SSL meltdown: a cyber war attack?
Comodo has released further information on the intrusion into its Certificate Authority (CA) that enabled unknown attackers to obtain SSL certificates for existing web sites. The domains include login.live.com, mail.google.com, www.google.com, login.yahoo.com, login.skype.com, addons.mozilla.org and an unspecified "global trustee".
According to the company's investigations, the intrusion was carried out via the account of a reseller whose task is to check "Certificate Signing Requests" (CSRs) and then pass these requests on to Comodo's systems. A CSR is a request for a CA to sign a public key and is, nowadays, submitted via a web interface. The intruders apparently obtained the reseller's access credentials; Comodo didn't provide any further details about the reseller. However, the reseller is said to be located in Southern Europe, which leaves a lot of room for speculation.
The unknown perpetrators, whose tracks lead to Tehran, used these credentials to log in and create nine CSRs, three of which were for login.yahoo.com alone. However, Comodo says that it is impossible to verify whether the intruders were actually granted all the certificates they requested. The CA has only confirmed that a certificate for login.yahoo.com had already been used on the internet.
Comodo also says that the intrusion was detected within hours and that the certificates were revoked immediately. Browsers can use Certificate Revocation Lists (CRLs) or the Online Certificate Status Protocol (OCSP) to check whether a certificate has been revoked. However, because these checks aren't always reliable, Comodo contacted the browser vendors so that they could enter the certificates' serial numbers in a static blacklist. Google and Mozilla had already responded, and Microsoft released an appropriate update for Internet Explorer on Wednesday 23 March.
According to Comodo, monitoring of its OCSP responder traffic has not detected any attempted use of these certificates, although this means little, since OCSP queries can simply be blocked. The authority emphasised that none of Comodo's own systems were compromised at any time, and that no private keys were read from its Hardware Security Modules (HSMs).
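As an added illustration of the static-blacklist fallback described above (example code written for this page, not Comodo's or any browser vendor's): a Go client that runs ordinary chain validation and then rejects any certificate whose issuer and serial number are on a local blocklist, so a known-bad certificate is refused even when OCSP or CRL lookups are blocked. The issuer name "Example Reseller CA", the serial 4919 and the throwaway certificates are constructed placeholders; the real serial numbers are not given on this page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// blocklist stands in for the static blacklist the browser vendors shipped: one entry
// per mis-issued certificate, keyed "issuer CN/serial". Constructed sample; the real serials are not on this page.
var blocklist = map[string]bool{"Example Reseller CA/4919": true}

// verifyWithBlocklist runs ordinary path validation for host, then rejects the chain if any
// certificate in it is blocklisted. No network is involved, so it still bites when OCSP/CRL fetching is blocked.
func verifyWithBlocklist(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return err
	}
	for _, c := range chains[0] {
		if blocklist[c.Issuer.CommonName+"/"+c.SerialNumber.String()] {
			return errors.New("serial " + c.SerialNumber.String() + " is on the static blocklist")
		}
	}
	return nil
}

// makeCerts builds a throwaway CA and a leaf for host with the given serial (constructed
// fixture standing in for a certificate the CA should never have issued).
func makeCerts(serial int64, host string) (*x509.Certificate, *x509.CertPool) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Reseller CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ := x509.ParseCertificate(caDER)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour)}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	leaf, _ := x509.ParseCertificate(leafDER)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return leaf, pool
}
```

The blocklist check runs after the chain has already been validated, so it only ever narrows what is accepted; it never substitutes for signature or hostname verification.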
The conclusions Comodo has drawn from the incident are particularly interesting: the circumstantial evidence suggests that the Iranian government carried out the attacks, probably in order to spy on the communications of members of the opposition. The CA said that the government controls the DNS, which is reportedly required for these attacks to be possible in the first place, since a fraudulent certificate is only useful to someone who can also steer victims' connections to a server under their control. According to Comodo, the incident mainly targeted servers hosting email and VoIP services as well as social networking sites.