
CA issues no-questions asked Mozilla cert

Snafu highlights wider trust problem


Security researchers have uncovered weaknesses in low-assurance digital certificates that create a means for miscreants to mount more convincing man-in-the-middle (MITM) attacks.

MITMs involve a hacker planting himself between two parties in a dialogue, relaying messages between them and effectively controlling the conversation. The approach might be used, for example, to trick a user into handing over online banking login credentials in the mistaken belief that they are talking directly to a financial institution.

Normally, fraudster sites in these kinds of scenarios use untrusted certificates from an unknown issuer. These generate error messages or warnings that flag possible problems, at least to the more internet-savvy.

Those warnings disappear if miscreants add a legitimately issued certificate for the targeted domain into the mix: the browser sees a trusted issuer and a matching name, and has no reason to complain.
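To make concrete why a legitimately issued certificate silences the warning, here is an added Python model (not from the article, Comodo or Mozilla) of a client's trust decision: chain trust plus name match accepts any CA-issued certificate for the name, while an HPKP-style SubjectPublicKeyInfo pin check, the defender's extra test, rejects the key the site operator never announced. The trust-store name and key bytes are constructed placeholders.

```python
import base64
import hashlib
from dataclasses import dataclass

# Constructed trust store: names of roots the client trusts. In the incident the
# mis-issued certificate chained to a root every browser trusted, so this check
# alone cannot tell it apart from the legitimate one.
TRUSTED_ROOTS = {"Trusted Root CA"}

@dataclass(frozen=True)
class Cert:
    subject_cn: str   # hostname the certificate was issued for
    issuer_root: str  # root the chain terminates in (chain building assumed done)
    spki_der: bytes   # DER-encoded SubjectPublicKeyInfo (constructed sample bytes)

def spki_pin(spki_der: bytes) -> str:
    """HPKP-style pin: base64 of the SHA-256 of the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def browser_trust_decision(cert: Cert, hostname: str) -> str:
    """What a 2008-era client checked: a trusted chain and a matching name, nothing else."""
    if cert.issuer_root not in TRUSTED_ROOTS:
        return "warning: untrusted issuer"
    if cert.subject_cn.lower() != hostname.lower():
        return "warning: name mismatch"
    return "no warning"

def pinned_trust_decision(cert: Cert, hostname: str, pins: set) -> str:
    """Same checks plus a key pin: only keys the site operator pre-announced pass."""
    verdict = browser_trust_decision(cert, hostname)
    if verdict != "no warning":
        return verdict
    if spki_pin(cert.spki_der) not in pins:
        return "warning: key not in pin set (possible mis-issued certificate)"
    return "no warning"

# Constructed sample keys; a real SPKI is a few hundred bytes of DER, these stand in for it.
LEGIT_SPKI = b"\x30\x82\x01\x22legit-mozilla-key"
ROGUE_SPKI = b"\x30\x82\x01\x22reseller-issued-key"
MOZILLA_PINS = {spki_pin(LEGIT_SPKI)}

legit = Cert("mozilla.com", "Trusted Root CA", LEGIT_SPKI)
rogue = Cert("mozilla.com", "Trusted Root CA", ROGUE_SPKI)  # the no-questions-asked cert

if __name__ == "__main__":
    for c in (legit, rogue):
        print(browser_trust_decision(c, "mozilla.com"), "|", pinned_trust_decision(c, "mozilla.com", MOZILLA_PINS))
```

Both certificates pass the plain browser check; only the pin set distinguishes the reseller-issued key from the one the site actually uses.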

You might think security credential firms would be wise to this kind of ruse, and in most cases they probably are, but security blogger Eddy Nigg discovered that he was able to get a low-assurance digital certificate for mozilla.com. The certificate was issued by a reseller of digital certificate firm Comodo. Nigg was shocked that the approach was successful.

"Five minutes later I was in the possession of a legitimate certificate issued to mozilla.com - no questions asked - no verification checks done - no control validation - no subscriber agreement presented, nothing," he writes.

"With the understanding about MITM attacks, the severity of this practice is obvious. No encryption is worth anything if an attacker can implant himself between the client and the server. With a completely legitimate and trusted certificate, the attack is perfect. No warning and no error."

Nigg got the idea of asking for a certificate in the name of Mozilla after obtaining another certificate from the same reseller in the name of his own firm, Startcom, in order to investigate a separate fraudulent reminder email problem.

Comodo revoked the offending certificate after Nigg posted his findings on the mozilla.dev.tech.crypto mailing list and in a blog posting with screenshots. An incident report on the issue has been filed with Mozilla.

In a statement, Comodo said that it had suspended the reseller involved in the incident as part of a wider investigation.

The certificates were obtained by a competing Certificate Authority (“CA”) attempting to demonstrate a perceived vulnerability in one of our Registration Agent’s (“RA”) systems and procedures. In this isolated incident the certificates were issued as a result of the RA’s automatic DV mechanism being bypassed by an accident on their part. Fortunately the CA did not intend to and did not use the certificates in a commercial setting. As soon as Comodo discovered the error with the certificate, the certificate was revoked and the RA’s account with Comodo was suspended, eliminating any chance that the mistake could be repeated. Comodo immediately launched an internal investigation to find the cause of the mis-issued certificate.

The mis-issued certificates are anomalies. Comodo and its partners issue thousands of correctly validated certificates each month. The RA’s account will remain suspended until Comodo is satisfied that the certificates issued were the result of unintentional errors made by the RA and that any vulnerability in the RA’s systems and procedures has been eliminated.

Possible shortcomings with low-assurance certificates are well known and are the reason vendors offer more expensive extended validation certificates, where checks on a user's bona fides are made. That low-assurance certs might be issued without any checks whatsoever does, however, come as something of an eye opener.

Comodo said that it was pushing for minimum standards for domain validation (DV) certificates.

The problem illustrated in this unfortunate event highlights the vulnerability inherent with DV certificates. All DV certificates are theoretically susceptible to this man in the middle (MITM) exploitation. While the CAB Forum, which was founded by Comodo, has established guidelines for highly validated Extended Validation (“EV”) Certificates, no minimum standard has been adopted. Earlier this month at the CAB Forum’s most recent meeting, Comodo put forward a minimum standard for all SSL certificates which, if adopted, would eliminate this MITM attack. DV certificates' susceptibility to MITM attacks is well known. Minimum standards are well overdue.

®
