Extremely sophisticated hackers, possibly from the Iranian government or another state-sponsored actor, broke into the servers of a web authentication authority and counterfeited certificates for Google mail and six other sensitive addresses, the CEO of Comodo said. The March 15 intrusion came from IP addresses belonging to an …
Comodo declining to name the reseller
means that they themselves must be considered compromised. Worse is that private keys to other-CA signed signing certificates are also compromised. And they're not telling which there either.
Though users of ie and anything else that uses the windows certificate store aren't helped by knowing which certificates are compromised: Removing them yourself just results in the relevant micros~1 processes silently(!) adding them back(!) at the next store access or windows update. It's clearly not up to you who to trust, according to them.
The whole PKI is rife with this sort of silliness, and is why I don't think the whole thing does what it says on the tin. It's merely a way to expensively sell numbers that cause your domain name in the browser bar to turn gold or green or whatever the colour of the week is. And ultimately, that doesn't mean Joe Average User is supposed to understand what it means.
So what's the basic problem with SSL? Well, it's built for function. If it doesn't work, it doesn't work and blocks people from what they want to do, causing popups or errors-within-the-browser-window that mainly serve to annoy, not inform, the end user. CRLs work the same, but have opposite function. When that doesn't work, compromised certificates slip through. A rather insidious hole to abuse.
The exciting crypto part is reasonably well-tested though even things like side-channel attacks aren't to be ruled out. But certificate handling remains the boring, neglected part. It starts with hopelessly convoluted attributes and whatnot that make its encoding, chew toy ASN.1, look sane by comparison. Few people know what any of that even means, nevermind the variations by which various browsers interpret it all. CRLs? Don't work. Meaningful error messages? Say what? You're lucky the browser bar may or may not change colour. Clear paths to recover from compromise? Ha ha!
And the kicker? The very model. Pay some shady company like verisign an exorbitant sum to issue a certificate for a year --meaning compromise will last that long too, worst case-- that is supposed to protect you from, well, those they don't take money from. They're a commercial entitiy. Systemic safety built in right there.
That certificate issuing thing isn't special; just about any SSL implementation can do it. With openssl or mozilla's nss installed (that you get "free" with most mozilla's other software) you have the tools. But if you do you'll just get nagged at by your browser, by comparison unreasonably much nagged at.
The thing that makes CAs special is having a self-signed signing certificate stuffed in the world's certificate databases as "trusted". Go take a look in your browser's certificate store. How many of those "trusted" CAs would you trust? Have you any idea what sort of sites they issue certificates for? Or how they do it? Therefore, do you know what it means, what standards they applied? Have you made informed judgements on whether you wish to trust any of them? Provided you can, which in the case of the micros~1 store you plain can't; in other cases the process is so obscure only PKI geeks bother.
The CA structure behind SSL remains more accidents waiting to happen. I'm surprised it doesn't happen far more often. Then again, crypto nerd Appelbaum only noticed when he actively started to look. Appelbaum's page is quite interesting, and not just because of what he did: Notice how just finding out the compromises is something that has just about everyone not into that have their eyes thoroughly glaze over.
The elephant in the room, though, is the curious silence and covering of the root CA for the compromised RA (USERTRUST), and the large browsers doing exactly the same. Why?
They're commercial entities, so why not apply "free market" on this end, too? Probably because of (perceived) interests with other clients, or even interest in protecting this house of cards, excuse me, valuable security system. Perchance free market doesn't work so well for this. So perhaps we should stop paying CAs or their resellers so much. Maybe time for a different model, and do away with PKI and its associated commercial circus, no?
Wasn't there an issue with COMODO (or one of its lucrative resellers) several years ago? For the longest time, after every windowsupdate/firefox update, I would manually re-delete all of the COMODO CAs from both IE and FF.
SSL itself is ok. The problem is and always has been the CA handling and "chain of trust" problem. The system is broken and anyone with a reasonable knowledge of this stuff knows that it's been broken since day 1. As the OP says though, there's way too much money involved in the business to let anything like "fit for purpose" get in the way. It's a scam. Pure and simple.
The only certificates you can truly trust are those that you issue and sign yourself. Anything else is just paying someone somewhere for ...well ...for what exactly? What does your hard-earned buy you when you go to someone like Verison? Very little indeed. And hugely overpriced very little with it.
"investigators have determined that other non-Comodo accounts held by the partner were also compromised around the same time."
So someone who works at the un-named partner was in on the heist. Solves the mystery nicely if you ask me (which, I'm forced to concede, you didn't).
There are always going to be inside jobs, as long as people work for companies.
I don't run a root CA
I simply have a self signed CA that I use internally. The files required to generate a new certificate are never used on a machine that itself is connected to the internet, which is common advice when setting up your own CA. funny how none of the big boys follow it.
You'd think for upwards of $300 a cert, they could pay someone to take the order from one machine to another machine physically, either on disk or hard copy, and then collect the generated keys from the disconnected system and distribute them to customers. You would have vastly reduced risk..
Course, that would cost actual money, so forget that..
