Wednesday, March 23, 2011

Microsoft Advisory about fraudulent SSL Certificates

Published: 2011-03-23,
Last Updated: 2011-03-23 18:05:29 UTC
by Johannes Ullrich (Version: 3)
Rate this diary:
2 comment(s)
Update: Looks like the update is marked important, but will not install automatically. You may have to run Windows Update to install it.
Update 2: And Comodo just published an advisory: http://blogs.comodo.com/it-security/data-security/the-recent-ca-compromise/ also not that this is still the same issue we talked about this morning with respect to Firefox 4.

Microsoft just released an advisory [1] alerting its customers that a total of 9 certificates where issued using the leaked/stolen CA certificated from Comodo.
The affected domains are according to Microsoft:
login.live.com
mail.google.com
www.google.com
login.yahoo.com (3 certificates)
login.skype.com
addons.mozilla.org (already known from an earlier announcement by Mozilla)
"Global Trustee"
The advisory states that Comodo has revoked these certificates and listed them in its revocation list. Microsoft also is releasing an update that will blacklist these certificates.
Of course, this issue is "serious", not just considering the household brand names affected. Probably even worse then the possible man in the middle attacks that may have happened is the simple fact that this fundamentally breaks the trust model of SSL. SSL is using a "trust pyramid", A few certificate authorities are trusted to issue certificates to entities they trust. Of course this trust should be based on some kind of verification and the ability to secure the private key that goes with the root certificates and the signing certificates based on it. This event more and more looks like the trust pyramid was really more a stinking pile of doo . No surprise given the rush to the "no paper work required bargain basement certs". I recently started using free certs from startssl.com just for that reason: At least startssl doesn't charge me for not verifying who I am.

In short: Patch... and hope you will be ok until the next time this happens. It would be nice if Comodo would come forward with details. It was probably the APT Monster that ate it.
[1] http://www.microsoft.com/technet/security/advisory/2524375.mspx
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter