F-Secure’s representatives Mikko Hypponen and Sean Sullivan discuss the present-day issues with code signing and SSL certificates trustworthiness, and get into details of the notorious Comodogate hack.
There are lots security things that we can talk about: well, the RSA hack, a bit earlier the HBGary hack, the Epsilon hack, where they lost all the customer information – lots of things happening right now. But today’s topic is SSL situation with Comodo-gate, and I think that’s one of the bigger problems we have overall in the computer security industry – CAs, and how we implicitly trust companies that sell certificates, either for SSL encryption of websites or certificates for code signing. CA stands for ‘certificate authority’, basically a company that everybody blindly trusts – simply because, well, you blindly trust these companies. VeriSign and GoDaddy are the biggest certificate authorities in the world, and number three is Comodo.
And overall, there are hundreds, maybe thousands of different certificate authorities and then regional authorities, which are basically resellers for these bigger CAs. You can see these CAs if you go to your web browser, and if you look into Settings – and you’ll find the list of CAs which basically you trust, which are built into your browser. And this list differs a bit, like Firefox might have a hundred different CAs it trusts, Chrome might have fifty or so.
Firefox has dropped the Lock symbol because they are going after more screen space, so they have a different sign, the blue and green kind of logo next to the address, indicating you are on a secure site.
I think kind of the problem being that secure does not necessary mean validation of identity. In iKey case, there was usage of Japanese web shop in order to get that kind of lock or that HTTPS connection, but because it was a mobile worm it didn’t show you that it was the wrong certificate.
That’s the point, I mean, having a SSL connection doesn’t really guarantee that you are connected to who you think you connected. It does guarantee that the connection is encrypted. And when a CA sells a certificate, they are really supposed to check that they actually sell it to the party who actually is who they claim to be, but that’s where they often fall short.
He created seven or eight certificates for mail.yahoo.com, mail.google.com, hotmail – so basically email services; and then addons.mozilla.org, which is basically the site where Firefox gets the extensions and add-ons for the browser.
Comodo said that they believed this was a state sponsored attack coming from Iran. And they didn’t really go into details. They just said that the IP addresses were coming from Iran. But they apparently had some other information as well, which made them make that comment.
And of course we learned later, when the actual hacker, or the guy who claimed to be the hacker, came to publicity over messages he posted to Pastebin and to Twitter, that apparently yes, he was from Iran.
This is not the first time with Comodo, thinking of certificate authority and being compromised. There was also another case in August.
Going back to the point about the code signing, one of our researches in the lab did a paper related to certificates for signing binaries. And in August 2010, there was a case of corporate identity theft in which Comodo issued a certificate to an individual spoofing a company, where they didn’t actually produce software.
What basically happened was that we found a sample which was signed by a code signing certificate. It was obviously malware, so we were surprised it was signed. We contacted the company that had signed it. And this company didn’t do any development at all. They were baffled, like, how come they had signed a program, because they don’t do any programs.
So there was a company that doesn’t do any code development, yet they had applied and received a code signing certificate from Comodo. And apparently what had happened is that somebody had broken into this company, broken into one of their computers and issued a code signing request, or applied for a certificate from Comodo, and got it then for the name of the company. That person had accessed the system’s email.
A phone call was made, and the person whose email was used was reached by phone, and they said ‘No’, they were kind of confused as to what the question even meant. And that’s probably part of the problem, people seeking in such a way to validate: “Hey, you are the one asking for a certificate, right?” The second time they came around, the person said: “Yes, I guess I approved this”, not knowing what it was that he or she was approving.
So the problem is that certificate authorities were founded in the 90s, basically when the web started, in 1994, 1995. So the structure probably hasn’t scaled very well with the growth of the Internet. So making a phone call to somebody in order to say “Hey, you are the person who runs this website, you actually did ask for the certificate, correct?” – is pretty tricky to do when there are seven billion people on the planet, and probably as many websites that will be in the future. How many millions of them have SSL certificates now, nobody knows. And it’s tough even knowing exactly how many CAs and RAs (regional authorities) there are.
Just go and look into your browser, you’ll find that you blindly trust CAs from China, from Bermuda, from Tunis. So the situation with SSL, HTTPS, and CAs isn’t really that great.
