Accidentally Issued Fraudulent Certificates Could Help Phishers

Today, Microsoft released a Security Advisory warning that Comodo — one of their Windows Trusted Root Certification Authority partners — had accidentally issued nine fraudulent digital certificates for some very popular domains.

When you visit sites, digital certificates help ensure that the site you visit really is the one you think it is. Phishers often try to spoof popular sites in order to steal your credentials. Digital signatures can help prevent this by informing you when a site has an improper certificate, which doesn’t match the domain.

Unfortunately, Comodo mistakenly issued legitimate digital certificates to an unknown third party, giving that third party valid (though fraudulent) digital certificates for some very popular domains.

The affected domains or web properties include:

• login.live.com
• mail.google.com
• www.google.com
• login.yahoo.com (3 certificates)
• login.skype.com
• addons.mozilla.org
• “Global Trustee”

This means an attacker in possession of these fraudulent certificates can leverage them to either create very convincing spoofed sites for those domains, or to help them carry out Man-in-the-Middle (MitM) attacks, even when valid certificates are required.

That said, Comodo has already revoked the fraudulent certificatess. If your web browser supports Online Certificate Status Protocol (OCSP), and you’ve enabled it, then your browser should protect you from sites leveraging these false certificates.

Furthermore, Microsoft has also released a Windows update that revokes these signatures. If you have enabled automatic updates, you may have already received it. Otherwise, be sure to download and install it. Once you install Microsoft’s patch and/or enable OCSP, these fraudulent certificates should pose you no harm.

[UPDATE] Comodo has apparently messed up with certificates before.

– Corey Nachreiner, CISSP (@SecAdept)