Sophos Cloud Optix
Earlier today a person calling himself ComodoHacker made a submission to text posting site Pastebin.com. Similar to a previous post by ComodoHacker it is fair to call it a bit of a bragging rant.
Last March ComodoHacker claimed responsibility for the first attack against a certificate authority that resulted in bogus SSL certificates being issued in the wild.
In addition to claiming his attacks are far more sophisticated than Stuxnet and distancing himself from the Iranian government, he also claims to have compromised four other certificate authorities, including GlobalSign.
GlobalSign, the fifth largest certificate issuer according to NetCraft, responded to this news by immediately ceasing any further signing of certificates while they investigate.
Their response is interesting. While we don’t know if they have been compromised (and arguably, neither do they) they are making a tough choice that is what we should expect from organizations whose business models rely on trust.
It’s possible the accusations are simply from an anonymous raving lunatic. Yet they could be true, and rather than put the greater internet community at risk, GlobalSign is forgoing some revenue out of an abundance of caution.
That’s great news. Let’s hope that the accusations are false and everything is safe and secure at GlobalSign and the other three unnamed victims.
While I have argued for a long time that the certificate system is fragile and arguably broken, I’d rather not have two examples in one week to support my arguments.
With the whole SSL breach, and the fact that everyone seems to be data mining visits and searches, why does https://nakedsecurity.sophos.com return:
"nakedsecurity.sophos.com uses an invalid security certificate.
The certificate is only valid for the following names:
*.wordpress.com , wordpress.com
(Error code: ssl_error_bad_cert_domain)"?
That's a tricky one.
If you do the DNS lookups, you'll see that nakedsecurity.sophos.com is just a CNAME to sophosnews.wordpress.com – we're hosted by WordPress.com VIP – and that's why the certificate says "*.wordpress.com".
If you start at https://nakedsecurity.sophos.com/ then the certificate will match.
The bigger claim pretty much everybody has missed (so far) is that he has certificates to sign Windows Update packages. Pretty much every Windows PC out there has Windows Update enabled (it’s enabled by default since Windows XP SP2, in 2004) – and the only thing which authenticates updates is code signing. Considering this guy managed to get *.Google.com certification with code signing in the certificate – uhm!
After conclusive evidence have surfaced which proved the fraudulent certs were used almost exclusively against Iranian citizens, I am surprised to see there are still security experts who refer to the culprit as some random egotistic Iranian hacker who is “distancing himself from the Iranian government” and thus help the real culprit evade the blame.
Although it's better to work on this crappy certificate mechanism, it's useful to know that there is a rich, wealthy hacker named Iranian government. Don't be fool to think that this guy did it alone.