
munkery (Original poster)
The online digital certificate issuer, Comodo, was recently hacked and digital certificates for the following domains have become publicly available:

login.live.com
mail.google.com
login.yahoo.com
login.skype.com
addons.mozilla.org

These digital certificates have been added to the Certificate Revocation List (CRL). The Online Certificate Status Protocol (OCSP) will block these certificates if they are used in spoofing as well.

Enabling Safari to use the CRL and OCSP will provide protection from these now-invalidated certificates.

System-wide use of the CRL and OCSP can be enabled via Keychain Access. On the "Certificates" pane of the Preferences of Keychain Access, set the following:

Online Certificate Status Protocol (OCSP): Best Attempt
Certificate Revocation List (CRL): Best Attempt
Priority: OCSP

http://blog.intego.com/2011/03/24/protect-safari-from-fraudulent-digital-certificates/
 
Good "heads up"! I already had those enabled, but I'm sure many don't. Thanks!
 
In relation to certificate spoofing, continue to make sure to click the lock to manually verify digital certificates. Novel forged certificates may not be in the CRL or OCSP.

These stolen or forged certificates would be used in man-in-the-middle (MITM) attacks. MITM attacks that occur on LAN networks can be detected by Mocha.
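The post above says a LAN man-in-the-middle can be detected locally. The following added example (not from this thread, and not the tool the post names) shows the kind of check such a detector performs: it parses `arp -a` output and flags the two classic symptoms of ARP spoofing, the gateway's MAC address changing from a known-good value and one MAC address answering for several IPs. The ARP lines and addresses are constructed for the example.

```python
"""Flag ARP-table symptoms of a LAN man-in-the-middle (ARP spoofing)."""
import re
import subprocess
from collections import defaultdict

# Matches the "(ip) at mac" part of a macOS/BSD `arp -a` line; macOS may print
# single-digit octets, and unresolved entries show "(incomplete)".
ARP_LINE = re.compile(
    r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at "
    r"(?P<mac>(?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2}|\(incomplete\))", re.I)

# Constructed sample of `arp -a` output (hypothetical addresses). The gateway
# now shows the same MAC as 192.168.1.20, as it would during ARP spoofing.
SAMPLE_ARP = """\
router.home (192.168.1.1) at aa:bb:cc:dd:ee:11 on en0 ifscope [ethernet]
? (192.168.1.20) at aa:bb:cc:dd:ee:11 on en0 ifscope [ethernet]
printer.home (192.168.1.30) at 0:11:22:33:44:55 on en0 ifscope [ethernet]
? (192.168.1.255) at ff:ff:ff:ff:ff:ff on en0 ifscope [ethernet]
"""

def normalize_mac(mac):
    """Lower-case and zero-pad each octet so '0:DE:..' and '00:de:..' compare equal."""
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))

def parse_arp(text):
    """Return {ip: normalized_mac} from `arp -a` output, skipping incomplete entries."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m and m.group("mac").lower() != "(incomplete)":
            table[m.group("ip")] = normalize_mac(m.group("mac"))
    return table

def find_anomalies(table, gateway_ip, known_gateway_mac):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    expected = normalize_mac(known_gateway_mac)
    if gateway_ip in table and table[gateway_ip] != expected:
        findings.append(f"gateway {gateway_ip} MAC changed: expected {expected}, "
                        f"saw {table[gateway_ip]}")
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        if mac != "ff:ff:ff:ff:ff:ff":      # broadcast entry is legitimately shared
            by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} claims multiple IPs: {', '.join(sorted(ips))}")
    return findings

if __name__ == "__main__":
    # Live run: read the real ARP table; gateway values here are placeholders.
    live = subprocess.run(["arp", "-a"], capture_output=True, text=True).stdout
    for finding in find_anomalies(parse_arp(live), "192.168.1.1", "00:de:ad:be:ef:01"):
        print("WARNING:", finding)
```

Record the gateway's MAC address once from a known-clean state; the check is only as good as that baseline, and a flagged change can also be a legitimately replaced router.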
 
Supposedly using CRL and OCSP does have the cost of extra bandwidth and slower speed when making secure connections. But, I find this performance tax negligible and I use an encrypted search engine. Obviously, this depends on the number of machines on the network and the speed of the connection. I do not notice any impact on my small home network.

Also, recently released versions of Firefox and Chrome include built-in support for blocking these stolen certificates but that functionality is limited to the browser. The CRL and OCSP can also be utilized by Mail and other apps so it is recommended that this be enabled system-wide even if you use Firefox or Chrome.
 
I couldn't imagine the added bandwidth needed would be much at all. Maybe if one had a 36.6kbs dial-up modem they'd notice.

What secure search engine do you use?
 
I did as suggested, but what are the implications of these certificates being let out to the public?
Sorry, I'm not too knowledgeable when it comes to stuff like this.
Qn Q..

[edit.]

Just read the blog.
C:
 
An attacker could make fake login webpages for Gmail, Hotmail, and Yahoo. Then, set up a man-in-the-middle attack that includes DNS spoofing so that when users browse to the login page for one of those email services, the users would be redirected to the fake page. The stolen certificates would make the fake page appear to be the real page when users view the digital certificate.

When users log in to the fake page, their usernames and passwords are stolen by the attacker. The attacker then can use the stolen credentials for various purposes such as spam or attempting to reset passwords for other logins, such as bank logins.

Skype login credentials could be stolen in a similar manner, then used to make phone calls or generate spam. The Mozilla addon certificate could be used to hijack the installation of Firefox extensions to propagate malware.
 