The Comodo RA Compromise – How to protect yourself

Do you use Gmail? A fraudulent certificate for mail.google.com was issued on 15th March. What does this mean for you, and are you protected against this kind of attack?

 


On March 15th, 2011, an account belonging to a Comodo RA (Registration Authority, a reseller that validates certificate requests on Comodo's behalf) was compromised. The attacker used it to obtain nine certificates covering the seven names listed below. The attack was discovered by Comodo's internal controls and the RA account has been suspended. All nine certificates were revoked (via both CRL and OCSP).
The names on the certificates were as follows:

 

* addons.mozilla.org
* login.live.com
* mail.google.com
* www.google.com
* login.yahoo.com (x3)
* login.skype.com
* global trustee

 

Symantec advises the following:
1. Upgrade to the latest version of your browser of choice
2. Turn on OCSP checking in your browser settings
3. Choose EV SSL (the SSL that turns the browser address bar green)
Note that the third item is really advice to site operators; as a visitor you cannot choose the certificate a site presents, you can only notice when the green bar you expect is missing.

 

If you use Firefox you are protected if you have ticked the option "When an OCSP server connection fails, treat the certificate as invalid"
(Tools -> Options -> Advanced -> Encryption -> Validation), or if you have updated Firefox after March 23, 2011, since the updated versions explicitly distrust these nine certificates.

 

Browser support of OCSP checking

 

* Internet Explorer starting with version 7 on Windows Vista (not XP) supports OCSP checking[1]
* All versions of Mozilla Firefox support OCSP checking. Firefox 3 enables OCSP checking by default.[2]
* Safari on Mac OS X supports OCSP checking but it has to be manually activated in Keychain preferences.[3]
* Versions of Opera from 8.0[4][5] to the current version support OCSP checking.
* Google Chrome supports OCSP checking.[3]

 

What happened was as follows:

 

An RA account was compromised, i.e. the user ID and password of an account at a reseller in Europe. Using this account, the attacker (operating from Iran) submitted CSRs (certificate signing requests) for a number of prominent domain names. The requests passed into Comodo's system and certificates for these sites were issued automatically, without anyone checking that the requester controlled the domains. Comodo detected the mis-issuance soon afterwards. This shows that the checks Comodo has adopted since the incident need to be in-line, i.e. they should take place before a certificate is issued, not after.

 

As soon as Comodo discovered the attack, the RA account was suspended. The certificates were revoked via both CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol). A certificate revocation list is a signed list, published by the CA, that browsers can download and search for the serial number of the certificate they have been presented with. With OCSP, which is the newer protocol, the CA hosts an OCSP responder and the browser queries it for the status of a single certificate. So, if you had enabled OCSP checking in your browser and you had somehow navigated to a site presenting one of the fake certificates, your browser would have told you not to trust the certificate. The right action at that time is to not visit the page (some people just ignore the warning and visit the page anyway). One caveat: most browsers "soft-fail" by default, meaning that if the OCSP responder cannot be reached the certificate is accepted anyway. An attacker who can place a fake certificate in front of you can usually also block your OCSP request, so the check only really bites if the browser treats a failed OCSP connection as a failed validation, which is exactly what the Firefox option above does.
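The revocation check described above, together with the hard-fail versus soft-fail distinction behind the Firefox option mentioned earlier, as an added example; this is not code from the original post and has nothing to do with Comodo's systems. It builds a throw-away CA in memory, issues a certificate for mail.google.com the way the mis-issued one was issued (properly signed, so ordinary chain validation passes), revokes it in a CRL, and then performs the check a browser would. The CA name, serial numbers and hostname are constructed for the example; the check itself uses Go's standard crypto/x509 package. A CRL is used instead of OCSP so that the example runs offline, but the decision a browser has to make when the revocation data cannot be fetched is the same.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Status is the relying party's conclusion; "unknown" means no usable revocation data.
type Status string
const StatusGood, StatusRevoked, StatusUnknown Status = "good", "revoked", "unknown"

// ToyPKI is an in-memory CA, one leaf it signed and the CA's current CRL. It is built
// for this example only and has nothing to do with Comodo's real PKI.
type ToyPKI struct {
	CACert *x509.Certificate
	Leaf   *x509.Certificate
	CRLDER []byte // DER CRL; set to nil to simulate "CRL could not be downloaded"
}

// must panics on error; acceptable here because it only builds example fixtures.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func template(serial int64, cn string, now time.Time) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
}

// NewToyPKI builds the CA, issues a server certificate for hostname (standing in for
// the mis-issued one) and publishes a CRL that revokes it when revoke is true.
func NewToyPKI(hostname string, revoke bool, now time.Time) *ToyPKI {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := template(1, "Toy Root CA", now)
	caTmpl.IsCA, caTmpl.BasicConstraintsValid = true, true
	caTmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	caCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafTmpl := template(2, hostname, now)
	leafTmpl.DNSNames = []string{hostname}
	leafTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey))))
	// The CRL is what the CA publishes once it notices the mis-issuance.
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour)}
	if revoke {
		crlTmpl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}}
	}
	return &ToyPKI{CACert: caCert, Leaf: leaf, CRLDER: must(x509.CreateRevocationList(rand.Reader, crlTmpl, caCert, caKey))}
}

// CheckStatus does what a revocation-checking browser does: validate the chain and
// hostname, then look the serial up in the issuer's CRL. hardFail is the Firefox
// "treat the certificate as invalid" setting. A nil error means the browser proceeds.
func CheckStatus(pki *ToyPKI, hostname string, hardFail bool, now time.Time) (Status, error) {
	roots := x509.NewCertPool()
	roots.AddCert(pki.CACert)
	if _, err := pki.Leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname, CurrentTime: now}); err != nil {
		return StatusUnknown, fmt.Errorf("chain validation failed: %w", err)
	}
	// A fraudulently issued certificate passes the check above: it really is signed
	// by a trusted CA. Only revocation checking can catch it.
	unavailable := func(reason string) (Status, error) {
		if hardFail {
			return StatusUnknown, fmt.Errorf("%s; hard-fail policy treats the certificate as invalid", reason)
		}
		return StatusUnknown, nil // soft-fail: accept silently, which an on-path attacker can force
	}
	if pki.CRLDER == nil {
		return unavailable("CRL could not be fetched")
	}
	crl, err := x509.ParseRevocationList(pki.CRLDER)
	if err != nil {
		return unavailable("CRL is unparsable")
	}
	if err := crl.CheckSignatureFrom(pki.CACert); err != nil {
		return StatusUnknown, fmt.Errorf("CRL not signed by the issuer: %w", err) // a forged CRL is never acceptable
	}
	if now.After(crl.NextUpdate) {
		return unavailable("CRL is stale")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(pki.Leaf.SerialNumber) == 0 {
			return StatusRevoked, fmt.Errorf("serial %s revoked at %s", rc.SerialNumber, rc.RevocationTime.UTC().Format(time.RFC3339))
		}
	}
	return StatusGood, nil
}

func main() {
	now := time.Now()
	pki := NewToyPKI("mail.google.com", true, now)
	fmt.Println(CheckStatus(pki, "mail.google.com", true, now)) // revoked
	pki.CRLDER = nil // an on-path attacker blocks the CRL download
	fmt.Println(CheckStatus(pki, "mail.google.com", false, now)) // soft-fail: unknown, but accepted
}
```

The point to take from running it is the second line of output: with the CRL blocked and soft-fail in effect, the revoked certificate is accepted without any warning, and only the hard-fail setting turns the missing revocation data into an error. A CRL that is stale (past its NextUpdate) or that was not signed by the issuing CA is handled the same way as a missing one, except that a bad signature is always rejected.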

 

Comodo believes that this attack was the work of the Iranian government.

 

It is worth noting that this is not the first time a Comodo RA has failed in this way; in 2008 a Comodo reseller issued a certificate for mozilla.com without any domain validation.

 

Can you tell your browser to stop trusting Comodo? Technically yes (you can remove or distrust its root certificates in your browser's or operating system's trust store), but in practice it is not an option: Comodo is one of the biggest CAs, and distrusting it would give you certificate warnings on every site it has certified.

 

So, as a user of the above mentioned sites, the best course of action is to upgrade your browser, turn on OCSP checking, and, where your browser offers it, make a failed OCSP check a hard failure.