple iPhone 3GS

A lot of people don't know this, but all versions of Windows Vista except Business and Enterprise Sunset next year whereas All Versions of Windows XP don't sunset till 2014 because Microsoft extended home versions of Windows XP 2 NOT expire until Extended Support ends 4 XP however they did not do the same 4 Vista and 7 yet! Only Business and Enterprise get extended support 4 Vista and only Professional and Enterprise editions get extended support for 7! They will expire in 2017 and 2020.

On the support lifecycle page, Vista Home doesn't have a date listed for the end of Extended Support. I think it would be fair to assume that the home versions will keep getting security updates until all non-contractual support ends for Vista. I think Microsoft has given Vista users enough shaft that they don't need to cut off security updates even when they're still being developed, tested and released for the Business and higher classes. Until then, it really just means that there's no promise to keep developing new stuff for the OS like Internet Explorer and Windows Live Essentials.

kevpan815 said,
A lot of people don't know this, but all versions of Windows Vista except Business and Enterprise Sunset next year whereas All Versions of Windows XP don't sunset till 2014 because Microsoft extended home versions of Windows XP 2 NOT expire until Extended Support ends 4 XP however they did not do the same 4 Vista and 7 yet! Only Business and Enterprise get extended support 4 Vista and only Professional and Enterprise editions get extended support for 7! They will expire in 2017 and 2020.

Looks like you're not looking properly. The Microsoft lifecycle webpage says that Extended Support for Vista ends 2017 for Business and Enterprise, while there is no date for the other editions. XP is already in Extended Support (unlike Vista, which has MAINSTREAM support now) and this ends in 2014.

Microsoft supports home user Operating Systems for 5 years as Mainstream Support, and then they offer Paid Support on Business Operating Systems only for an additional 5 years as Extended Support 4 Windows. WP7 might be different however as Cell Phone Technology frequently changes more rapidly than computers.

kevpan815 said,
Microsoft supports home user Operating Systems for 5 years as Mainstream Support, and then they offer Paid Support on Business Operating Systems only for an additional 5 years as Extended Support 4 Windows. WP7 might be different however as Cell Phone Technology frequently changes more rapidly than computers.

Please use the "Reply" button when responding to another post. It makes it difficult to figure out what you're referring to otherwise.

It is now very interesting how quickly MS will update WP7's IE with this CRL. I expect not more than 2 years.

cpu said,
It is now very interesting how quickly MS will update WP7's IE with this CRL. I expect not more than 2 years.

Didn't MS release an update to the CRL two days ago? Doesn't IE use the Windows certificate manager?

warwagon said,

Is that an optional update or an automatic update? I don't think my media center has installed it. It would usually do so at night.

Was automatic I think.

Lucas said,
Damn, close one!

Recently I am reading about serious security issues around, RSA secureID, certificates, DNS, all internet traffic passing by 'some' country for a period of time....

so hear Engineers & Developer: Security is serious, be more careful !!!

ramik said,

Recently I am reading about serious security issues around, RSA secureID, certificates, DNS, all internet traffic passing by 'some' country for a period of time....

so hear Engineers & Developer: Security is serious, be more careful !!!

All this points us to the fact to just switch over to IPv6 and not live in the cave. IPv6 is more secure too, isn't it. So what are we saving on and risk ourselves. It's like using rocks against a tank.