Comodo Attack Sparks SSL Certificate Security Discussions
The recent disclosure about an attack on a Comodo affiliate registration authority has opened a wider conversation about Internet security and SSL certificates.
Wednesday, Comodo revealed a registration authority had been compromised in a March 15 attack and that the username and password of a Comodo Trusted Partner in Southern Europe were stolen.
Using those credentials, the attacker was able to request nine digital certificates across seven domains, including: login.yahoo.com, mail.google.com, login.skype.com and addons.mozilla.org. According to Comodo, the situation was discovered within hours of the attack and all nine certificates were revoked -- only one of which the company said was seen being used.
The company believes the attack -- which it traced to two IP addresses assigned to an Iranian Internet Service Provider (ISP) -- may have been an effort by the Iranian government to spy on dissidents using Gmail, Skype and other services. But in addition to opening discussions of possible government spying, the situation also has turned a spotlight on one of the basic issues of the Internet -- proper authentication.
“There really has never been an ‘SSL trust chain,’” explained Gartner’s John Pescatore. “SSL in practice only provides transport encryption -- it does not provide any meaningful authentication of the user and only minimal authentication of the server. It has always been way overhyped by the ecommerce world to try to overcome fears in online commerce.”
Security researcher Moxie Marlinspike, who has been well-publicized for his research on attacking SSL, told CRN the existing certificate revocation process “is not viable.” Certificate authorities [CAs] can’t seem to provide a reliable OCSP [Online Certificate Status Protocol] service, so most OCSP implementations fail, he wrote in an e-mail.
“Two years ago I demonstrated an OCSP bypass using my tool sslsniff, and it still hasn't been fixed,” he wrote. “If these attackers have forged certificates, the standard revocation mechanisms aren't going to stop them, which is why the browser vendors had to hardcode the serials into the new browsers they're shipping.”
The anomaly here isn't that this happened, he added, it's that anyone noticed.
“CAs, particularly resellers, have a reputation for terrible validation systems, and getting forged certificates is a pretty low bar,” he argued. “A few years ago, Mike Zusman was able to obtain a certificate for login.live.com (one of the certs obtained in this attack) simply by asking for it. I think it's fair to assume that this sort of thing is happening all the time.”
The revocation failure is mostly on the browser side, opined Pescatore.
“Browsers generally either don’t check revocation, or only check it on publisher (vs. server) certificates,” he noted. “Even when it is turned on, some browsers interpret a lack of response as ‘the certificate is OK.’ Plus, there has been absolutely no investment in public education by the CA/Browser forum so that normal human beings would even know what to do even if their browser did say ‘The certificate for this site has been revoked. Do you want to proceed?’”
Comodo CEO Melih Abdulhayoglu said the company contacted browser vendors so they could patch after the situation was discovered. Microsoft, Google and Mozilla all issued updates in response to the situation. Still, security researcher Jacob Appelbaum argued in a blog post that Comodo should not have waited eight days before disclosing the attack to the public.
“The browsers have dropped the ball and they have chosen to fail open in nearly every single case; an attacker who is able to MITM (man-in-the-middle) SSL/TLS will also MITM the OCSP/CRL requests… Browsers should give insecure CA keys an Internet Death Sentence rather than expose the users of the browsers to known problems,” he blogged.
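The fail-open behaviour Pescatore and Appelbaum describe, and the hardcoded-serial workaround Marlinspike mentions, modelled as an added Python example that is not from the article or from any browser's code. The OCSP responder is simulated, and the serial numbers, policy names and function names are constructed for illustration.

```python
from enum import Enum

class Ocsp(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    NO_RESPONSE = "no_response"  # responder down, or the request never arrived

# Constructed serials: placeholders, not the real revoked certificates.
REVOKED_AT_CA = {"0xAAAA0001", "0xAAAA0002"}
# What a browser update would hardcode (assumed to mirror the CA's list).
SHIPPED_BLOCKLIST = frozenset(REVOKED_AT_CA)

def ocsp_lookup(serial, attacker_on_path):
    """Simulated responder. Whoever can intercept the TLS session can
    also drop the OCSP request, so the client sees no answer at all."""
    if attacker_on_path:
        return Ocsp.NO_RESPONSE
    return Ocsp.REVOKED if serial in REVOKED_AT_CA else Ocsp.GOOD

def accept_certificate(serial, status, policy, blocklist=frozenset()):
    """Return True if the client goes ahead with the connection."""
    if serial in blocklist:          # local check, needs no network
        return False
    if status is Ocsp.REVOKED:
        return False
    if status is Ocsp.NO_RESPONSE:   # the case the two policies disagree on
        return policy == "soft-fail"
    return True

def evaluate(serial, attacker_on_path):
    """Decision of each client policy for one certificate and network state."""
    status = ocsp_lookup(serial, attacker_on_path)
    return {
        "soft-fail": accept_certificate(serial, status, "soft-fail"),
        "hard-fail": accept_certificate(serial, status, "hard-fail"),
        "soft-fail+blocklist": accept_certificate(
            serial, status, "soft-fail", SHIPPED_BLOCKLIST),
    }

if __name__ == "__main__":
    for serial in ("0xAAAA0001", "0xBBBB0009"):   # revoked, then unrelated
        for on_path in (False, True):
            print(serial, "attacker on path:", on_path,
                  evaluate(serial, on_path))
```

The last row of output also shows the cost of hard-fail: a certificate that was never revoked is rejected whenever the responder cannot be reached.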
Comodo’s CEO defended the company’s approach to disclosure, telling CRN there was no point in announcing the situation to the general public before the browser vendors fixed the issue.
“The attack model here points to people trying to control at the DNS [Domain Name System] level… taking a certificate for Google and putting [it] to a different Website isn’t going to work,” Abdulhayoglu said. “This is why you need to have access to DNS infrastructure. So those certificates, without the ability to have access to DNS infrastructure (are) totally useless.”
Last year, Comodo proposed the idea of establishing a body called the certification authority authorization [CAA] to help CAs fight certificate fraud.
“If that standard was deployed, this attack would be useless,” he explained. “The bigger problem that we’re facing is the untrusted and unsecure nature of the DNS infrastructure,” he added. “If DNS was trusted and secure, what could these certificates do? Nothing.”