davidh
April 1st, 2011, 02:22 AM
Hack Obtains 9 Bogus Certificates for Prominent Websites; Traced to Iran
By Kim Zetter Email Author
March 23, 2011 |
5:37 pm |
Categories: Cybersecurity, Hacks and Cracks
In a fresh blow to the fundamental integrity of the internet, a hacker last week obtained legitimate web certificates that would have allowed him to impersonate some of the top sites on the internet, including the login pages used by Google, Microsoft and Yahoo e-mail customers.
The hacker, whose March 15 attack was traced to an IP address in Iran, compromised a partner account at the respected certificate authority Comodo Group, which he used to request eight SSL certificates for six domains: mail.google.com, www.google.com, login.yahoo.com, login.skype.com, addons.mozilla.org and login.live.com.
... ...
"If you look at all these domains, every single one of them are communications-related,” he continued. “My personal opinion is that someone is trying to read people’s e-mail communications. [B]the only way for this attack to work [on a large scale] is if you have access to the DNS infrastructure. The certificates on their own are no use, unless they have access to the DNS infrastructure itself, which a state would.”
http://www.wired.com/threatlevel/2011/03/comodo-compromise/
Certificates and web site security
The most common use of certificates is for HTTPS-based web sites. A web browser validates that an SSL (Transport Layer Security) web server is authentic, so that the user can feel secure that his/her interaction with the web site has no eavesdroppers and that the web site is who it claims to be. This security is important for electronic commerce. In practice, a web site operator obtains a certificate by applying to a certificate provider (a CA that presents as a commercial retailer of certificates) with a certificate signing request. The certificate request is an electronic document that contains the web site name, contact email address, and company information. The certificate provider signs the request, thus producing a public certificate. During web browsing, this public certificate is served to any web browser that connects to the web site and proves to the web browser that the provider believes it has issued a certificate to the owner of the web site.
Before issuing a certificate, the certificate provider will request the contact email address for the web site from a public domain name registrar, and check that published address against the email address supplied in the certificate request. Therefore, an https web site is only secure to the extent that the end user can be sure that the web site is operated by someone in contact with the person who registered the domain name.
As an example, when a user connects to https://www.example.com/ with his browser, if the browser gives no certificate warning message, then the user can be theoretically sure that interacting with https://www.example.com/ is equivalent to interacting with the entity in contact with the email address listed in the public registrar under "example.com", even though that email address may not be displayed anywhere on the web site. No other surety of any kind is implied. Further, the relationship between the purchaser of the certificate, the operator of the web site, and the generator of the web site content may be tenuous and is not guaranteed. At best, the certificate guarantees uniqueness of the web site, provided that the web site itself has not been compromised (hacked) or the certificate issuing process subverted.
http://en.wikipedia.org/wiki/Public_key_certificate#Certificates_and_web_site_s ecurity Hoping this will be interesting reading for those so inclined :D
By Kim Zetter Email Author
March 23, 2011 |
5:37 pm |
Categories: Cybersecurity, Hacks and Cracks
In a fresh blow to the fundamental integrity of the internet, a hacker last week obtained legitimate web certificates that would have allowed him to impersonate some of the top sites on the internet, including the login pages used by Google, Microsoft and Yahoo e-mail customers.
The hacker, whose March 15 attack was traced to an IP address in Iran, compromised a partner account at the respected certificate authority Comodo Group, which he used to request eight SSL certificates for six domains: mail.google.com, www.google.com, login.yahoo.com, login.skype.com, addons.mozilla.org and login.live.com.
... ...
"If you look at all these domains, every single one of them are communications-related,” he continued. “My personal opinion is that someone is trying to read people’s e-mail communications. [B]the only way for this attack to work [on a large scale] is if you have access to the DNS infrastructure. The certificates on their own are no use, unless they have access to the DNS infrastructure itself, which a state would.”
http://www.wired.com/threatlevel/2011/03/comodo-compromise/
Certificates and web site security
The most common use of certificates is for HTTPS-based web sites. A web browser validates that an SSL (Transport Layer Security) web server is authentic, so that the user can feel secure that his/her interaction with the web site has no eavesdroppers and that the web site is who it claims to be. This security is important for electronic commerce. In practice, a web site operator obtains a certificate by applying to a certificate provider (a CA that presents as a commercial retailer of certificates) with a certificate signing request. The certificate request is an electronic document that contains the web site name, contact email address, and company information. The certificate provider signs the request, thus producing a public certificate. During web browsing, this public certificate is served to any web browser that connects to the web site and proves to the web browser that the provider believes it has issued a certificate to the owner of the web site.
Before issuing a certificate, the certificate provider will request the contact email address for the web site from a public domain name registrar, and check that published address against the email address supplied in the certificate request. Therefore, an https web site is only secure to the extent that the end user can be sure that the web site is operated by someone in contact with the person who registered the domain name.
As an example, when a user connects to https://www.example.com/ with his browser, if the browser gives no certificate warning message, then the user can be theoretically sure that interacting with https://www.example.com/ is equivalent to interacting with the entity in contact with the email address listed in the public registrar under "example.com", even though that email address may not be displayed anywhere on the web site. No other surety of any kind is implied. Further, the relationship between the purchaser of the certificate, the operator of the web site, and the generator of the web site content may be tenuous and is not guaranteed. At best, the certificate guarantees uniqueness of the web site, provided that the web site itself has not been compromised (hacked) or the certificate issuing process subverted.
http://en.wikipedia.org/wiki/Public_key_certificate#Certificates_and_web_site_s ecurity Hoping this will be interesting reading for those so inclined :D