Fraudulent web site certificates were apparently issued to individuals who should not have been able to get them. The result is a vulnerability in https.
A few days ago, Comodo apparently issued nine certificates used for https on behalf of a third party without properly making sure that the person requesting the certificate was indeed the person authorized to do so for that domain.
Put another way, someone in Iran can apparently set up an https connection that could work and fool your browser into thinking it was validly connecting to httpS://www.google.com and nine other sites, when in fact it was not.
I'll explain how certificates work to confirm you're connecting to who you think you are, what happened here, and what you need to do to stay safe.
When you visit a site using https, two things happen:
Your browser verifies that you are connected to the site that you think you are.
The data you then pass back and forth with that site is encrypted.
This issue is all about the first item: subverting the system so that you might think you're connected securely to one site when in fact you're connected to some hacker's site instead.
I'll use my own secure domain as an example:
Clicking on the lock icon in the address bar gives a pop-up window indicating that Go Daddy has issued a certificate to this site identifying it as secure.pugetsoundsoftware.com.
Clicking on View Certificates shows more information.
What this means is that when purchasing the certificate to be used to secure an https connection to secure.pugetsoundsoftware.com, I had to verify to Go Daddy, the company from which I purchased the certificate, that I was the rightful owner of that domain and had the authority to represent myself as that domain. Only then was the certificate issued for my use.
When your browser visits https://secure.pugetsoundsoftware.com, it fetches my certificate and validates that it's been properly digitally signed by Go Daddy.
It's able to do that because among the "root certificates" that Windows itself keeps is another certificate, this one for Go Daddy. By verifying my certificate for secure.pugetsoundsoftware.com against that 'official' Go Daddy certificate, the browser can confirm that the site it's visiting is indeed the site to which Go Daddy issued the certificate, and by extension, the very site that it claims to be.
It's all about trust - Go Daddy trusts me, and Windows trusts Go Daddy.
There are many certificate authorities other than Go Daddy - that just happens to be the one I used.
And that's also where things get interesting.
A different certificate authority, Comodo, the same folks who make a firewall and anti-malware tools, apparently had a lapse in their validation process for issuing certificates.
Someone (who appears to be from Iran from what I've heard) was able to purchase certificates from Comodo that would validate for domains like login.live.com, mail.google.com, www.google.com, login.yahoo.com and several others.
What that means is that they could set up servers that could provide https connections that would validate as those domains, even though they were not those domains at all, but rather phishing sites.
You would think that you were securely connected to mail.google.com - trusting in the https to validate the authenticity of that server - when, in fact, you were not.
Comodo trusted someone they shouldn't have.
So what do you need to do? As it turns out, probably not too much.
The certificate system has built into it the ability for a certificate issuer to "revoke" an issued certificate. Web browsers that properly play by the rules will check first to see if a certificate has been revoked and refuse to use it if it has. Needless to say, Comodo has revoked those certificates.
Microsoft has also provided an update to, as they put it, "help address this issue". To quote their page on the issue, "we have [...] developed an update that will help to protect customers by ensuring that these nine fraudulent certificates are always treated as untrusted." Basically, the certificates are pre-loaded into a kind of certificate "black list" on your machine.
If you have automatic updates enabled, you'll get that update.
If you don't have automatic updates enabled, you can take the additional step of installing the update yourself.
You can read more about this event, including the full list of domains affected and the link to the update at Microsoft Security Advisory (2524375) - Fraudulent Digital Certificates Could Allow Spoofing.
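The checks described above, as an added example that is not code from the article: a browser-style validation routine that looks for a trusted root matching the issuer, verifies the root's signature on the site certificate, checks the validity window and hostname, and consults a local list of known-bad certificate fingerprints (standing in for the pre-loaded "black list" the Microsoft update installs). It uses the `cryptography` package; the CA names, keys and certificates are constructed for the demonstration.

```python
"""Model of the browser-side checks the article describes. Added example
(not the article's own code); needs the `cryptography` package. Every CA,
key and certificate below is constructed here for the demonstration."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def new_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def issue(subject_cn, subject_key, issuer_name, issuer_key, is_ca=False):
    """Build a certificate for subject_cn signed with issuer_key. A root CA is
    just a certificate whose issuer_name is its own name, signed with its own key."""
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name(subject_cn))
        .issuer_name(issuer_name)
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    if not is_ca:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.DNSName(subject_cn)]), critical=False)
    return builder.sign(issuer_key, hashes.SHA256())


def validity_window(cert):
    # Newer cryptography releases expose tz-aware *_utc properties; older ones only naive UTC.
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    nb, na = cert.not_valid_before, cert.not_valid_after
    return nb.replace(tzinfo=timezone.utc), na.replace(tzinfo=timezone.utc)


def validate(leaf, hostname, trusted_roots, untrusted_fingerprints):
    """Decide as a browser would. Returns (True, "ok") or (False, reason)."""
    # Known-bad certificate? This is the pre-loaded "black list": it rejects a
    # certificate even when every other check below would pass.
    if leaf.fingerprint(hashes.SHA256()) in untrusted_fingerprints:
        return False, "certificate is on the untrusted list"
    # Is the issuer named on the certificate one of the roots the OS keeps?
    root = next((r for r in trusted_roots if r.subject == leaf.issuer), None)
    if root is None:
        return False, "issuer is not a trusted root"
    # A matching issuer name is not enough: the root's public key must verify the signature.
    try:
        root.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                 padding.PKCS1v15(), leaf.signature_hash_algorithm)
    except InvalidSignature:
        return False, "signature does not verify"
    not_before, not_after = validity_window(leaf)
    if not (not_before <= datetime.now(timezone.utc) <= not_after):
        return False, "certificate expired or not yet valid"
    # Finally, the certificate must name the host the user actually asked for.
    san = leaf.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    if hostname not in san.get_values_for_type(x509.DNSName):
        return False, "hostname does not match certificate"
    return True, "ok"


def demo():
    """Constructed scenario mirroring the article; returns each case's verdict."""
    ca_key, ca_name = new_key(), name("Example Trusted CA")  # stands in for a trusted CA
    roots = [issue("Example Trusted CA", ca_key, ca_name, ca_key, is_ca=True)]
    site_cert = issue("secure.pugetsoundsoftware.com", new_key(), ca_name, ca_key)

    attacker_key, rogue_name = new_key(), name("Rogue CA")
    # A mail.google.com certificate from a CA the OS does not trust at all.
    rogue_cert = issue("mail.google.com", attacker_key, rogue_name, attacker_key)
    # One that merely claims the trusted CA as issuer but is signed with the attacker's key.
    forged_cert = issue("mail.google.com", attacker_key, ca_name, attacker_key)
    # The Comodo case: the trusted CA itself wrongly issues the certificate.
    misissued_cert = issue("mail.google.com", attacker_key, ca_name, ca_key)
    untrusted = {misissued_cert.fingerprint(hashes.SHA256())}  # what the update pre-loads

    return {
        "genuine": validate(site_cert, "secure.pugetsoundsoftware.com", roots, set()),
        "wrong_host": validate(site_cert, "mail.google.com", roots, set()),
        "untrusted_issuer": validate(rogue_cert, "mail.google.com", roots, set()),
        "forged_issuer_name": validate(forged_cert, "mail.google.com", roots, set()),
        "misissued_before_update": validate(misissued_cert, "mail.google.com", roots, set()),
        "misissued_after_update": validate(misissued_cert, "mail.google.com", roots, untrusted),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:25} {verdict}")
```

Running the file prints one verdict per case. The case worth studying is "misissued_before_update": it passes every chain check, because the certificate really was signed by a root the machine trusts. Nothing in signature verification can tell a properly issued certificate from a mis-issued one, which is why revocation checks and the pre-loaded untrusted list are needed on top of it.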