Comodo attack highlights issues in SSL certificate security

REVIEW: In the wake of the recent Comodo incident, the focus has been on fixing the public key infrastructure, whether it's on the DNS or browser level.

By Fahmida Rashid
In the aftermath of the recent Comodo attack, the consensus appears to be that a portion of the Internet infrastructure is broken. The difficulty is in agreeing on where it's broken.

Shortly after a lone perpetrator compromised Comodo Security's partners and received nine SSL certificates for some very popular sites, Comodo Security CEO Melih Abdulhayoglu said the incident would have been a "non-incident" if the underlying DNS (Domain Name System) infrastructure had been secure. Others argued that it was important for browsers to be more proactive about checking certificates.

Comodo detected the fraudulent certificates for Microsoft, Google, Yahoo, Mozilla and Skype as they were issued and revoked them immediately, the company disclosed on March 23. There appear to have been no attempts to use the certificates.
The Domain Name System translates the numeric IP addresses into text-based domain names, allowing users to surf the Web without knowing the server's exact address. The DNS records are maintained by the Internet service provider, and there's nothing in them that indicates who is authorized to secure the site.

Major Web browsers also enable Online Certificate Status Protocol (OCSP) checking to automatically block revoked certificates, but it is not enabled by default in Safari. If the fraudulent certificates had been used, Safari users would have been vulnerable.
Philip Hallam-Baker, Comodo vice president, presented a proposal at the 80th meeting of the Internet Engineering Task Force in Prague on April 4 to create a new Resource Record in the domain's DNS record. Co-authored by Comodo and Google, the record would identify which certification authority can issue certificates for that domain.

This proposal would place the control of the domain back in the domain owners' hands, where it belongs, said Abdulhayoglu. "There is no security in DNS," he said, noting that the vulnerabilities are well-known. There have been increased attacks on the DNS infrastructure, as it is a "rich ground to feed," he said.

The way the system is currently implemented, Google Chrome and Mozilla Firefox had completely different CRLs (Certificate Revocation Lists) for a few days between when the attack was detected and when it was disclosed. While Microsoft, Google and Mozilla quickly pushed out CRL updates to block the Comodo certificates, Apple doesn't use CRL for its Safari Web browser.

Comodo's proposal won't fix all the problems, James Lyne, director of technology strategy at Sophos, told eWEEK. DNS records can be faked, and not everyone will buy expensive certificates from Comodo and VeriSign. They may decide to self-sign their certificates or pursue a low-cost alternative, which means that browsers would be back to having to trust certificates from several hundred sources.

"The way the CA [certification authority] system is designed is not how it was originally designed," Lyne said. The system was supposed to be more hierarchical, with only a few organizations trusted to sign certificates.

Browser developers need to be more proactive about stopping users from getting to sites with expired or improper certificates, instead of letting them bypass the warnings, Lyne said. Once organizations realize that customers can't reach their sites because they haven't been maintaining their security certificates, they will quickly clean up their act, he added.
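To make the proposal concrete, here is an added example (not code from the article, Comodo or Google) of the check a CA would run before issuing: look up the domain's authorization record in DNS and refuse to issue unless the record names that CA. The example assumes the record shape the idea later took as the standardized CAA record (RFC 6844 / RFC 8659): a flags byte, a tag such as `issue` or `issuewild`, and a value naming the permitted CA, with `;` alone meaning "no CA may issue". The zone data, the CA names (`ca-one.example`, `ca-two.example`) and the unknown tag `futuretag` are all constructed for the example; no DNS query is made, and the reading of "no governing record means unrestricted" is the RFC's, applied here as an assumption.

```python
"""Added example: deciding whether a CA may issue for a name from
DNS-stored authorization records (CAA-style, RFC 6844 / RFC 8659).
Zone data below is constructed; nothing is looked up on the network.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Bit 0 of the flags byte: a record the CA does not understand must block issuance.
CRITICAL_FLAG = 0x80


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def _fqdn(name: str) -> str:
    """Lower-case and normalise the trailing dot so names compare consistently."""
    return name.lower().rstrip(".") + "."


# Constructed zone: owner name -> CAA RRset (hypothetical CA names).
ZONE: Dict[str, List[CAARecord]] = {
    # One CA may issue; wildcard certificates are forbidden outright (";").
    "example.com.": [
        CAARecord(0, "issue", "ca-one.example"),
        CAARecord(0, "issuewild", ";"),
    ],
    # A subdomain overriding its parent's policy with a different CA
    # (the parameter after ";" is ignored for the authorization decision).
    "dev.example.com.": [CAARecord(0, "issue", "ca-two.example; account=42")],
    # A critical record with a tag this checker does not understand.
    "locked.example.net.": [
        CAARecord(0, "issue", "ca-one.example"),
        CAARecord(CRITICAL_FLAG, "futuretag", "x"),
    ],
}


def find_relevant_rrset(
    name: str, zone: Dict[str, List[CAARecord]]
) -> Optional[Tuple[str, List[CAARecord]]]:
    """Climb from `name` toward the root; return the first CAA RRset found.

    RFC 8659 section 3: the relevant RRset is the one at the name itself or
    at its closest ancestor that has CAA records. None means no policy.
    """
    labels = _fqdn(name).rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zone:
            return candidate, zone[candidate]
    return None


def _issuer_domain(value: str) -> str:
    """'ca.example; account=42' -> 'ca.example'; ';' alone -> '' (no CA allowed)."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(
    ca_domain: str, name: str, zone: Dict[str, List[CAARecord]], wildcard: bool = False
) -> bool:
    """True if `ca_domain` is permitted to issue for `name` (or "*.<name>")."""
    found = find_relevant_rrset(name, zone)
    if found is None:
        return True  # no CAA records at any level: issuance is unrestricted
    _owner, rrset = found

    # A critical record we cannot interpret means we must not issue at all.
    known = {"issue", "issuewild"}
    for rec in rrset:
        if rec.flags & CRITICAL_FLAG and rec.tag.lower() not in known:
            return False

    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    # Wildcard requests are governed by issuewild when present, else by issue;
    # non-wildcard requests ignore issuewild entirely.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # RRset exists but carries no governing property

    ca = ca_domain.lower().rstrip(".")
    return any(_issuer_domain(r.value) == ca for r in relevant)


if __name__ == "__main__":
    for ca, host, wild in [
        ("ca-one.example", "www.example.com", False),
        ("ca-two.example", "www.example.com", False),
        ("ca-one.example", "www.example.com", True),
        ("ca-two.example", "dev.example.com", False),
        ("ca-one.example", "locked.example.net", False),
    ]:
        label = f"*.{host}" if wild else host
        print(f"{ca:16} -> {label:24} {'allowed' if ca_may_issue(ca, host, ZONE, wild) else 'refused'}")
```

The climb toward the root is what lets a single record at `example.com` govern every host beneath it, while a more specific record at `dev.example.com` takes precedence for that subtree. The critical-flag check is the conservative failure mode: a CA that meets a record it cannot interpret refuses rather than guesses.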
[Photo caption: James Lyne, Sophos]