SANS NewsBites | March 25, 2011 | Vol. 13, Num. 024: “SSL Security Compromised…Attackers compromised a partner of SSL certificate authority, Comodo and issued themselves fraudulent SSL certificates. The certificates vouch for a site’s authenticity, and would have allowed the thieves to set up sites that fool visitors into believing they have reached major Internet presences, like Google, Microsoft and Skype. Comodo has revoked the stolen certificates.”
Microsoft released Security Advisory 2524375 on March 23, 2011, noting that the following domains were affected:
- login.yahoo.com (3 certificates)
- addons.mozilla.org (already known from an earlier announcement by Mozilla)
- “Global Trustee”
Now, here’s where it gets interesting. The IP address traced to the attacker belonged to an Iranian ISP. Think about it. Here’s what Comodo had to say in their blog post:
“The IP address of the initial attack was recorded and has been determined to be assigned to an ISP in Iran. A web survey revealed one of the certificates deployed on another IP address assigned to an Iranian ISP.”
Of course, the attacker could simply have been laying a false trail, which would be smart, but how about this?
“It does not escape notice that the domains targeted would be of greatest use to a government attempting surveillance of Internet use by dissident groups. The attack comes at a time when many countries in North Africa and the Gulf region are facing popular protests and many commentators have identified the Internet and in particular social networking sites as a major organizing tool for the protests.”
It’s a Brave New World.