Browsers vulnerable to fraudulent SSL certificates

Security researcher ioerror has discovered a suspected Certificate Authority compromise. This may allow an attacker to impersonate a high-value website by presenting a fraudulent SSL certificate which nonetheless satisfies a browser's validity checks:

"A Certification Authority appeared to be compromised in some capacity, and the attacker issued themselves valid HTTPS certificates for high-value web sites. With these certificates, the attacker could impersonate the identities of the victim web sites or other related systems, probably undetectably for the majority of users on the internet."

ioerror discovered the compromise last week, but responsibly offered to embargo his findings until the launch of Firefox 4. Mozilla yesterday announced that it had revoked these fraudulent certificates and updated Firefox 4.0, 3.6 and 3.5 to recognise the fraudulent certificates and block them automatically.

By examining recent source code revisions in Chromium and Firefox, ioerror discovered certificate revocation lists (CRLs) for certificates issued by The USERTRUST Network, which is part of Comodo.

ioerror found 11 revoked certificates, which he believes could indicate a compromise at USERTRUST:

"This is evidence of a rather serious event and one that cannot be ignored. If I had to make a bet, I'd wager that an attacker was able to issue high value certificates, probably by compromising USERTRUST in some manner"

Furthermore, ioerror suggests that many users are probably still updating and therefore remain vulnerable to "the failure that is the CRL and OCSP method for revocation."

Mozilla revealed that addons.mozilla.org was one of the certificates acquired by the attacker, and ioerror called upon Comodo to disclose which other sites had been targeted.

Two years ago, a Comodo reseller erroneously issued an SSL certificate to an unverified party. Eddy Nigg demonstrably exploited a lack of validation by Certstar in order to obtain a legitimate domain-validated certificate for mozilla.com – a domain he did not own.