Attackers managed to trick a HTTPS/TLS Certificate Authority into issuing fraudulent certificates. The improperly issued certs covered high-value domains including google.com, login.yahoo.com and addons.mozilla.org. One cert was for "global trustee" which could have enabled the impersonation of any domain on the web.
The CA involved, Comodo, said that one fraudulent login.yahoo.com cert was briefly deployed on an Iranian server. The attack on Comodo came primarily from IP addresses from Iran.
The system attacked acts as a guarantee of identity for some of the world's most popular web services. The certificate acts as a digital passport which is checked by the web browser in use. Most browsers have since been updated to detect the use of the bogus certificates to protect users. An obtained fraudulent certificate could aid in impersonating a popular web service on a malicious server.
Comodo said the attack exhibited "clinical accuracy" and added it was likely to be a state-driven attack. Since it came from Iranian sources and appears to have targeted mainly web communications services, it is thought to have been carried out at the request of Iranian authorities in pursuit of opposition groups in the country that use the web to coordinate their activities on the ground.
The incident has raised questions about web security in general. An article on the Electronic Frontier Foundation's website is worth a read.
Written by: James Delahunty @ 25 Mar 2011 20:51