Fraudulent SSL Certificates

Friday, March 25th, 2011 | Bruce Morton

US-CERT, Microsoft, Mozilla, Google, Comodo and many bloggers have recently reported the issuance of fraudulent SSL certificates for the following domains:

  • mail.google.com
  • www.google.com
  • login.live.com
  • addons.mozilla.org
  • login.skype.com
  • login.yahoo.com
  • global trustee

The certificates were issued by Comodo after one of their Registration Authority (RA) accounts was compromised. The mis-issuance was detected promptly, the certificates were revoked and notification was provided to the organizations affected, as well as the browser manufacturers.

The fraudulent SSL certificates could be used to spoof websites, perform phishing attacks or perform man-in-the-middle attacks against all browser users. As such, the major browsers added the certificates to their blacklists by March 23.

The attack has prompted the industry to take action. The Mozilla Foundation Security Policy discussion forum has been lit up with posts.

This brings a sense of urgency to initiatives that are already in progress. The CA/Browser Forum is currently drafting standards applicable to all CAs that, once implemented, will help prevent similar attacks in the future. Their specification is expected to be available for public review in the near future.

Another important initiative is the IETF proposal for Certification Authority Authorization (CAA), which will permit a registered domain holder to restrict certificate issuance to a specific CA through its DNS records.
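As an added illustration (not from the original post or the CAA draft itself), the check below shows how a CA would consult CAA records before issuing for a name: climb from the requested FQDN toward the root, take the first CAA set found, and honour its `issue`/`issuewild` properties, using the tag and flag semantics later standardized in RFC 6844/8659. The zone data and CA names are constructed for the example.

```python
from typing import Dict, List, Optional, Tuple

CaaRecord = Tuple[int, str, str]  # (flags, tag, value)

# Constructed zone data for this example; not real DNS.
ZONE: Dict[str, List[CaaRecord]] = {
    "example.com": [(0, "issue", "trusted-ca.example")],
    "no-certs.example.com": [(0, "issue", ";")],  # empty CA list: forbid all issuance
    "wild.example.com": [
        (0, "issue", "trusted-ca.example"),
        (0, "issuewild", "other-ca.example"),
    ],
    "locked.example.com": [(128, "future-tag", "x")],  # critical flag, unknown tag
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128  # high bit of the flags octet


def relevant_caa(fqdn: str) -> Optional[List[CaaRecord]]:
    """Climb from the FQDN toward the root; the first CAA set found is the relevant one."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        records = ZONE.get(".".join(labels[i:]))
        if records:
            return records
    return None


def ca_domain(value: str) -> str:
    """Strip parameters ('ca.example; account=1') down to the bare CA domain."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(fqdn: str, ca: str, wildcard: bool = False) -> bool:
    """Return True if `ca` is permitted to issue a certificate for `fqdn`."""
    records = relevant_caa(fqdn)
    if records is None:
        return True  # no CAA anywhere in the tree: issuance is not restricted
    if any(flags & CRITICAL and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False  # a critical property the CA does not understand forbids issuance
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in records):
        tag = "issuewild"  # issuewild, when present, governs wildcard names
    matching = [ca_domain(v) for _, t, v in records if t == tag]
    if not matching:
        return True  # relevant set carries no issue/issuewild property
    return ca.lower() in {d for d in matching if d}  # ';' alone yields no permitted CA
```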

So, what can end-users and IT personnel do?

  • Upgrade browsers as soon as possible
  • Ensure certificate revocation checking is enabled in browsers
  • Consider removing root certificates that don’t need to be trusted


2 Responses to “Fraudulent SSL Certificates”

  1. [...] SSL 3.0 (1996) and TLS 1.0 (1999). The recent attacks on certification authorities (CA) such as Comodo, StartCom, DigiNotar and GlobalSign were attempts to get the CAs to issue fraudulent SSL [...]

  2. [...] issuance of Domain Validated (DV) certificates. The ComodoHacker issued fraudulent certificates by attacking third-party registration authorities. Most recently, due to a spear-phishing attack, some SSL CAs were found to be issuing certificates [...]
