Major browser makers are beginning to revisit how they handle Web authentication after last month’s breach that allowed a hacker to impersonate sites including Google.com, Yahoo.com, and Skype.com.
The efforts are designed to remedy flaws in the odd way Web security is currently handled. Currently, everyone from the Tunisian government to a wireless carrier in the United Arab Emirates that implanted spyware on customers’ BlackBerry devices and scores of German colleges are trusted to issue digital certificates for the largest and most popular sites on the Internet.
Microsoft’s manager for trustworthy computing, Bruce Cowper, told CNET that the company is “investigating mechanisms to help better secure” certificate authorities, which issue trusted digital certificates used to encrypt Web browsing, against this type of attack.
On Friday, Ben Laurie, a member of Google’s security team, said the Mountain View, Calif., company is “thinking” about ways to upgrade Chrome to highlight possibly fraudulent certificates that “should be treated with suspicion.”
If the technology were widely adopted and glued into major browsers, that would have made last month’s Comodo breach a non-event. The Jersey City, N.J.-based company announced on March 23 that an intruder it traced to Iran compromised a reseller’s network and obtained fraudulent certificates for major Web sites including ones operated by Google and Microsoft. The FBI is investigating.
Comodo alerted Web browser makers, which immediately scrambled to devise ways to revoke the fraudulent certificates. There’s no evidence the certificates were misused.
Peter Eckersley, a senior staff technologist at the Electronic Frontier Foundation who has compiled a database of all public Web certificates, says one way to improve security is to allow each Web site to announce what certificate provider it’s using.
Each browser trusts as many as 321 certificate authorities equally, a security nightmare that allows any of them to issue fake certificates for, say, Google.com. It’s as if hundreds of superintendents in New York City had the master keys to every unit in every apartment building–as opposed to the normal practice of one master key per superintendent.
Eckersley says browsers should be developing “a way for each domain name holder to persistently specify its own private certificate authority if it wishes to.” Once that is established, “mistakes at any one of thousands of other organizations would no longer give hackers a magic key to your systems,” he says.
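The difference between the two trust models described above, as an added Python sketch that is not from the article or from any browser's code. The CA names, host names and pin table are constructed for illustration, and the function names are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str  # host name the certificate claims to speak for
    issuer: str   # certificate authority that signed it


# Constructed root store: every entry is trusted equally for every host.
ROOT_STORE = {"BigCA", "ResellerCA", "RegionalCA"}

# Constructed declarations: the domain holder names the CA(s) it actually uses.
DOMAIN_PINS = {"mail.example.com": {"BigCA"}}


def accept_flat(cert, host):
    """Flat model: any CA in the root store may vouch for any host."""
    return cert.subject == host and cert.issuer in ROOT_STORE


def accept_pinned(cert, host, pins=DOMAIN_PINS):
    """Holder-declared model: if the host declared issuers, only those count."""
    if not accept_flat(cert, host):
        return False
    allowed = pins.get(host)
    # Hosts with no declaration fall back to the flat model.
    return allowed is None or cert.issuer in allowed


def exposure(host, pins=DOMAIN_PINS):
    """CAs whose compromise would produce an accepted certificate for host."""
    return {ca for ca in ROOT_STORE if accept_pinned(Cert(host, ca), host, pins)}


if __name__ == "__main__":
    # Certificate for a pinned host, signed by a CA the holder never chose.
    rogue = Cert("mail.example.com", "ResellerCA")
    print("flat model accepts rogue cert:  ", accept_flat(rogue, rogue.subject))
    print("pinned model accepts rogue cert:", accept_pinned(rogue, rogue.subject))
    print("CAs that matter for pinned host:  ", exposure("mail.example.com"))
    print("CAs that matter for unpinned host:", exposure("shop.example.org"))
```
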
Securing domain names with a technology called DNSSEC will also play a “large” role, he says. Other long-term technical fixes that have been proposed have names like DANE, HASTLS, CAA (Comodo’s Philip Hallam-Baker is a co-author), and Monkeysphere.
Comodo’s revelations have highlighted the flaws of the current system. There is no automated process to revoke fraudulent certificates. There is no public list of certificates that companies like Comodo have issued, or even which of its resellers or partners have been given a duplicate set of the master keys. There are no mechanisms to prevent fraudulent certificates for Yahoo Mail or Gmail from being issued by compromised companies, or repressive regimes bent on surveillance, some of which have their own certificate authorities.
The Internet death penalty
Another option would invoke the Internet death penalty: revoking Comodo’s status as a trusted source of digital certificates. Each major browser has a different list of which certificate authorities are trusted, and Comodo appears on all of them. (See related CNET article and spreadsheet.)
Mozilla says in a Web page that it is “interested in more detailed impact assessments” of how the death penalty applied to Comodo–an unprecedented punishment–would work in practice.
Cowper declined to provide details about whether a similar step is being considered for Internet Explorer: “Microsoft will not discuss any decision about Comodo’s membership in the Windows Root Certificate Program.” He added: “Microsoft is in ongoing discussions with Comodo regarding this incident. After completing this review and evaluating the appropriate mitigation steps, Microsoft will ensure that Comodo and other (certificate authorities) comply with any updated program requirements.”
Microsoft already requires that certificate authorities “complete a qualified audit and submit the audit report” every 12 months. So does Mozilla.
Google’s Chrome browser relies on the list of trusted certificates compiled by Microsoft and, under OS X, Apple. “We haven’t deviated from the default lists, nor do we have current plans to,” a Google spokesman says. Apple did not respond to a request for comment.
Melih Abdulhayoglu, Comodo’s founder and chief executive, says that security has been tightened as a result of the breach in an Italian partner’s network.
“There is no 100 percent security,” Abdulhayoglu added. He said that “any large” issuer of digital certificates is susceptible to concerted attacks. “VeriSign and Comodo, we’ve both had issues.”
Norway-based Opera Software, maker of the eponymous Web browser, is considering a “move towards stricter requirements regarding having revocation information available before allowing a secure connection to complete.”
Opera’s Yngve Pettersen wrote in a blog post last Thursday that such a requirement would make it easier to revoke certificates that were issued fraudulently.