Rogue SSL certificates issued by Comodo
Posted by Patrik Runald on 25 March 2011 04:28 AM
SSL certificates are used to validate the identity of a Web site to users. Yesterday Comodo, a certificate vendor, announced that nine SSL certificates had been bought and issued for the following domains:
Comodo added the rogue certificates to their Certificate Revocation List (CRL) on the evening of March 15, 2011, and Microsoft, Mozilla and others have released updates to their browsers since then.
What does this mean?
The rogue SSL certificates could have been used to set up Web sites that provide fake login services for the services listed above (Gmail, Yahoo, Live, Skype etc). By doing that, whoever was behind this could steal user names and passwords even though the traffic was encrypted with SSL, and the user wouldn't notice anything was wrong. With the updated CRL, the user would get a warning when visiting a site that uses any of the rogue certificates and would hopefully not enter any credentials.
Comodo states in their report that a user account at one of their affiliate partners was compromised and used to issue the rogue certificates. The attacker used several IP addresses when doing this, but mainly used an IP address from Iran. According to the investigation done by Comodo the attacker was very quick to issue the certificates, knew exactly which domains to issue them for, and didn't waste any time when doing this.
How do Websense products protect users?
Users who have Windows Update enabled will receive the updated CRL automatically for Internet Explorer, and if you have automatic updates enabled for any other browser it will download the CRL as well. Our products also have the ability to check the validity of an SSL certificate, and the benefit of doing that is that the product does it for all users, regardless of which browser they use and whether or not they have the update. This feature is not enabled by default in Websense Content Gateway, so follow the steps below to enable CRL verification.
If the automatic download was disabled, we recommend that you force an update to make sure the latest CRLs are downloaded. If the download was already enabled, you don't have to do this, as the updated CRL from Comodo was released on March 15 and your Websense product will already have it installed. Whether or not you have CRL verification turned on, the Advanced Classification Engine will scan the content from any site, including those using the rogue SSL certificates, as long as you have SSL inspection turned on, and block all malicious code.
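The lifecycle the post describes (a certificate is issued, the issuer later revokes it, and a client that has the fresh CRL rejects it while one without it does not) can be walked through locally with a throwaway CA. This is an added example, not code from the Websense post or a Websense product; "Demo CA" and login.example.test are constructed placeholders, and it assumes the openssl command-line tool is installed.

```shell
set -e

# Build a throwaway CA in directory $1 and issue one leaf certificate from it.
setup_demo_ca() {
    mkdir -p "$1/certs"; : > "$1/index.txt"; echo 01 > "$1/serial"
    cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
database = $1/index.txt
new_certs_dir = $1/certs
serial = $1/serial
certificate = $1/ca.crt
private_key = $1/ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = cn_only
[ cn_only ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" -config "$1/ca.cnf" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=login.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" -config "$1/ca.cnf" 2>/dev/null
    openssl ca -batch -config "$1/ca.cnf" -in "$1/leaf.csr" -out "$1/leaf.crt" >/dev/null 2>&1
}
# Verify the leaf against the CA; if a CRL has been published, consult it too.
# Prints "ok" or "rejected".
check_leaf() {
    crl=""; if [ -f "$1/crl.pem" ]; then crl="-crl_check -CRLfile $1/crl.pem"; fi
    openssl verify $crl -CAfile "$1/ca.crt" "$1/leaf.crt" >/dev/null 2>&1 && echo ok || echo rejected
}
# Revoke the leaf and publish a CRL, which is what an issuer does after a mis-issuance.
revoke_leaf() {
    openssl ca -config "$1/ca.cnf" -revoke "$1/leaf.crt" >/dev/null 2>&1
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" >/dev/null 2>&1
}
# Issue, verify, revoke, re-verify; prints both verdicts, e.g. "before=ok after=rejected".
crl_demo() {
    d=$(mktemp -d); setup_demo_ca "$d"
    before=$(check_leaf "$d"); revoke_leaf "$d"; after=$(check_leaf "$d")
    rm -rf "$d"; echo "before=$before after=$after"
}
crl_demo
```

A client that never fetched crl.pem keeps answering "ok" for the revoked certificate, which is exactly why the post insists on forcing the CRL update.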