March 24, 2011

Rogue SSL certificates issued by Comodo

Patrik Runald

SSL certificates are used to validate the identity of a Web site to users. Yesterday Comodo, a certificate vendor, announced that nine SSL certificates had been bought and issued for the following domains: 

  • mail.google.com (Gmail)
  • login.live.com (Hotmail and Microsoft Live services)
  • www.google.com
  • login.yahoo.com (three different certificates)
  • login.skype.com
  • addons.mozilla.org (Firefox extensions)
  • "Global Trustee" 

Comodo added the rogue certificates to their Certificate Revocation List (CRL) on the evening of March 15, 2011, and Microsoft, Mozilla and others have released updates to their browsers since then.


What does this mean?

The rogue SSL certificates could have been used to set up Web sites that provide fake login pages for the services listed above (Gmail, Yahoo, Live, Skype etc.). By doing that, whoever was behind this could steal user names and passwords even though the traffic was encrypted with SSL, and the user wouldn't know anything was wrong. With the updated CRL, the user would get a warning when visiting a site using any of the rogue certificates and would hopefully not enter any credentials.

Comodo states in their report that a user account at one of their affiliate partners was compromised and used to issue the rogue certificates. The attacker used several IP addresses when doing this, but mainly used an IP address from Iran. According to the investigation done by Comodo the attacker was very quick to issue the certificates, knew exactly which domains to issue them for, and didn't waste any time when doing this.


How do Websense products protect users?

Users who have Windows Update enabled will receive the updated CRL automatically for Internet Explorer, and if you have automatic updates enabled for any other browser it will download the CRL as well. Our products can also check the validity of an SSL certificate; the benefit is that the product does this for all users, regardless of which browser they use and whether or not they have the update. This feature is not enabled by default in Websense Content Gateway, so follow the steps below to enable CRL verification.

If unsure, we recommend that you contact your Technical Account Manager to discuss how this change will affect the user experience in your particular environment.

  1. Log on to Content Gateway Manager.

  2. Go to Configure > My Proxy > Basic > Features > HTTPS, and enable HTTPS Protocol.
  3. Go to Configure > My Proxy > Basic > Restart and select Restart to enable the SSL Inspection (SSL Manager).
  4. Go to Configure > My Proxy > SSL > Validation > General and configure the page as follows:
    • Select Enable the certificate verification engine
    • Clear Deny certificates where the common name does not match the URL (see below)
    • Verify that Check certificate revocation by CRL is selected
    • Click Apply

  5. Optional step: Select the Verification Bypass tab and make sure the following options are selected. 
    Important note: This is an optional step that depends on your organization's security policy. If you choose this option, users will have the ability to continue browsing to dangerous Web sites with potential rogue SSL certificates, so if you don't wish to give users this choice, skip this step.

    This will prompt the user with a warning message informing them that the certificate is invalid, but they will have the option to click Continue to visit the page.
  6. Select the Revocation Settings tab and make sure that the automatic download of new CRL lists is enabled:


If the automatic download was disabled, we recommend that you force an update to make sure the latest CRL lists are downloaded. If the download was already enabled, you don't have to do this, as the updated CRL list from Comodo was released on March 15 and your Websense product will already have the list installed. Regardless of whether you have CRL verification turned on, the Advanced Classification Engine will scan the content from any site, including those using the rogue SSL certificates, as long as you have SSL inspection turned on, and block all malicious code.
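
What a setting such as "Check certificate revocation by CRL" adds on top of ordinary chain validation, shown as an added example that is not part of the original post or of any Websense product. It uses the `openssl` command line with a constructed demo CA and two constructed certificates (`rogue.example.test` and `good.example.test`), all of which are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: every key, name and certificate here is constructed for the demo.
crl_demo() {
  local d rc; d=$(mktemp -d) || return 1
  (
    cd "$d" || exit 1
    : > index.txt; echo 01 > crlnumber   # CA database files that `openssl ca` expects
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
crlnumber = crlnumber
default_md = sha256
default_crl_days = 7
EOF
    # Demo CA, plus two leaf certificates it signs ("rogue" is revoked later).
    openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 30 \
      -subj "/CN=Demo CA" -keyout ca.key -out ca.pem 2>/dev/null || exit 1
    serial=1001
    for name in rogue good; do
      openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=$name.example.test" -keyout "$name.key" -out "$name.csr" 2>/dev/null || exit 1
      openssl x509 -req -in "$name.csr" -CA ca.pem -CAkey ca.key \
        -set_serial "$serial" -days 30 -out "$name.pem" 2>/dev/null || exit 1
      serial=$((serial + 1))
    done
    # The CA revokes the rogue certificate and publishes a fresh CRL.
    openssl ca -config ca.cnf -keyfile ca.key -cert ca.pem -revoke rogue.pem 2>/dev/null || exit 1
    openssl ca -config ca.cnf -keyfile ca.key -cert ca.pem -gencrl -out crl.pem 2>/dev/null || exit 1
    # Validate each leaf twice: chain only, then chain plus CRL lookup.
    for name in rogue good; do
      for mode in chain-only crl-check; do
        opts=""; if [ "$mode" = crl-check ]; then opts="-crl_check -CRLfile crl.pem"; fi
        if out=$(openssl verify -CAfile ca.pem $opts "$name.pem" 2>&1); then res=accepted; else res=rejected; fi
        case $out in *"certificate revoked"*) res=revoked ;; esac
        echo "$name $mode: $res"
      done
    done
  )
  rc=$?; rm -rf "$d"; return "$rc"
}
crl_demo
```

The revoked certificate still chains to its CA and is accepted by a validator that never consults the CRL; only the CRL lookup rejects it, while the certificate that was not revoked passes both checks.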
