Feeds

CA issues no-questions asked Mozilla cert

Snafu highlights wider trust problem

Secure remote control for conventional and virtual desktops

Security researchers have uncovered weaknesses in low-assurance digital certificates that create a means for miscreants to mount more convincing man-in-the-middle (MITM) attacks.

MITMs involve a hacker planting himself between two parties in a dialogue, relaying messages between them and effectively controlling the conversation. The approach might be used, for example, to trick a user into handing over online banking login credentials in the mistaken belief that they are talking directly to a financial institution.

Normally untrusted certificates from an unknown issuer are used by fraudster sites in these kind of scenarios. This would generate error messages or warnings that flag up possible problems, at least to the more internet-savvy.

These types of warnings disappear if miscreants add a legitimately-issued certificate into the mix.

You might think security credential firms would be wise to this kind of ruse and in most cases they probably are but security blogger Eddy Nigg discovered that he was able to get a low-assurance digital certificate for Mozilla.com. The certificate was issued by a reseller of digital certificate firm Comodo. Nigg was shocked that the approach was successful.

"Five minutes later I was in the possession of a legitimate certificate issued to mozilla.com - no questions asked - no verification checks done - no control validation - no subscriber agreement presented, nothing," he writes.

"With the understanding about MITM attacks, the severity of this practice is obvious. No encryption is worth anything if an attacker can implant himself between the client and the server. With a completely legitimate and trusted certificate, the attack is perfect. No warning and no error."

Nigg got the idea of asking for a certificate in the name of Mozilla after obtaining another certificate from the same reseller in the name of his own firm, Startcom, in order to investigate a separate fraudulent reminder email problem.

Comodo revoked the offending certificate after Nigg posted his findings on the mozilla.dev.tech.crypto mailing list and in a blog posting, with screenshots, here. An incident report on the issue has been filed with Mozilla.

In a statement, Comodo said that it had suspended the reseller involved in the incident as part of a wider investigation.

The certificates were obtained by a competing Certificate Authority (“CA”) attempting to demonstrate a perceived vulnerability in one of our Registration Agent’s (“RA”) systems and procedures. In this isolated incident the certificates were issued as a result of the RA’s automatic DV mechanism being bypassed by an accident on their part. Fortunately the CA did not intend to and did not use the certificates in a commercial setting. As soon as Comodo discovered the error with the certificate, the certificate was revoked and the RA’s account with Comodo was suspended eliminating any chance that the mistake could be repeated. Comodo immediately launched an internal investigation to find the cause of the mis-issued certificate.

The mis-issued certificates are anomalies. Comodo and its partners issue thousands of correctly validated certificates each month. The RA’s account will remain suspended until Comodo is satisfied that the certificates issued were the result of unintentional errors made by the RA and that any vulnerability in the RA’s systems and procedures has been eliminated.

Possible shortcomings with low-assurance certificates are well known and are the reason vendors offer more expensive extended validation certificates, where checks on a users' bona-fides are made. That low-assurance certs might be issued without any checks whatsoever does however come as something of an eye opener.

Comodo said that it was pushing for minimum standards for domain validation (DV) certificates.

The problem illustrated in this unfortunate event highlights the vulnerability inherent with DV certificates. All DV certificates are theoretically susceptible to this man in the middle (MITM) exploitation. While the CAB Forum, which was founded by Comodo, has established guidelines for highly validated Extended Validation (“EV”) Certificates, no minimum standard has been adopted. Earlier this month at the CAB Forum’s most recent meeting, Comodo put forward a minimum standard for all SSL certificates which, if adopted, would eliminate this MITM attack. DV certificates' susceptibility to MITM attacks is well known. Minimum standards are well overdue.

®

Beginner's guide to SSL certificates

More from The Register

next story
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Go beyond APM with real-time IT operations analytics
How IT operations teams can harness the wealth of wire data already flowing through their environment for real-time operational intelligence.
The total economic impact of Druva inSync
Examining the ROI enterprises may realize by implementing inSync, as they look to improve backup and recovery of endpoint data in a cost-effective manner.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.