[+] Wayc0de's Blog[+]

30/08/11

Attackers Obtain Valid Cert for Google Domains, Mozilla Moves to Revoke It

A certificate authority in the Netherlands issued a valid SSL wildcard certificate for Google to a third party in July, leading to concerns that attackers may have been using the certificate to route sensitive traffic through their own servers, capturing it and compromising user data in the process. The certificate was revoked by the CA, DigiNotar, after the problem came to light Monday.

The attack appears to have been targeting Gmail users specifically. Some users trying to reach the Gmail servers over HTTPS found that their traffic was being rerouted through servers that shouldn't have been part of the equation. On Monday afternoon, security researcher Moxie Marlinspike checked the signatures on the certificate for the suspicious server, which had been posted to Pastebin and elsewhere on the Web, and found that the certificate was in fact valid. The attack is especially problematic because the certificate is a wildcard cert, meaning it is valid for any of Google's domains that use SSL.

It's not clear who DigiNotar issued the certificate to at this point.

Security and privacy experts began discussing the problem Monday, after some people in Iran began posting messages to Twitter and elsewhere about the possibility of a man-in-the-middle attack by the country's government, using the certificate. The certificate was issued on July 10, and Mozilla said on Monday that it is planning to issue immediate updates to many of its products, including Firefox, Thunderbird and others, to remove the DigiNotar root CA.

"Users on a compromised network could be directed to sites using a fraudulent certificate and mistake them for the legitimate sites. This could deceive them into revealing personal information such as usernames and passwords. It may also deceive users into downloading malware if they believe it’s coming from a trusted site.

We have received reports of these certificates being used in the wild," Mozilla security officials said in a blog post.

"Because the extent of the mis-issuance is not clear, we are releasing new versions of Firefox for desktop (3.6.21, 6.0.1, 7, 8, and 9) and mobile (6.0.1, 7, 8, and 9), Thunderbird (3.1.13, and 6.0.1) and SeaMonkey (2.3.2) shortly that will revoke trust in the DigiNotar root and protect users from this attack."

The problem with the fraudulent *.google.com certificate is quite similar to the results of the attack on Comodo earlier this year in which the attackers were able to compromise one of the company's European registration authorities and issue valid SSL certs for Gmail, Yahoo, Skype and several other high-value sites.

Firefox users who want to disable the browser's trust of the DigiNotar root immediately can do so by clicking on Options, then Advanced, then Encryption and then selecting the View Certificates option. Then scroll down to the DigiNotar root CA, click on it and then click on Delete or Distrust.
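Removing the root from the browser's trust store is one side of the defence; the other is checking, for each presented certificate, whether its name actually covers the host and whether its chain ends in a root the site is expected to use. The following is an added example, not code from the article or from Mozilla: certificate fields are a constructed dict standing in for a parsed X.509 certificate, and "Example Trusted CA" and the pinning policy are hypothetical.

```python
# Added example (not from the article): a minimal check a client-side monitor
# could apply to a presented leaf certificate. Certificate fields are a
# constructed dict standing in for a parsed X.509 certificate.

# Roots whose trust has been revoked, as Mozilla did for DigiNotar.
DISTRUSTED_ROOTS = {"DigiNotar Root CA"}

# Hypothetical pinning policy: root CAs a site operator expects to see for a
# domain. "Example Trusted CA" is a placeholder, not a real CA.
EXPECTED_ROOTS = {"google.com": {"Example Trusted CA"}}


def name_matches(pattern, host):
    """RFC 6125 wildcard rule: '*' covers exactly one left-most label, so
    '*.google.com' matches mail.google.com but not google.com or a.b.google.com."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                 # ".google.com"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]         # the part the '*' stands for
    return bool(label) and "." not in label


def registrable_domain(host):
    """Naive: last two labels (enough here; real code consults the Public Suffix List)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def evaluate_cert(cert, host):
    """Return (verdict, reason) for a cert dict with 'names' and 'root_cn'."""
    if not any(name_matches(n, host) for n in cert["names"]):
        return ("reject", "no certificate name matches %s" % host)
    if cert["root_cn"] in DISTRUSTED_ROOTS:
        return ("reject", "chains to distrusted root %s" % cert["root_cn"])
    expected = EXPECTED_ROOTS.get(registrable_domain(host))
    if expected and cert["root_cn"] not in expected:
        return ("reject", "root %s is not pinned for %s" % (cert["root_cn"], host))
    return ("accept", "name matches and root is acceptable")


# Constructed sample certificates; field values are illustrative only.
FRAUDULENT_CERT = {"names": ["*.google.com"], "root_cn": "DigiNotar Root CA"}
LEGIT_CERT = {"names": ["*.google.com", "google.com"], "root_cn": "Example Trusted CA"}
UNPINNED_CERT = {"names": ["*.google.com"], "root_cn": "Some Other Root CA"}

if __name__ == "__main__":
    for label, cert in [("fraudulent", FRAUDULENT_CERT), ("legit", LEGIT_CERT), ("unpinned", UNPINNED_CERT)]:
        print(label, evaluate_cert(cert, "mail.google.com"))
```

The distrust list catches the DigiNotar case directly; the pinning check catches the broader failure mode, a certificate from any root the site operator never expected, which is what a Comodo-style mis-issuance would look like.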
