By Jim Tiller, Vice President, Security Professional Services, North America, BT Global Services
When boiled down to their most basic function, digital certificates are all about trust. And that trust recently was shattered. According to reports, nine valid but fraudulent certificates have been issued for major Internet sites — including Google mail, Microsoft Live and Yahoo — raising the possibility of undetectable phishing, man-in-the-middle and drive-by download attacks.
Issued by Comodo, a provider of anti-virus and firewall software as well as certificates, the secure sockets layer (SSL) certificates allow attackers to sign fraudulent sites and content. They were issued as a result of a compromise at a registration authority (RA), using stolen log-in credentials belonging to one of Comodo’s European partners, according to the company’s report on the incident.
This is why it matters… certificates represent a chain of trust. Assume I’m a certificate authority and provide you with an SSL certificate to secure your website. People who accept that certificate trust you because they trust me. Yes, it’s just that simple. If you don’t believe me, open your browser and look at all the “trusted” certificate authorities installed by default… that’s how you buy stuff on Amazon.
These top-level certificate authorities must be very secure, because they literally hold the keys to the kingdom. With the issuance of nine valid, but fraudulent, certificates for such trusted sites, you have a serious breach. The certificates were revoked, and all the other things you do in an attempt to render them useless were done — but saying that is an oversimplification.
Microsoft has provided information and issued an update to IE. But if your system isn’t configured (and many are not) to check the certificate revocation list (CRL) or to use the Online Certificate Status Protocol (OCSP), both of which check a certificate’s status at the moment it is used, then as far as your system is concerned, it is game over.
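To make the point concrete, here is an added example (not from the article, and not Comodo’s or Microsoft’s code) that uses the Python `cryptography` library to build a constructed root CA, a leaf certificate, and a CRL revoking that leaf, then shows how a client that skips the revocation check still accepts the revoked certificate while a client that consults the CA-signed CRL rejects it. All keys, names, hostnames and dates are constructed for the demo.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime.datetime(2011, 3, 23, tzinfo=datetime.timezone.utc)  # constructed clock

def name(cn): return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_ca():
    # Self-signed root, standing in for one of the roots a browser trusts by default.
    key, subj = ec.generate_private_key(ec.SECP256R1()), name("Example Root CA")
    cert = (x509.CertificateBuilder().subject_name(subj).issuer_name(subj)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=365))
            .sign(key, hashes.SHA256()))
    return key, cert

def issue_leaf(ca_key, ca_cert, hostname):
    # End-entity certificate signed by the CA; hostname is a constructed example.
    key = ec.generate_private_key(ec.SECP256R1())
    return (x509.CertificateBuilder().subject_name(name(hostname))
            .issuer_name(ca_cert.subject).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=365))
            .sign(ca_key, hashes.SHA256()))

def build_crl(ca_key, ca_cert, revoked):
    # The CA's signed list of serial numbers it has withdrawn.
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(NOW).next_update(NOW + datetime.timedelta(days=7)))
    for cert in revoked:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder().serial_number(
            cert.serial_number).revocation_date(NOW).build())
    return b.sign(ca_key, hashes.SHA256())

def client_accepts(cert, ca_cert, crl=None):
    # The chain check every client performs, then the revocation check many skip.
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False
    if crl is None:
        return True  # not configured to check CRL/OCSP: a revoked cert still passes
    if not crl.is_signature_valid(ca_cert.public_key()):
        return False  # a CRL not signed by the CA proves nothing
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is None
```

A real client would fetch the CRL from the certificate's CRL distribution point (or query OCSP) rather than receive it as an argument; the decision logic is the same.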