Nine valid but fraudulent certificates have been issued for major Internet sites, including Google mail, Microsoft Live and Yahoo, raising the possibility of undetectable phishing, man-in-the-middle and drive-by download attacks, multiple advisories stated.
The secure sockets layer (SSL) certificates, issued by root certificate authority Comodo, allow the attackers to sign fraudulent sites and content. The certificates were issued because of a compromise at a registration authority (RA) using stolen log-in credentials for one of Comodo's European partners, according to the company's report on the incident.
"The attacker was still using the account when the breach was identified and the account suspended," the company stated. "The attacker may have intended to target additional domains had they had the opportunity."
The nine certificates for seven web properties include login.live.com, mail.google.com, www.google.com, three for login.yahoo.com, login.skype.com, addons.mozilla.org and one for a global Trustee, according to Microsoft's advisory on the incident. Microsoft has issued an update for Internet Explorer to mitigate the threat.
To actually use the valid certificates to compromise computers, the attackers would have to find a way to redirect users to fraudulent sites, which would appear legitimate because of the certificates. Typically, that means the that the users would have control of some part of the domain name system (DNS) infrastructure, says Melih Abdulhayoglu, CEO of Comodo. Given that the attacks came from an address in Iran and the sophisticated nature of the attacks, Abdulhayoglu believes that the nation's government may be responsible.
"At the moment, all the indications that we are having are pointing to Iran," Abdulhayoglu says. "Whether it is someone proxying through Iran or the Iranian government themselves, I cannot say."
The company revoked the certificates through three mechanisms. The older Certificate Revocation List (CRL), the near real-time Online Certificate Status Protocol (OCSP) and the company worked with browser providers to come up with blacklists that can be provided as an update to browsers.
For most companies, the attack will be a non-event, since the browser updates will render the certificates invalid. However, it could have been serious, says Brian Trzupek, vice president of managed identity for security firm Trustwave.
"In this specific case, the attacker had the domain for the Mozilla Firefox add-on update server," Trzupek wrote in a statement. "This could allow the attacker to inject any arbitrary code they desire into the web browser, in a trusted manner."