Sophos: Microsoft Warns of fraudulent certificates: is it time to rethink who we trust?
March 2011 by Sophos
Comodo warns Microsoft that certificates may be used to spoof content from popular web sites. Microsoft yesterday issued a Security Advisory warning that fraudulent digital certificates were issued by the Comodo Certificate Authority. This could allow malicious spoofing of high profile websites, including Google, Yahoo and Windows Live.
Comodo is a trusted root authority on all default Windows and OS X installations. IT security and control firm Sophos warns that this means an attacker could easily disguise a malicious web site as a known, trusted site in the eyes of consumers. According to the advisory from Microsoft, nine certificates were fraudulently issued by Comodo for the following web sites:
• login.yahoo.com (3 certificates)
• "Global Trustee"
According to Comodo, an account used for the approval of certificate requests was compromised within one of their trusted partners. While Comodo’s incident report claims that only one yahoo.com certificate was seen live on the Internet, it’s important that consumers are aware of the possibility that additional certificates could be issued.
"Comodo’s unfortunate security breach puts many consumers at risk, having opened the door for common and popular web sites visited by billions of people every day to have been spoofed," said Fraser Howard, principal threat researcher at Sophos. "Users on all platforms should ensure that they’ve got up-to-date certificate revocation data and appropriate browser settings. From a more long term perspective, let’s hope this incident makes industry players audit, not only their own security systems and policies, but those of their trusted partners as well to protect browsers in the future."
Sophos recommends the following prevention measures:
Enable CRL / OCSP in your browsers
Neither IE8's nor Firefox's certificate options are set to safe defaults on a fresh installation. Both browsers fall short in supporting SSL certificate revocation: IE8 has revocation checking off by default, and Firefox has only OCSP enabled.
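The following script is an added illustration of why that setting matters; it is not part of the Sophos release or Microsoft's advisory. It builds a throwaway PKI with the openssl command-line tool (assumed to be installed), issues a certificate for a made-up host name, revokes it through a CRL, and then verifies the certificate twice: a verifier that ignores revocation data still reports the revoked certificate as valid, while one with CRL checking enabled rejects it. "Example Demo CA" and "login.example.test" are constructed names, not real entities.

```shell
#!/bin/sh
# Added example, not from the Sophos advisory: a throwaway PKI showing why
# revocation checking must be enabled. A leaf certificate is issued, then
# revoked via a CRL. Verification without CRL checking still says "OK";
# with CRL checking it is rejected. Requires the openssl CLI.
# "Example Demo CA" and "login.example.test" are constructed names.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

build_pki() {
    cd "$WORK"
    # Minimal configuration shared by `openssl req` and `openssl ca`
    cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ ca ]
default_ca = demo
[ demo ]
database         = index.txt
new_certs_dir    = .
serial           = serial
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_crl_days = 1
crlnumber        = crlnumber
EOF
    : > index.txt
    echo 01 > serial
    echo 01 > crlnumber

    # Throwaway root CA (constructed, not a real authority)
    openssl req -config demo.cnf -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Example Demo CA" -keyout ca.key -out ca.crt 2>/dev/null
    # Leaf certificate for a made-up host, signed by the throwaway root
    openssl req -config demo.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=login.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 1 -out leaf.crt 2>/dev/null
}

revoke_leaf() {
    cd "$WORK"
    # Record the leaf as revoked in the CA database, then publish a CRL
    openssl ca -config demo.cnf -revoke leaf.crt 2>/dev/null
    openssl ca -config demo.cnf -gencrl -out ca.crl 2>/dev/null
}

# Verdict when revocation data is ignored: prints "OK" or "FAILED"
verify_without_crl() {
    cd "$WORK"
    if openssl verify -CAfile ca.crt leaf.crt >/dev/null 2>&1; then
        echo OK
    else
        echo FAILED
    fi
}

# Verdict with CRL checking enabled: prints "REVOKED", "OK" or "FAILED"
verify_with_crl() {
    cd "$WORK"
    out="$(openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl leaf.crt 2>&1)" \
        && { echo OK; return 0; }
    case "$out" in
        *"certificate revoked"*) echo REVOKED ;;
        *) echo FAILED ;;
    esac
}

build_pki
revoke_leaf
echo "without CRL check: $(verify_without_crl)"
echo "with CRL check:    $(verify_with_crl)"
```

The same certificate is presented in both runs; only the verifier's policy differs. A browser with revocation checking disabled is in the position of the first run, which is why the advice above is to turn CRL or OCSP checking on rather than to rely on the certificate chain alone.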
Microsoft’s advisory can be read here: http://www.microsoft.com/technet/se...