A matéria a seguir, publicada aqui, fala de um ataque bem sucedido a Comodo que fez com que certificados falsos de diversos serviços populares fossem emitidos, e levanta alguns dos problemas do modelo pouco controlado de centenas de ACs que são "confiadas" pelos navegadores hoje em dia.
Solução? O pessoal da industria vai dizer EV-SSL, mas e aí, até quando pro EV-SSL ceder a mesmo tipo de problema?
Web Browsers and Comodo Announce A Successful Certificate Authority Attack, Perhaps From Iran
By Steve Schultze - Posted on March 23rd, 2011 at 2:05 pm
Today, the public learned of a previously undisclosed compromise of a trusted Certificate Authority -- one of the entities that issues certificates attesting to the identity of "secure" web sites. Last week, Comodo quietly issued a command via its certificate revocation servers designed to tell browsers to no longer accept 9 certificates. This is fairly standard practice, and certificates are occasionally revoked for a variety of reasons. What was unique about this case is that it was followed by very rapid updates by several browser manufacturers (Chrome, Firefox, and Internet Explorer) that go above and beyond the normal revocation process and hard-code the certificates into a "do not trust" list. Mozilla went so far as to force this update in as the final change to their source code before shipping their major new release, Firefox 4, yesterday.
This implied that the certificates were likely malicious, and may even been used by a third-party to impersonate secure sites. Here at Freedom to Tinker we have explored the several ways in which the current browser security system is prone to vulnerabilities [1, 2, 3, 4, 5, 6]
Clearly, something exceptional happened behind the scenes. Security hacker Jacob Applebaum did some fantastic detective work using the EFF's SSL Observatory data and discovered that all of the certificates in question originated from Comodo -- perhaps from one of the many affiliated companies that issues certificates under Comodo's authority via their "Reseller Authority" (RA) program. Evidently, someone had figured out how to successfully attack Comodo or one of their RAs, or had colluded with them in getting some invalid certs.
Applebaum's pressure helped motivate a statement from Mozilla and a statement from Microsoft that gave a little bit more detail. This afternoon, Comodo released more details about the incident, including the domains for which rogue certificates were issued: mail.google.com, www.google.com, login.yahoo.com, login.yahoo.com, login.yahoo.com, login.skype.com, addons.mozilla.org, login.live.com, global trustee. Comodo noted:
"The attack came from several IP addresses, but mainly from Iran."
"this was likely to be a state-driven attack"
It is clear that the domains in question are among the most attractive targets for someone who wants to surveil the personal communications of many people online by inserting themselves as a "man in the middle." I don't have any deep insights on Comodo's analysis about the attack's origins, but it seems plausible. (I should note that although Comodo claims that only one of the certificates was "seen live on the Internet", their mechanism for detecting this relies on the attacker not taking some basic precautions that would be well within the means and expertise of someone executing this attack.)
What does this tell us about the current security model for web browsing? This instance highlights a few issues:
Too many entities have CA powers: As the SSL Observatory project helped demonstrate, there are thousands of entities in the world that have the ability to issue certificates. Some of these are trusted directly by browsers, and others inherit their authority. We don't even know who many of them are, because such delegation of authority -- either via "subordinate certificates" or via "reseller authorities" -- is not publicly disclosed. The more of these entities exist, the more vulnerabilities exist.
The current system does not limit damage: Any entity that can issue a certificate can issue a certificate for any web site in the world. That means that a vulnerability at one point is a vulnerability for all.
Governments are a threat: All the major web browsers currently trust many government agencies as Certificate Authorities. This often includes places like Tunisia, Turkey, UAE, and China, which some argue are jurisdictions hostile to free speech. Hardware products exist and are marketed explicitly for government surveillance via a "man in the middle" attack.
Comodo in particular has a bad track record with their RA program: The structure of "Reseller Authorities" has led to poor or nonexistant validation in the past, but Mozilla and the other browsers have so far refused to take any action to remove Comodo or put them on probation.
We need to step up efforts on a fix: Obviously the current state of affairs is not ideal. As Applebaum notes, efforts like DANE, CAA, HASTLS, and Monkeysphere deserve our attention.
"Then you will know the truth, and the truth will set you free"
There are currently 1 users browsing this thread. (0 members and 1 guests)