CA issues no-questions asked Mozilla cert

Snafu highlights wider trust problem

A security researcher has shown that a low-assurance (domain-validated) digital certificate can be obtained for a domain the applicant does not control, a weakness in the issuing process that gives miscreants a means to mount far more convincing man-in-the-middle (MITM) attacks.

MITMs involve a hacker planting himself between two parties in a dialogue, relaying messages between them and effectively controlling the conversation. The approach might be used, for example, to trick a user into handing over online banking login credentials in the mistaken belief that they are talking directly to a financial institution.

Normally a fraudster site in this kind of scenario has to present a self-signed certificate or one from an issuer the browser does not trust. The browser then shows an error or warning that flags the problem, at least to the more internet-savvy.

Those warnings disappear if the miscreant can obtain a certificate for the target domain from an issuer the browser already trusts. The browser checks only that the chain leads to a trusted root and that the name in the certificate matches the site; it has no way of knowing whether the CA was right to issue it.
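To make that client-side decision concrete, here is an added example (not code from the article, from Nigg, or from Comodo, Mozilla or StartCom) written against Python's standard ssl module. It performs the two checks a browser performs, a trusted chain and a matching name, and then a certificate-fingerprint pin, the kind of operator-supplied check that still catches a certificate a trusted CA should not have issued. The host, port and pin set are assumptions supplied by the caller; the certificate dictionary used for testing is constructed to mirror the shape that getpeercert() returns.

```python
"""Client-side view of the attack in the article: what a browser checks, and a
fingerprint pin as the extra check that still catches a mis-issued but trusted
certificate. Added example, not code from the article, Nigg, Comodo, Mozilla or
StartCom; hosts, ports and pins are assumptions supplied by the caller."""
from __future__ import annotations

import hashlib
import socket
import ssl


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, as lower-case hex."""
    return hashlib.sha256(der).hexdigest()


def pin_matches(der: bytes, pins: set) -> bool:
    """A certificate a trusted CA should not have issued is still a different
    certificate (different key, serial and signature), so its DER blob and
    fingerprint differ from the one the operator recorded on a good connection."""
    return fingerprint(der) in pins


def names_from_cert(cert: dict) -> list:
    """DNS names a certificate claims, from the dict shape returned by
    ssl.SSLSocket.getpeercert(): subjectAltName DNS entries first, then the
    subject commonName as the legacy fallback. Order kept, duplicates dropped."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                names.append(value)
    return list(dict.fromkeys(names))


def hostname_allowed(names, host: str) -> bool:
    """Name matching the way browsers do it: case-insensitive exact match, or a
    single leading wildcard label standing for exactly one label."""
    host = host.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "." in host and name[2:] == host.split(".", 1)[1]:
            return True
    return False


def check_peer(host: str, pins: set, port: int = 443, timeout: float = 10.0) -> dict:
    """Connect over TLS and report the browser's two decisions (chain trusted,
    name matches) plus the pin decision the browser does not make."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    with socket.create_connection((host, port), timeout=timeout) as raw:
        try:
            tls = ctx.wrap_socket(raw, server_hostname=host)
        except ssl.SSLCertVerificationError as exc:
            # Self-signed or unknown-issuer certificate, or a name mismatch:
            # what the fraudster normally gets and what the user sees as a warning.
            return {"trusted": False, "name_ok": None, "pinned": False, "reason": str(exc)}
        with tls:
            der = tls.getpeercert(binary_form=True)
            cert = tls.getpeercert()
    names = names_from_cert(cert)
    return {
        "trusted": True,                           # chain leads to a trusted root
        "name_ok": hostname_allowed(names, host),  # name matches (the stdlib checked this too)
        "pinned": pin_matches(der, pins),          # the only check that catches mis-issuance
        "fingerprint": fingerprint(der),
        "names": names,
    }


if __name__ == "__main__":
    # Needs network. Record the fingerprint of a known-good connection first and
    # pass it as the pin on later connections; the empty pin set below means any
    # certificate reports pinned=False.
    print(check_peer("mozilla.com", set()))
```

A certificate mis-issued by any trusted root for the right name passes both `trusted` and `name_ok`, which is exactly the "no warning and no error" outcome the article describes; only `pinned` reports the substitution, and only if the pin was recorded before the attacker's certificate was ever presented.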

You might think security credential firms would be wise to this kind of ruse, and in most cases they probably are, but security blogger Eddy Nigg discovered that he was able to get a low-assurance digital certificate for Mozilla.com. The certificate was issued by a reseller of digital certificate firm Comodo. Nigg was shocked that the approach was successful.

"Five minutes later I was in the possession of a legitimate certificate issued to mozilla.com - no questions asked - no verification checks done - no control validation - no subscriber agreement presented, nothing," he writes.

"With the understanding about MITM attacks, the severity of this practice is obvious. No encryption is worth anything if an attacker can implant himself between the client and the server. With a completely legitimate and trusted certificate, the attack is perfect. No warning and no error."

Nigg got the idea of asking for a certificate in the name of Mozilla after obtaining another certificate from the same reseller in the name of his own firm, Startcom, in order to investigate a separate fraudulent reminder email problem.

Comodo revoked the offending certificate after Nigg posted his findings on the mozilla.dev.tech.crypto mailing list and in a blog posting with screenshots. An incident report on the issue has been filed with Mozilla.

In a statement, Comodo said that it had suspended the reseller involved in the incident as part of a wider investigation.

The certificates were obtained by a competing Certificate Authority (“CA”) attempting to demonstrate a perceived vulnerability in one of our Registration Agent’s (“RA”) systems and procedures. In this isolated incident the certificates were issued as a result of the RA’s automatic DV mechanism being bypassed by an accident on their part. Fortunately the CA did not intend to and did not use the certificates in a commercial setting. As soon as Comodo discovered the error with the certificate, the certificate was revoked and the RA’s account with Comodo was suspended eliminating any chance that the mistake could be repeated. Comodo immediately launched an internal investigation to find the cause of the mis-issued certificate.

The mis-issued certificates are anomalies. Comodo and its partners issue thousands of correctly validated certificates each month. The RA’s account will remain suspended until Comodo is satisfied that the certificates issued were the result of unintentional errors made by the RA and that any vulnerability in the RA’s systems and procedures has been eliminated.

The limits of low-assurance certificates are well known and are the reason vendors offer more expensive extended validation (EV) certificates, for which an applicant's legal identity and bona fides are checked. A domain-validated (DV) certificate is only meant to attest that the applicant controls the domain name, which is still enough to stop this attack when the check is actually performed. That a DV cert might be issued without any checks whatsoever does, however, come as something of an eye opener.

Comodo said that it was pushing for minimum standards for domain validation (DV) certificates.

The problem illustrated in this unfortunate event highlights the vulnerability inherent with DV certificates. All DV certificates are theoretically susceptible to this man in the middle (MITM) exploitation. While the CAB Forum, which was founded by Comodo, has established guidelines for highly validated Extended Validation (“EV”) Certificates, no minimum standard has been adopted. Earlier this month at the CAB Forum’s most recent meeting, Comodo put forward a minimum standard for all SSL certificates which, if adopted, would eliminate this MITM attack. DV certificates' susceptibility to MITM attacks is well known. Minimum standards are well overdue.