Easier than that, just have a NIC with an unplugged ethernet cable. When that (random!) time of the day comes to process certs, plug it in, hit the xfer button to dump the requests onto the machine, unplug the cable, process, plug in and xfer the results, unplug. Not as sure-fire as a "never plugged in" computer (which, btw has to get updates somehow, right?). Likely better to have said computer behind a firewall and physically plug/unplug the firewall from the rest of the network when needed. Then, if there's a lurking h4x0r program on the network, it will have only a couple minutes to defeat the firewall that was practically unknown to begin with....It beats having to sneakernet everything, but likely not secure enough for the NSA or CIA to be happy....
Stupid Scheme Anyway
The X.509 PKI fails because it assumes we can trust CAs without any contract.
If you look in the trust certificates of your browser you will find authorities you have never heard of (Belgacom?) They just pay money to Microsoft or Mozilla to be there.
And even when you have heard of them -- like Comodo -- they have no obligation to you, the person who actually has to rely on the trust. Even if they were negligent, I can't see you getting very far with any sort of a damages claim.
The only other situation I can think of which is remotely as poisonous is the relationship between rating agencies and bond investors. And look where that led!
(And don't get me started on the assumption that web site operators have the skills to keep control of their private keys in a hosted environment!)
anyone skilled enough to break into remote computers is certainly more than capable of masking his actual ip (and make it look like the attack originated pretty much anywhere in the world).
smells of anti-iran propaganda and smear campaign as usual but dumb masses are easy to fool
And your post
smells of pro-Iran propaganda.
Are they sure its from Iran...
...and not someone using a proxy server to bounce off to make it look like its from another country?
"anyone skilled enough to break into remote computers is certainly more than capable of masking his actual ip (and make it look like the attack originated pretty much anywhere in the world)."
Very true, but Iran sounds more interesting than Russia or China in a press release. If this was the case, there's unlikely a way of finding out, since Iran isn't a particularly co-operative nation at the moment ;)
Hopefully not a stupid question but...
Let's say I have a fake mail.google.com website with a fake certificate on it so far so good. But won't I then face the problem that people won't get to my site as the IP address will be wrong?
...the next step would be to poison the DNS? Just a thought
Given the selection of sites and the paranoia of the middle east, the ability to intercept local traffic (that is local to where you can control the DNS ) might come in handy if you happened to have a popular revolt on your hands. All that lovely Tweeting would go down the bit bucket if your tweets never left the country and were easily read by the local constabulary. Same goes for mail ...
What should I do?
As a layman, do I need to do anything? Or if Comodo et al have revoked the compromised certificates is it all ok now?
Should I delete my Comodo certificates from my browser? Will anything break if I do?
The simple fix is in upgrading your browser.
Chrome and mozilla now both have blacklisted the forged certificates. It's hardcoded so it's a pretty poor fix and another big sign the non-hardcoded way (CRLs) just isn't cutting it. micros~1 also has "fixes" which you need since manually removing comodo's root certificate --while a nice and big hammer, perhaps a bit much so, and really ought to work-- doesn't work because the windows certificate store has "managers" that undo your removals silently and behind your back. The others' certificate stores you could remove the comodo root certificate from but that's not exactly something you'd let lay people do. The tools are there but finding out how they work is a bit involved as the documentation is very poor. Both needlessly so, IMO, but that's a different discussion.
So, the bottom line is that you need to update to the very latest of whatever browser you're using.The updates won't even tell you outright that this is the issue they're addressing, so you get to hope you have the right updates, and that they fix the issue. But realistically, updating is all you can do.
I'll just wait to see if Opera release an update soon.
The compromised certificate is...
L=Salt Lake City
O=The USERTRUST Network
Boycott COMODO - this is unbelievabe ARROGANCE even AFTER the worst just happened...?
It's interesting: you keep rejecting my post about calling for a boycott of these fools...
bread and circuses for the public
But Comodo gives us a free Windows firewall and antivirus package.
Just a cyber war proof-of-concept exploit
Scenarios for a full-blown cyber war abound.
Iranians? I doubt it.
So these super advanced hackers didn't use someone elses computer network to do their work?? Doesn't that sound a little bit unlikely?
Either they aren't super advanced hackers or they aren't Iranian. They can't be both.
Smells like a smear campaign to me. More likely to be be anyone but the Iranians.
More likely to be Russian, Chinese, US or Israeli given recent developments in cyber-terrorism.
STUXNET CROSSBREEDS WITH WATSON, AWAKENS, STEALS CERTIFICATES!
Also implicated in Fukushima incident. Film at 11!
Have the other browser authors updated their trusted CA roots? (Apple [Safari], Opera, KDE [Konqueror] and Gnome [Epiphany] et al).
Who's CA was removed by Mozilla's update (probably the easiest to check).
- Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
- Batten down the hatches, Ubuntu 14.04 LTS due in TWO DAYS
- Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
- Feast your PUNY eyes on highest resolution phone display EVER
- AMD demos 'Berlin' Opteron, world's first heterogeneous system architecture server chip