Who knew what, when?
Of the three browser makers, only Microsoft explicitly notified its users of the attack on the SSL certificate system, and even then eight days after the bogus certificates had been issued. The notification came only after Comodo had posted limited details of the attack in three separate notices.
According to Jacob Appelbaum, the Tor volunteer who independently discovered the compromise, disclosure was postponed until Wednesday so that all parties could have time to issue browser updates.
Companies often urge researchers to delay notification of attacks or vulnerability discoveries until a fix is in place, to avoid disclosing information that could enable additional people to exploit the weaknesses. That rationale doesn't apply here: to exploit these compromised certificates, an attacker would already need the corresponding private keys, so publishing which certificates were forged helps defenders without helping anyone new. The decision by Google, Microsoft, Mozilla and Comodo to keep the world in the dark for eight days comes as a slap in the face to their users.
“The attackers had all they needed,” said Marsh Ray, a researcher and software developer at two-factor authentication service PhoneFactor. “Knowing which certificates have been compromised gives an immediate step people can take to secure their systems.”
None of the companies would explain why they waited so long to disclose the attack.
Of course, any attacker sophisticated enough to be suspected of being a state-sponsored actor is also capable of making the attacks appear to have come from Iran in order to lay a false trail. Comodo CEO Melih Abdulhayoglu acknowledged the possibility that the attackers weren't affiliated with the government of that country. But he pointed to recent news reports of attacks attributed to Iran and its neighbors on Tor, on Facebook users in Tunisia and on RSA as support for the view that the certificate forgeries were part of a state-sponsored campaign.
“If I was a betting man, I would bet that they're in Iran,” he said of the attackers. “If you look at what's happening in the Middle East and if you look at what happened with Stuxnet last year, I think that was a wake-up call to the Iranian government to understand the power of cyber warfare. Now they have attacked Tor. They're on a roll at the moment. They keep attacking.” ®
Comodo declining to name the reseller
means that they themselves must be considered compromised. Worse is that private keys to signing certificates signed by other CAs are also compromised. And they're not telling which ones there, either.
Though users of IE and anything else that uses the Windows certificate store aren't helped by knowing which certificates are compromised: removing them yourself just results in the relevant micros~1 processes silently(!) adding them back(!) at the next store access or Windows update. It's clearly not up to you whom to trust, according to them.
The whole PKI is rife with this sort of silliness, which is why I don't think the whole thing does what it says on the tin. It's merely a way to expensively sell numbers that cause your domain name in the browser bar to turn gold or green or whatever the colour of the week is. And ultimately, that doesn't mean Joe Average User is supposed to understand what it means.
So what's the basic problem with SSL? Well, it's built for function. If it doesn't work, it doesn't work and blocks people from what they want to do, causing popups or errors-within-the-browser-window that mainly serve to annoy, not inform, the end user. CRLs work the same, but have opposite function. When that doesn't work, compromised certificates slip through. A rather insidious hole to abuse.
The exciting crypto part is reasonably well-tested, though even things like side-channel attacks aren't to be ruled out. But certificate handling remains the boring, neglected part. It starts with hopelessly convoluted attributes and whatnot that make its encoding, chew toy ASN.1, look sane by comparison. Few people know what any of that even means, never mind the variations by which various browsers interpret it all. CRLs? Don't work. Meaningful error messages? Say what? You're lucky the browser bar may or may not change colour. Clear paths to recover from compromise? Ha ha!
And the kicker? The very model. Pay some shady company like Verisign an exorbitant sum to issue a certificate for a year --meaning compromise will last that long too, worst case-- that is supposed to protect you from, well, those they don't take money from. They're a commercial entity. Systemic safety built in right there.
That certificate issuing thing isn't special; just about any SSL implementation can do it. With OpenSSL or Mozilla's NSS installed (which you get "free" with most of Mozilla's other software) you have the tools. But if you do, you'll just get nagged at by your browser, unreasonably much by comparison.
The thing that makes CAs special is having a self-signed signing certificate stuffed in the world's certificate databases as "trusted". Go take a look in your browser's certificate store. How many of those "trusted" CAs would you trust? Have you any idea what sort of sites they issue certificates for? Or how they do it? Therefore, do you know what it means, what standards they applied? Have you made informed judgements on whether you wish to trust any of them? Provided you can, which in the case of the micros~1 store you plain can't; in other cases the process is so obscure only PKI geeks bother.
The CA structure behind SSL remains more accidents waiting to happen. I'm surprised it doesn't happen far more often. Then again, crypto nerd Appelbaum only noticed when he actively started to look. Appelbaum's page is quite interesting, and not just because of what he did: notice how just finding out about the compromises is something that makes just about everyone not into that have their eyes thoroughly glaze over.
The elephant in the room, though, is the curious silence and covering of the root CA for the compromised RA (USERTRUST), and the large browsers doing exactly the same. Why?
They're commercial entities, so why not apply "free market" on this end, too? Probably because of (perceived) interests with other clients, or even interest in protecting this house of cards, excuse me, valuable security system. Perchance free market doesn't work so well for this. So perhaps we should stop paying CAs or their resellers so much. Maybe time for a different model, and do away with PKI and its associated commercial circus, no?
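The "immediate step" Marsh Ray describes in the article, and the fail-closed alternative to CRLs that the comment above asks for, can be done without trusting anyone's revocation infrastructure: keep a local blocklist of the published (issuer, serial) pairs and refuse any certificate that matches. The example below is an added illustration, not code from the article, the commenter, Comodo or any browser vendor. It contains a small, strict DER walker (the "chew toy ASN.1" from the comment) that pulls the serial number and issuer out of a certificate, and a tiny encoder that only exists to construct the sample certificates inline. The issuer name "Example Issuing CA", the serial numbers and the leaf names are all made up for the demonstration; the sample certificates carry placeholder key and signature bytes, so they are structurally valid but not signed.

```python
"""
Strict DER walker that pulls the serial number and issuer out of a DER X.509
certificate and checks them against a local blocklist of known-bad
(issuer, serial) pairs. Unlike a CRL fetch, a local blocklist cannot "not
work": if the pair is listed, or the certificate cannot even be parsed, the
answer is block. Sample certificates are constructed below by a tiny encoder
and carry placeholder key and signature bytes (assumed data, not real certs).
"""
from dataclasses import dataclass

SEQUENCE, SET, INTEGER, OID, NULL, BITSTR = 0x30, 0x31, 0x02, 0x06, 0x05, 0x03
PRINTABLE, UTF8, IA5, UTCTIME, CTX0 = 0x13, 0x0C, 0x16, 0x17, 0xA0
ATTR = {"2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.3": "CN"}
OID_FOR = {short: oid for oid, short in ATTR.items()}


# ---- encoder: only used to construct the sample certificates ----
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def der_int(v):  # minimal two's-complement big-endian, as DER requires
    return tlv(INTEGER, v.to_bytes((v.bit_length() + 8) // 8 or 1, "big", signed=True))


def der_oid(dotted):  # base-128 arcs, first two arcs packed into one byte
    a = [int(x) for x in dotted.split(".")]
    out = bytearray([40 * a[0] + a[1]])
    for arc in a[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return tlv(OID, bytes(out))


def der_name(**rdns):  # one single-valued RDN per attribute, in the order given
    return tlv(SEQUENCE, b"".join(
        tlv(SET, tlv(SEQUENCE, der_oid(OID_FOR[k]) + tlv(PRINTABLE, v.encode("ascii"))))
        for k, v in rdns.items()))


def build_sample_cert(serial, issuer, subject):
    sha256_rsa = tlv(SEQUENCE, der_oid("1.2.840.113549.1.1.11") + tlv(NULL, b""))
    tbs = tlv(SEQUENCE,
              tlv(CTX0, der_int(2)) + der_int(serial) + sha256_rsa + issuer
              + tlv(SEQUENCE, tlv(UTCTIME, b"110315000000Z") + tlv(UTCTIME, b"120315000000Z"))
              + subject
              + tlv(SEQUENCE, tlv(SEQUENCE, der_oid("1.2.840.113549.1.1.1") + tlv(NULL, b""))
                    + tlv(BITSTR, bytes(9))))  # placeholder public key
    return tlv(SEQUENCE, tbs + sha256_rsa + tlv(BITSTR, bytes(17)))  # placeholder signature


# ---- decoder ----
def read_tlv(buf, pos):
    """Return (tag, value, next_pos). DER is canonical, so indefinite,
    non-minimal or truncated lengths are malformed input, not variants."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if tag & 0x1F == 0x1F:
        raise ValueError("high tag numbers are not used in X.509")
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad length octets")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if length < 0x80 or length < 1 << (8 * (n - 1)):
            raise ValueError("non-minimal length")
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length


def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out


def expect(tag, node):
    if node[0] != tag:
        raise ValueError(f"expected tag {tag:#x}, got {node[0]:#x}")
    return node[1]


def decode_oid(body):
    if not body or body[-1] & 0x80:
        raise ValueError("bad OID")
    arcs = [body[0] // 40, body[0] % 40] if body[0] < 80 else [2, body[0] - 80]
    v = 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))


def name_to_str(body):  # RFC 4514-style rendering, for humans only
    parts = []
    for rdn in children(body):
        for atv in children(expect(SET, rdn)):
            oid_node, (vtag, vbody) = children(expect(SEQUENCE, atv))
            oid = decode_oid(expect(OID, oid_node))
            text = (vbody.decode("ascii") if vtag in (PRINTABLE, IA5)
                    else vbody.decode("utf-8") if vtag == UTF8 else "#" + vbody.hex())
            parts.append(f"{ATTR.get(oid, oid)}={text}")
    return ",".join(parts)


@dataclass(frozen=True)
class CertIdentity:
    serial: int
    issuer_der: bytes  # matched byte-for-byte; no string normalisation of names
    issuer: str


def parse_cert_identity(der):
    tag, body, end = read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    nodes = children(body)  # Certificate ::= SEQUENCE { tbs, sigAlg, signature }
    if len(nodes) != 3:
        raise ValueError("unexpected Certificate layout")
    fields = children(expect(SEQUENCE, nodes[0]))
    if fields[0][0] == CTX0:  # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    serial = int.from_bytes(expect(INTEGER, fields[0]), "big", signed=True)
    issuer_body = expect(SEQUENCE, fields[2])
    return CertIdentity(serial, tlv(SEQUENCE, issuer_body), name_to_str(issuer_body))


def is_blocklisted(der, blocklist):
    """blocklist maps issuer Name DER -> set of serials. Fails closed: a
    certificate that cannot be parsed is treated as blocked, not as unknown."""
    try:
        ident = parse_cert_identity(der)
    except (ValueError, IndexError):
        return True
    return ident.serial in blocklist.get(ident.issuer_der, set())


# ---- constructed sample data (assumed names and serials, not real certs) ----
ISSUER = der_name(C="GB", O="Example RA Ltd", CN="Example Issuing CA")
LEAF_OK = build_sample_cert(0x1001, ISSUER, der_name(CN="www.example.com"))
LEAF_BAD = build_sample_cert(0x2ABC, ISSUER, der_name(CN="login.example.net"))
BLOCKLIST = {ISSUER: {0x2ABC}}  # the published (issuer, serial) of the bogus cert

if __name__ == "__main__":
    for label, cert in (("ok", LEAF_OK), ("bad", LEAF_BAD), ("truncated", LEAF_BAD[:-20])):
        print(label, "BLOCK" if is_blocklisted(cert, BLOCKLIST) else "allow")
```

Two design points worth noting. The blocklist is keyed on the raw DER of the issuer name rather than on a rendered string, because X.509 name comparison rules (case folding, string-type equivalence, whitespace) are exactly the kind of per-implementation variation the comment complains about; byte-for-byte matching can miss a re-encoded name but never produces a false positive. And the walker rejects non-minimal and truncated lengths instead of tolerating them, so that two parsers cannot disagree about where the serial number or issuer ends.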
Anyone skilled enough to break into remote computers is certainly more than capable of masking his actual IP (and making it look like the attack originated pretty much anywhere in the world).
Smells of anti-Iran propaganda and a smear campaign as usual, but the dumb masses are easy to fool.
Are they sure it's from Iran...
...and not someone using a proxy server to bounce off to make it look like it's from another country?