Comodo SSL Certificate Breach’s Potential Impact on Security Token Services and their Identity Providers

Recently, Iranian crackers used a username and password to make certificate requests from the Comodo Certificate Authority. These requests were successful, and certificates were issued for 9 domains, which are published on the Comodo Fraud Incident Report page: http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html

This issue is of particular importance to me because SSL is the primary mechanism by which integrity and confidentiality are assured for Security Tokens and Security Token Requests. My latest blog post provides instructions on how to add Yahoo and Google as Identity Providers to Windows Azure AppFabric Access Control Service v2.0. The fraudulent certificates are for the major Identity Provider sources on the Internet (e.g. mail.google.com, www.google.com, login.yahoo.com, login.skype.com, addons.mozilla.org, login.live.com, global trustee). These certificates may be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Internet application users (in my view, it potentially impacts more than just applications accessed via web browsers). Although the sky is far from falling, this breach does illuminate some pretty significant vulnerabilities in our Internet security infrastructure, which need to be tightened.

Revocation of your computer’s trust in these certificates is delivered via a web browser update (which is also very unfortunate, as it makes the procedure for responding to such security threats extremely cumbersome and hard to orchestrate). In short, you (and/or your application users) must update your web browsers to gain protection. Here are a few links for popular web browsers:

Microsoft IE Browser: http://support.microsoft.com/kb/2524375
Firefox Browser: http://www.mozilla.com/en-US/firefox/3.6.16/releasenotes/
Google Chrome: Tools/About (update will install automatically if you are online)
Apple Safari: http://www.apple.com/safari/
Opera: http://www.opera.com/download/

Each web browser is different, but to verify that you are protected, navigate to your browser’s certificate store and find the “Untrusted Publishers” tab (or equivalent). You want to see the domains listed above in the “Issued To” column of untrusted publishers. The following is from Internet Explorer:

Please notice that there are only EIGHT certificates in the revocation list. I am puzzled as to why the “www.google.com” certificate is missing; however, more information was not readily available at the time I wrote this blog post.
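The browser update only protects browsers. A non-browser client that requests Security Tokens from an Identity Provider (for example a service talking to one of the hosts above) still trusts any certificate chaining to a trusted CA, so a mis-issued certificate is accepted. The added example below, which is not code from this post or from ACS, shows the usual mitigation for such a client: let the standard chain check run, then pin the SHA-256 fingerprint of the Identity Provider's leaf certificate and refuse a chain-only match for hosts that require a pin. The hostname `sts.example.test`, its pinned fingerprint and the DER bytes are constructed placeholders; a real deployment would record the fingerprint of the certificate it verified out of band.

```python
"""Certificate pinning for a token client talking to an Identity Provider.

Added example for this post; the pin table and DER bytes are constructed.
The standard library verifies the CA chain during the handshake; the pin
is the extra check that holds up when a trusted CA mis-issues.
"""
import hashlib
import socket
import ssl

# Hosts for which the client must hold a pin before trusting the connection.
# The first six are the Identity Provider hosts named in the Comodo report;
# sts.example.test is a constructed placeholder for this example.
PIN_REQUIRED = {
    "mail.google.com", "www.google.com", "login.yahoo.com",
    "login.skype.com", "addons.mozilla.org", "login.live.com",
    "sts.example.test",
}

# Constructed pin table: hostname -> SHA-256 hex fingerprint of the DER leaf
# certificate that was verified out of band. Populate from trusted config.
PINS = {
    "sts.example.test": hashlib.sha256(
        b"constructed DER bytes for sts.example.test").hexdigest(),
}


def fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_bytes).hexdigest()


def check_pinned_certificate(hostname, der_bytes, pins=PINS,
                             pin_required=PIN_REQUIRED):
    """Decide whether the presented leaf certificate may be trusted.

    Returns (ok, reason). Policy:
      * pinned host, fingerprint matches   -> accept
      * pinned host, fingerprint differs   -> reject (possible mis-issuance)
      * no pin but host requires one       -> reject (fail closed)
      * no pin and none required           -> accept on CA chain alone
    """
    actual = fingerprint(der_bytes)
    expected = pins.get(hostname)
    if expected is None:
        if hostname in pin_required:
            return False, ("no pin configured for %s, which requires one; "
                           "not trusting a CA-only chain" % hostname)
        return True, "no pin for %s; accepted on CA chain alone" % hostname
    if actual != expected:
        return False, ("pin mismatch for %s: expected %s..., got %s..."
                       % (hostname, expected[:16], actual[:16]))
    return True, "pin match for %s" % hostname


def fetch_and_check(hostname, port=443, timeout=10):
    """Connect, let the chain verify, then enforce the pin on the leaf cert.

    Not called at import time; run it against a host you operate.
    """
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            der = tls.getpeercert(binary_form=True)
    return check_pinned_certificate(hostname, der)


if __name__ == "__main__":
    good = b"constructed DER bytes for sts.example.test"
    print(check_pinned_certificate("sts.example.test", good))
    print(check_pinned_certificate("sts.example.test", b"some other cert"))
    print(check_pinned_certificate("login.yahoo.com", b"any cert"))
```

Pinning trades flexibility for safety: the pin must be rotated whenever the Identity Provider renews its certificate, so log the reason string and alert on a mismatch rather than silently failing, since a mismatch is exactly the signal a mis-issued certificate would produce.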

Paul Mehner
