
Fraudulent web site certificates were apparently issued to individuals that should not have been able to get them. The result is a vulnerability in https.

A few days ago, Comodo apparently issued nine certificates used for https on behalf of a third party without properly making sure that the person requesting the certificate was indeed the person authorized to do so for that domain.

Put another way, someone in Iran can apparently set up an https connection that could work and fool your browser into thinking it was validly connecting to httpS://www.google.com and nine other sites, when in fact it was not.

I'll explain how certificates work to confirm you're connecting to who you think you are, what happened here, and what you need to do to stay safe.

HTTPS

When you visit a site using https, two things happen:

  • Your browser verifies that you are connected to the site that you think you are.

  • The data you then pass back and forth with that site is encrypted.

This issue is all about the first item: hacking the system so that you might think you're connected securely to one site when in fact you're connected to some hacker's site instead.

It's All About Trust

I'll use my own secure domain as an example:

[Screenshot: IE 9 open on https://secure.pugetsoundsoftware.com]

Clicking on the lock icon in the address bar gives this pop-up window:

[Screenshot: Website Identification pop-up]

Indicating that Go Daddy has issued a certificate to this site identifying it as secure.pugetsoundsoftware.com.

Click on View Certificates to see more information:

[Screenshot: Website Certificate details]

What this means is that when purchasing the certificate to be used to secure an https connection to secure.pugetsoundsoftware.com, I had to verify to Go Daddy, the company from which I purchased the certificate, that I was the rightful owner of that domain and had the authority to represent myself as that domain. Only then was the certificate issued for my use.

When your browser visits https://secure.pugetsoundsoftware.com, it fetches my certificate and validates that it's been properly digitally signed by Go Daddy.

It's able to do that because Windows itself keeps a set of what are called "root certificates", and one of them is Go Daddy's. By checking my certificate for secure.pugetsoundsoftware.com against that 'official' Go Daddy certificate, the browser can confirm that the site it's visiting is indeed the site to which Go Daddy issued the certificate, and by extension, the very site that it claims to be.

It's all about trust - Go Daddy trusts me, and Windows trusts Go Daddy.

There are many certificate authorities other than Go Daddy - that just happens to be the one I used.

And that's also where things get interesting.

How the System Was Breached

A different certificate authority, Comodo, the same folks who make a firewall and anti-malware tools, apparently had a lapse in their validation process for issuing certificates.

Someone (who appears to be from Iran from what I've heard) was able to purchase certificates from Comodo that would validate for domains like login.live.com, mail.google.com, www.google.com, login.yahoo.com and several others.

What that means is that they could set up servers that could provide https connections that would validate as those domains, even though they were not those domains at all, but rather phishing sites.

You would think that you were securely connected to mail.google.com - trusting in the https to validate the authenticity of that server - when, in fact, you were not.

Comodo trusted someone they shouldn't have.

Scary stuff.

What You Need To Do

As it turns out, probably not too much.

The certificate system has built into it the ability for a certificate issuer to "revoke" an issued certificate. Web browsers that properly play by the rules will check first to see if a certificate has been revoked and refuse to use it if it has. Needless to say, Comodo has revoked those certificates.

Microsoft has also provided an update to, as they put it, "help address this issue". To quote their page on the issue, "we have [...] developed an update that will help to protect customers by ensuring that these nine fraudulent certificates are always treated as untrusted." Basically, the certificates are pre-loaded into a kind of certificate "black list" on your machine.
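The two checks described above, the chain of trust from a site certificate up to a root and the "black list" of known-bad certificates, as an added example that is not from the original article. It uses Go's standard crypto/x509 package with constructed keys and certificates; the CA and host names are made up, and CheckSite stands in for what a browser does.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// newCert issues a constructed certificate. With parent == nil it returns a self-signed
// root CA (the "Go Daddy" role); otherwise a site certificate for name signed by parent.
func newCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial.Add(serial, big.NewInt(1)), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	signer, signKey := tmpl, key // self-signed unless a parent CA is given
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames, signer, signKey = []string{name}, parent, parentKey
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// CheckSite mimics the browser: refuse anything on the untrusted list (keyed by the
// SHA-256 of the certificate's DER bytes), then require a valid chain from the site
// certificate to a trusted root for the host actually being visited.
func CheckSite(site *x509.Certificate, roots []*x509.Certificate, host string, untrusted map[[32]byte]bool) error {
	if untrusted[sha256.Sum256(site.Raw)] {
		return errors.New("certificate is on the untrusted list")
	}
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := site.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}
```

The point the incident turns on: a certificate mis-issued by a trusted CA passes the chain check exactly like a legitimate one, which is why the untrusted list is needed on top of it.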

If you have automatic updates enabled, you'll get that update.

If you don't have automatic updates enabled, you can take the additional step of installing the update yourself.

You can read more about this event, including the full list of domains affected and the link to the update at Microsoft Security Advisory (2524375) - Fraudulent Digital Certificates Could Allow Spoofing.

Article C4774 - March 23, 2011

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


6 Comments
Don Bell
March 24, 2011 6:35 AM

Thank you Leo! I have gone to Microsoft and have attached the patch. Keep up the great work that you do!!

Michael M
March 24, 2011 12:51 PM

I'm surprised to see all that I have been finding out so far on answers without the runaround. I just experienced all that I have just read. Just yesterday, I noticed an update from Microsoft indicating some unauthorized certificates have been issued but were missing some info in identity (something like that). Today, I ran into a phishing email but took it upon myself to report it. At this point, well, just to find the full figure of it, I downloaded the attachment (which I should not have done) and proceeded on following the link. I knew it was a false web site of PayPal. I just happened to call them right away just in case a low-end user not knowing what they would be getting into falls for this scam.
But from doing this, now I feel like I have all kinds of maintenance problems. I'm in safe mode right now making sure there are no viruses nor anything it may have caught. I've heard when downloading something in particular that may have a virus but doesn't show itself to be one, it can activate at a later time. I have no idea. But what I noticed is my antivirus is seeing everything to be safe.
What got me to look in this helpful site of yours is the information upon the service (scvhost.exe) running up my CPU. This started happening after me playing Superman. lol. I've noticed my cursor slowing down as I was dragging it while it was lagging to move across the screen. I took action right away. I'm not all too familiar with viruses and what they do or where they hide out. When looking into it to see what I can learn from it, I just get a big headache looking at all the abbreviations.
I'm glad I found this site. Oh, and some popup messages were asking for me to subscribe but I had no idea it was a live user. I closed them out. Not to be rude or nothing, but I was just in a hurry to find what I was looking for. This site really helps.
You guys into Adobe CS5 with tips? Hope to find out. Just got the software and can't wait to learn the software. Pretty exciting, possible career change. LOL
Sorry for the typos, hope you know typonese.
Regards,
Michael M

from Tokyo
March 30, 2011 7:03 AM

I don't use Internet Explorer but Firefox. Do I need to do something?

Jeff
March 31, 2011 9:36 AM

Hi. It sounds like secure HTTP is pointless unless the user actually checks each certificate to see that he (or she) is on the correct site for every page. I will not do that - not that I don't want to; it's just too cumbersome.

But since the browser can see the certificate, is there some way to set the browser to only allow me to do banking if the certificate checks out as being from my bank?

IOW, I go to my bank's website and make absolutely sure I'm at the correct site, and get the bank's certificate. I import that into my browser, and then the browser would prevent me from banking at a phishing site that looks like my bank.

By and large https is safe. There are extensions available for Firefox, I believe, that will do that extra level of check you're looking for, but I've never felt the need to use them.

Leo
31-Mar-2011
Harish Dobhal
April 8, 2011 5:12 AM

This is somewhat confusing. I thought phishers use a 'similar' domain name and cannot use the same domain name they try to fake. For example, they would use something like "www.gooogle.com", as "www.google.com" cannot be used unless hacked, whether it's secure or not.
Please throw some light on it.

There are techniques where a hacker can, indeed, re-route "google.com" to a server of their own choosing. The most common are viruses that install a bogus "hosts" file on your PC. That, then, with a fraudulent certificate could allow them to impersonate an https connection to what you see as the correct domain name.
Leo
10-Apr-2011

Harish Dobhal
April 11, 2011 12:35 AM

This is an eye opener! I used to think if the domain name itself is correct then we are safe, and if it's with https then there is no need to worry. This information certainly opened my eyes. Thanks a ton.
However, I still can't understand why my bank does not tell about this possibility. Anyways, I am going to be much more careful now...
