Fraudulent SSL Certificates

March 25, 2011 by Bruce Morton     2 Comments

US-CERT, Microsoft, Mozilla, Google, Comodo and many bloggers have recently reported the issuance of fraudulent SSL certificates for the following domains:

  • mail.google.com
  • www.google.com
  • login.live.com
  • addons.mozilla.org
  • login.skype.com
  • login.yahoo.com
  • global trustee

The certificates were issued by Comodo after one of their Registration Authority (RA) accounts was compromised. The mis-issuance was detected promptly, the certificates were revoked and notification was provided to the organizations affected, as well as the browser manufacturers.

The fraudulent SSL certificates could be used to spoof websites, perform phishing attacks or perform man-in-the-middle attacks against all browser users. As such, the major browsers added the certificates to their blacklists by March 23.

The attack has prompted the industry to take action. The Mozilla Foundation Security Policy discussion forum has been lit up with posts.

This brings a sense of urgency to initiatives that are already in progress. The CA/Browser Forum is currently drafting standards that would be applicable to all CAs that, when implemented, will help prevent similar attacks in the future.  It is expected that their specification will be available for public review in the near future.

Another important initiative is the IETF proposal for Certification Authority Authorization (CAA), which will permit a registered domain holder to restrict certificate issuance to a specific CA through its DNS records.

So, what can end-users and IT personnel do?

  • Upgrade browsers as soon as possible
  • Ensure certificate revocation checking is enabled in browsers
  • Consider removing root certificates that don’t need to be trusted
Filed Under:
Tagged With:

About

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.

2 thoughts on “Fraudulent SSL Certificates

  1. Pingback: BEAST: Attacking SSL/TLS « SSL Blog - Entrust Insights

  2. Pingback: SSL Certificate Baseline Requirements 1.0 « SSL Blog - Entrust Insights

Add to the Conversation