Accidentally Issued Fraudulent Certificates Could Help Phishers

Today, Microsoft released a Security Advisory warning that Comodo — one of their Windows Trusted Root Certification Authority partners — had accidentally issued nine fraudulent digital certificates for some very popular domains.

When you visit a site over HTTPS, its digital certificate helps assure you that the site really is the one you think it is. Phishers often try to spoof popular sites in order to steal your credentials. Certificates help prevent this: your browser warns you when a site presents a certificate that doesn't match its domain name, or that wasn't issued by a Certification Authority (CA) your system trusts.

Unfortunately, Comodo mistakenly issued genuine, CA-signed digital certificates for some very popular domains to an unknown third party. Because a trusted authority really did sign them, browsers accept these certificates as valid even though the holder has no right to the domains they name.

The affected domains or web properties include:

  • login.live.com
  • mail.google.com
  • http://www.google.com
  • login.yahoo.com (3 certificates)
  • login.skype.com
  • addons.mozilla.org
  • “Global Trustee”

This means an attacker in possession of these certificates can use them to build very convincing spoofed sites for those domains, or to carry out Man-in-the-Middle (MitM) attacks against them, without triggering the certificate warnings that would normally expose the fake. The certificate alone does not put the attacker in your traffic path; they still have to redirect you to their server, for example through DNS poisoning or a rogue wireless access point. Once they have, though, nothing in the browser's ordinary certificate check will stop them.

That said, Comodo has already revoked the fraudulent certificates. If your web browser supports the Online Certificate Status Protocol (OCSP), and you've enabled it, your browser should refuse connections to sites presenting these certificates. One caveat: most browsers treat an unreachable OCSP responder as a "soft" failure and proceed anyway, so an attacker who already controls your network path may be able to block the revocation check. That is why the Windows update is worth installing as well.

Furthermore, Microsoft has released a Windows update that moves these certificates into the Windows Untrusted Certificates store, so Internet Explorer and other software that relies on the Windows certificate store will reject them regardless of whether an OCSP check succeeds. If you have enabled automatic updates, you may have already received it. Otherwise, be sure to download and install it. Once you install Microsoft's update and/or enable OCSP, these fraudulent certificates should pose no threat to you.
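The threat and the remedy described above can be reproduced end to end with a throwaway CA. The script below is an added example, not part of the original post or of anything Comodo or Microsoft published: it issues a certificate for login.live.com from a CA it creates on the spot (standing in for a trusted root), shows that chain and host-name validation accept that certificate because nothing about it is technically invalid, then revokes it and shows that only a client which actually checks revocation status rejects it. It assumes the `openssl` command-line tool (1.1.0 or newer) is installed; the CA name, file names, and the CRL used in place of an OCSP response are all made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a throwaway CA and issues
# a certificate for login.live.com: technically valid, because a "trusted"
# CA really signed it, but one that should never have existed. Then shows the
# only control that catches it: a revocation check. All names are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config so `openssl ca` can sign leaf certificates and issue CRLs.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
serial           = $dir/serial
crlnumber        = $dir/crlnumber
default_md       = sha256
default_days     = 30
default_crl_days = 7
policy           = loose
x509_extensions  = leaf_ext

[ loose ]
commonName = supplied

[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no

[ dn ]
CN = placeholder

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign

[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
subjectAltName   = DNS:login.live.com
EOF

mkdir newcerts
: > index.txt
echo 1000 > serial
echo 01 > crlnumber

# Throwaway root CA (stands in for a root your browser trusts).
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 30 \
  -subj "/CN=Demo Root CA" -keyout ca.key -out ca.crt >/dev/null 2>&1

# The "fraudulent" request: the requester proved nothing about owning
# login.live.com, yet the CA signs it anyway.
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
  -subj "/CN=login.live.com" -keyout leaf.key -out leaf.csr >/dev/null 2>&1
openssl ca -batch -config ca.cnf -notext -in leaf.csr -out leaf.crt >/dev/null 2>&1

# verify_leaf HOST [CRLFILE]  -> prints OK, REVOKED, or FAIL
# Mirrors what a browser does: chain to a trusted root, match the host name,
# and, when revocation data (here a CRL, in a browser OCSP) is available,
# check it.
verify_leaf() {
  host=$1; crl=${2:-}
  if [ -n "$crl" ]; then
    out=$(openssl verify -CAfile ca.crt -CRLfile "$crl" -crl_check \
            -verify_hostname "$host" leaf.crt 2>&1 || true)
  else
    out=$(openssl verify -CAfile ca.crt -verify_hostname "$host" leaf.crt 2>&1 || true)
  fi
  case $out in
    *"certificate revoked"*) echo REVOKED ;;
    *": OK"*)                echo OK ;;
    *)                       echo FAIL ;;
  esac
}

# 1. Before revocation: signature valid, name matches -> accepted.
#    This is exactly why the mis-issued certificates were dangerous.
BEFORE=$(verify_leaf login.live.com)

# 2. The name check still does its own job: this certificate is useless
#    against a host it does not name.
WRONG_HOST=$(verify_leaf www.example.net)

# 3. The CA's remedy: revoke and publish. Only a client that fetches and
#    honours revocation data sees any difference.
openssl ca -batch -config ca.cnf -revoke leaf.crt >/dev/null 2>&1
openssl ca -batch -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
AFTER=$(verify_leaf login.live.com ca.crl)
NO_CRL_CHECK=$(verify_leaf login.live.com)   # a client that skips revocation

echo "before revocation:                $BEFORE"
echo "wrong host name:                  $WRONG_HOST"
echo "after revocation, with CRL check: $AFTER"
echo "after revocation, no CRL check:   $NO_CRL_CHECK"
```

Save it as a file and run it with `sh`. The last line is the case this post warns about: a revoked certificate that a client still accepts because it never asked whether the certificate had been revoked. Enabling OCSP in the browser, or having Windows distrust the certificates outright, is what closes that gap.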

[UPDATE] Comodo has apparently had trouble with certificate issuance before.

Corey Nachreiner, CISSP (@SecAdept)


About Corey Nachreiner

Corey Nachreiner has been with WatchGuard since 1999 and has since written more than a thousand concise security alerts and easily-understood educational articles for WatchGuard users. His security training videos have generated hundreds of letters of praise from thankful customers and accumulated more than 100,000 views on YouTube and Google Video. A Certified Information Systems Security Professional (CISSP), Corey speaks internationally and is often quoted by other online sources, including C|NET, eWeek, and Slashdot. Corey enjoys "modding" any technical gizmo he can get his hands on, and considers himself a hacker in the old sense of the word.
