Como–D'oh! Infosec duo exploits OCR flaw to nab a website's HTTPS cert

Two European security researchers exploited Comodo's crappy backend systems to obtain a HTTPS certificate for a domain they do not own. That cert could be used to impersonate the website, allowing passwords and other sensitive information to be swiped from victims in man-in-the-middle attacks. The infosec bods, Florian Heinz …

  1. Jim Mitchell
    FAIL

    "Instead, that data is displayed as text in an image that can be easily read by a person but not pulled by bot."

    Seems the fail is partially at the WHOIS service end, in using a font that is ambiguous.

    1. Doctor_Wibble
      Megaphone

      just the font?

      Or possibly a problem in that a business needs data from another business and does not have some proper arrangement whereby they get the actual data instead of the proverbial faxed photocopy of a five pound note.

      Just to be a bit devil's-advocate here, are Comodo a true villain here or simply a victim (admittedly unwise) of the circumstances?

      1. Lee D Silver badge

        Re: just the font?

        Well, I once signed up a school for Microsoft's volume licensing program.

        The sign-up is all electronic, they verify everything via Microsoft Live accounts, you log into the VLSC with those same accounts, you add others (e.g. billing) via the same accounts, and so on.

        At no point do you fill out a piece of paper or write anything down.

        Yet, one year when I was signing a school up they were taking forever. We eventually got to the bottom of it - someone had "misspelled" administrator in our email address. My first question was, how the hell have you misspelled a word that we've only submitted ever to you electronically?

        Someone at Microsoft sits and types in volume licence administrator email addresses by hand, from entirely electronic forms and emails.

    2. Ken Hagan Gold badge

      It's not the wrong font. It's the wrong text. Alongside "Il1.com" the image should give the Unicode values of the characters as hex values. Any OCR software that couldn't read *that* would be unworthy of the name.

  2. Anonymous Coward
    Childcatcher

    So:

    * Someone wants an internet presence and registers an address.

    * They want a SSL cert to assert their identity

    * They want to remain anonymous

    "The issue, it seems, is due to privacy protections in place on the .eu and .be domains. In order to prevent the scraping of contact details, some registries and registrars do not allow automated WHOIS lookups to pull email addresses. Instead, that data is displayed as text in an image that can be easily read by a person but not pulled by bot."

    You can't both be who you say you are and remain anonymous. So Comodo should not put in a funky bodge unless it really is human or as good as.

    1. tom dial Silver badge

      The obvious replacement of the OCR by humans seems likely to bring a positive error rate as well, quite possibly in the same range as the OCR system. It is not even unlikely that the human error rate would be larger as they get fatigued, unlike the OCR software.

      1. PNGuinn
        FAIL

        Hooman errer

        "The obvious replacement of the OCR by humans seems likely to bring a positive error rate as well, quite possibly in the same range as the OCR system. It is not even unlikely that the human error rate would be larger as they get fatigued, unlike the OCR software."

        Quite. .... With the work outsourced to the best people available on the globe - oops - I mean somewhere with the cheapest possible labour rates where the cross eyed staff work 29 hour days squatting in a shed lit by the equivalent of a couple of hurricane lamps trying to parse a character set totally different to that used by their own language ....

        Internet of 'fings. That'll fix it. Well, someone had to say it.

    2. Anonymous Coward
      Anonymous Coward

      not quite

      They don't always want to remain anonymous-- probably they want their registrar to not routinely give out their email address to harvesters as ASCII/UTF-8/etc. I think.

    3. Jon 37
      Boffin

      > "a SSL cert to assert their identity"

      > "You can't both be who you say you are and remain anonymous."

      Normal SSL certificates don't have anything to do with real-world identity, so they can certainly be anonymous.

      Normal SSL certificates assert that "the person who has the private key matching public key 12345 is the owner of example.com". This is called "Domain Validation", or DV, and is the most common kind of SSL certificate.

      There's also Extended Validation (EV) certificates, which check the real-world identity of the company. They assert that "the person who has the private key matching public key 12345 is Example Corporation and is the owner of example.com". In that case, the browser's address bar will go green and show the company name. These certificates are much more expensive, because the CA has to do more manual checking of identity.

      1. Destroy All Monsters Silver badge

        These certificates are much more expensive, because the CA has to do more manual checking of identity.

        In the case of Comodo, they also want you to sign a contract that is ridiculously unacceptable even to the non-legal eye ("if there is a problem, you pay us damages and we owe you nothing"), but that's just by-the-by.

  3. Kevin McMurtrie Silver badge

    Blame the registrar too

    So some registrars are displaying e-mail addresses as images to prevent automated harvesting, and those images are harvested with less than perfect reliability. It sounds like 100% of the blame should be put on those registrars for implementing a solution that breaks things to fix nothing.

  4. frank ly

    Trust?

    Can't organisations like Comodo be 'whitelisted' by the registrars so they can look up entries? They could do this for multiple offices by redirecting their enquiries through a single whitelisted IP address.

    1. G2
      Black Helicopters

      Re: Trust?

      that trust is regularly abused...what makes you think that the trust endpoint won't receive a secret order that forces it to harvest data?

      Cisco's firmware&hardware has been regularly backdoored while in transit, the Lavabit debacle, the current Microsoft-overseas-data jurisdiction issue and the recently revealed gag&spy company-wide email interception at Yahoo! proved beyond all doubts that such a whitelist/endpoint can and WILL be abused by Uncle Sam.

      Comodo is no different in this aspect than Cisco, Yahoo, Microsoft or Lavabit ... they all are (or were) US-registered companies and at the mercy of the secret gag&spy orders.

      Comodo:

      Registrant Organization: Comodo Group, Inc.

      Registrant Street: 1255 Broad Street

      Registrant City: Clifton

      Registrant State/Province: NJ

      Registrant Postal Code: 07013

      Registrant Country: US

      1. frank ly

        Re: Trust?

        So, the secret tentacles of the US government would subvert Comodo as part of their nefarious plans to find out who owns various websites. Their evil, and their inefficiency, knows no bounds.

        1. Destroy All Monsters Silver badge
          Alien

          Wickus!

          I hope someone will make a YouTube video about websites secretly held by aliens that the govnmt doesn't want to tell us about.

          Maybe with alien pr0nz excerpts.

          1. brotherelf

            Re: Wickus!

            "Maybe with alien pr0nz excerpts."

            That part of your wish has been granted: somebody's taken a good deep look at the neural-net mechanisms Yahoo!1!! uses for NSFW detection and has come up with, errr, false positives, I guess: https://open_nsfw.gitlab.io/

    2. PNGuinn
      Pirate

      Re: Trust?

      "Can't organisations like Comodo be 'whitelisted' by the registrars so they can lookup entries? They could do this for multiple offices by redirecting their enquiries through a single whitelisted IP address."

      And how many of those "organisations" would YOU trust?

    3. Alan J. Wylie

      Re: Trust?

      The last paragraph of Comodo's report (linked to by the original article):

      Comodo finds it regrettable that some registries choose to offer a port 43 WHOIS service which redacts information for all registrants which even the registry themselves would normally consider to be public. We find it even more regrettable that a sub-set of those registries refuse to consider offering unredacted access to that information even when contractual and/or commercial terms (including binding restrictions on the use of that information) are offered.

      1. Doctor_Wibble
        Thumb Up

        Re: Trust?

        Well spotted, a million upvotes for getting that far.

        I had wondered WTF was going on that they couldn't get actual data and although that answers the question it's borderline unbelievable (or on reflection maybe it isn't) that businesses could have such uselessness in their paid-for services.

  5. Mage Silver badge

    Il

    Capital i and small L

    Never mind 1 I and l

    1. Solmyr ibn Wali Barad

      Or the endless fun with two same-looking "I" characters in the Turkish language.

      mattryall.net/blog/2009/02/the-infamous-turkish-locale-bug

      haacked.com/archive/2012/07/05/turkish-i-problem-and-why-you-should-care.aspx/

      Plenty of opportunities for using them in cybersquatting and scams.
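An added check, written for this thread and not taken from the article, Comodo's report or any commenter: it flags the glyphs the thread calls out (capital I, lowercase l, digit 1, O and 0) in an OCR-extracted address, renders the address as hex code points as Ken Hagan suggests above, and compares addresses with casefold() so that the Turkish dotless i does not collide with a Latin i the way str.upper() makes it. The confusable groups and the sample addresses are constructed assumptions.

```python
import unicodedata

# Assumed confusable groups: glyphs that OCR (or a tired human) can swap.
CONFUSABLE_GROUPS = [
    {"I", "l", "1"},   # the Il1.com case from the article
    {"O", "0"},
]


def hex_codepoints(text: str) -> str:
    """Render text as space-separated U+XXXX values, the unambiguous
    companion to the image that Ken Hagan proposes."""
    return " ".join(f"U+{ord(ch):04X}" for ch in text)


def confusable_positions(text: str) -> list:
    """Return (index, char, alternatives) for every character that an
    OCR pass could have misread; empty means no ASCII look-alike risk."""
    hits = []
    for idx, ch in enumerate(text):
        alts = set()
        for group in CONFUSABLE_GROUPS:
            if ch in group:
                alts |= group - {ch}
        if alts:
            hits.append((idx, ch, sorted(alts)))
    return hits


def ocr_ambiguous(ocr_email: str) -> bool:
    """True when the OCR result could have come from a different address:
    any confusable glyph, or any non-ASCII character (e.g. U+0131)."""
    return bool(confusable_positions(ocr_email)) or not ocr_email.isascii()


def same_address(a: str, b: str) -> bool:
    """Locale-independent, case-insensitive comparison. str.upper() maps
    the dotless i (U+0131) to 'I', so an upper()-based comparison would
    treat 'ı' and 'i' as equal; casefold() keeps them distinct."""
    na = unicodedata.normalize("NFC", a).casefold()
    nb = unicodedata.normalize("NFC", b).casefold()
    return na == nb


# Constructed samples (not real addresses); the third uses U+0131.
SAMPLES = ["admin@example.com", "admin@Il1.com", "adm\u0131n@example.com"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, hex_codepoints(s), confusable_positions(s), ocr_ambiguous(s))
```

Note that even the plain "admin@example.com" sample trips the check because of the "l" in "example", which is the thread's point: most addresses contain at least one glyph an OCR step can get wrong.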

  6. JeffyPoooh
    Pint

    It worked exactly as intended...

    Difficult for bots to read.

    Success!

    LOL

  7. Gene Cash Silver badge
    Coat

    So next Comodo will be putting them up as home-brew captchas?

  8. Paul

    Here be K/Comodo dragons!
