Mar 23, 2011 14:34 GMT  ·  By

An attacker has managed to obtain nine SSL certificates for high-value domains from Comodo, prompting Chrome and Firefox to release updates to blacklist them.

The incident was the result of a compromise at a Comodo affiliate registration authority (RA) in Southern Europe, in which hackers stole the RA's username and password.

Rogue certificates were requested for mail.google.com, www.google.com, login.yahoo.com (multiple ones), login.skype.com, addons.mozilla.org, login.live.com and a global trustee.

One certificate for login.yahoo.com has already been seen in the wild, in use on a server in Iran. Soon after Comodo revoked it, the server stopped working.

The fact that the main IP used in the attack was also from Iran makes Comodo believe that this was likely a state-driven attack intended for surveillance.

Rogue SSL certificates can be abused only if attackers have complete control over the DNS infrastructure their intended victims rely on, since a victim's connection must be steered to the attackers' server before the forged certificate can be presented.

This is particularly true for governments that control the perimeter gateways of entire countries, like Iran or Tunisia, where former president Ben Ali's regime abused that power to perform mass phishing attacks targeting Gmail, Yahoo!, Facebook and other services.

"We immediately got in touch with the principal browsers and domain owners and alerted them to what had happened. There was a coordinated effort for a responsible disclosure," says Comodo in its incident report.

Google was the first to react by pushing out a Chrome update that blacklisted the certificates last Thursday. Mozilla followed this week together with a post on its security blog.

American hacker and privacy activist Jacob Appelbaum, aka ioerror, had been investigating the incident since before it became public; however, he withheld his results in the interest of responsible disclosure. The details of his research are now available on the Tor Project's blog.