Comodo, the Jersey City, NJ security company whose reseller published fake certificates, disputes the allegation, saying at no point was anyone at risk.
Last week, attackers used a valid username and password to obtain nine SSL certificates -- used to prove that a site is legitimate --- of a Comodo affiliate. The certificates were for six websites, including Microsoft's Hotmail login sites, Google's Gmail, Skype's phone and chat service, and Yahoo Mail. A certificate for Mozilla's Firefox aggregates site was also obtained.
As revealed by Comodo, the company attacked to generate fake certificates, at least one of the certificates logon.yahoo.com was used to legitimize a fake Yahoo site hosted on an Iranian ISP.
According to Melih Abdulhayoglu the CEO and founder of Comodo there is highly circumstantial evidence that the Iranian government backed the attack on its partner to obtain SSL certificates. He added that the attack was "very well executed by cybercriminals. It was well planned and I knew exactly what they wanted to get."
Comodo waited eight days before revealing the attack, using that time to investigate, revoke certificates and contact browser makers such as Google, Firefox and Microsoft so they could release updates blocking fake certificates.
That delay put Iranians at risk, says Jacob Appelbaum, a researcher at the University of Washington's Security and Privacy Research Lab. Appelbaum independently discovered the certificate theft last week and contacted Comodo, Mozilla and Google about what it discovered.
On Tuesday, Appelbaum published its analysis on the Tor project blog. Tor is a system that allows people to anonymously connect to the Web and is often used in countries where the government monitors the online activity of their citizens.
"By keeping this silent for eight days, Comodo and others put lives at risk," Appelbaum says, referring to anti-government Activists from Iranians who may have been redirected to fake sites and thus reveal their identities and plans. "They were completely unable to protect themselves during that span of time. Users should have had this information earlier."
Appelbaum said Iranian authorities confront activists with online evidence of their alleged crimes during interrogations. "They regularly show those who are arrested their Internet traffic information," Appelbaum said.
Abdulhayoglu said there was no proof that anyone in Iran was at risk because of the delay in disclosure.
The only certificate that Comodo actually saw in use was one of three assigned to Yahoo, login.yahoo.com. "Only one certificate was seen live, and it was just a test," Abdulhayoglu said,
According to Comodo, the fake Yahoo site went offline just after the company revoked the fake certificates.
Comodo has not been able to confirm whether the attackers were actually able to get anything from the other eight certificates before they were revoked, Abdulhayoglu admitted. He also declined to share details about the attack, including the reseller whose account was used to acquire the certificates or how the attackers obtained the reseller's username and password, citing an ongoing judicial investigation.
Either way, there was no reason to disclose the theft before browser makers could patch their software to block the stolen certificates. "There's no point in revealing it if it doesn't have a remedy," Abdulhayoglu said. "There the patches, which make everyone safe."
Abdulhayoglu said the delay was necessary for "responsible disclosure," the practice of containing information about security vulnerabilities or issues until a fix is ready.
Google, Microsoft and Mozilla have each released updates to add the nine fake certificates to the blacklist in their browsers.
Google updated Chrome last week, and on Tuesday Mozilla released updates for Firefox. Microsodt released its update Wednesday for its Windows users.
But Appelbaum argues that no one -- except for the attacker who had the stolen certificates -- could have been damaged if Comodo and the others had published the news earlier.
"The only people who can attack using the certificates are those who have them," Appelbaum said. "I can't launch an attack, I'm only able to detect an attack using the certificates."
Translation: Raul Batista - Segu-Info
Author: Gregg Keizer
Source: Networkworld
