Fraudulent Digital Certificates

Discussion in 'Mac Apps and Mac App Store' started by munkery, Mar 26, 2011.

  1. munkery, Mar 26, 2011
    Last edited: Mar 26, 2011

    munkery macrumors 68020

    munkery

    Joined:
    Dec 18, 2006
    #1
    The online digital certificate issuer, Comodo, was recently hacked and digital certificates for the following domains have become publicly available:

    login.live.com
    mail.google.com
    login.yahoo.com
    login.skype.com
    addons.mozilla.org

    These digital certificates have been added to the Certificate Revocation List (CRL). The Online Certificate Status Protocol (OCSP) will also block these certificates if they are used for spoofing.

    Enabling Safari to use the CRL and OCSP will provide protection from these, now invalidated, certificates.

    System-wide use of the CRL and OCSP can be enabled via Keychain Access. On the "Certificates" pane of the Preferences of Keychain Access, set the following:

    Online Certificate Status Protocol (OCSP): Best Attempt
    Certificate Revocation List (CRL): Best Attempt
    Priority: OCSP

    http://blog.intego.com/2011/03/24/protect-safari-from-fraudulent-digital-certificates/
     
  2. GGJstudios macrumors Westmere

    GGJstudios

    Joined:
    May 16, 2008
    #2
    Good "heads up"! I already had those enabled, but I'm sure many don't. Thanks!
     
  3. munkery, Mar 26, 2011
    Last edited: Mar 26, 2011

    munkery thread starter macrumors 68020

    munkery

    Joined:
    Dec 18, 2006
    #3
    In relation to certificate spoofing, continue to make sure to click the lock to manually verify digital certificates. Novel forged certificates may not be in the CRL or OCSP.

    These stolen or forged certificates would be used in man-in-the-middle (MITM) attacks. MITM attacks that occur on LAN networks can be detected by Mocha.
     
  4. SandboxGeneral Moderator

    SandboxGeneral

    Staff Member

    Joined:
    Sep 8, 2010
    Location:
    Orbiting a G-type Main Sequence Star
    #4
    That's a feature in OS/X I wasn't aware of. I have now set it up. Thanks!
     
  5. munkery, Mar 26, 2011
    Last edited: Mar 26, 2011

    munkery thread starter macrumors 68020

    munkery

    Joined:
    Dec 18, 2006
    #5
    Supposedly using CRL and OCSP does have the cost of extra bandwidth and slower speed when making secure connections. But, I find this performance tax negligible and I use an encrypted search engine. Obviously, this depends on the number of machines on the network and the speed of the connection. I do not notice any impact on my small home network.

    Also, recently released versions of Firefox and Chrome include built-in support for blocking these stolen certificates but that functionality is limited to the browser. The CRL and OCSP can also be utilized by Mail and other apps so it is recommended that this be enabled system-wide even if you use Firefox or Chrome.
     
  6. SandboxGeneral Moderator

    SandboxGeneral

    Staff Member

    Joined:
    Sep 8, 2010
    Location:
    Orbiting a G-type Main Sequence Star
    #6
    I couldn't imagine the added bandwidth needed would be much at all. Maybe if one had a 36.6kbs dial up modem they'd notice.

    What secure search engine do you use?
     
  9. komseban macrumors member

    Joined:
    Dec 27, 2010
    #9
    I did as suggested, but what are the implications of these certificates being let out to the public?
    Sorry, I'm not too knowledgeable when it comes to stuff like this.
    Qn Q..

    [edit.]

    Just read the blog.
    C:
     
  10. munkery thread starter macrumors 68020

    munkery

    Joined:
    Dec 18, 2006
    #10
    An attacker could make fake login webpages for Gmail, Hotmail, and Yahoo. Then, set up a man-in-the-middle attack that includes DNS spoofing so that when users browse to the login page for one of those email services, the users would be redirected to the fake page. The stolen certificates would make the fake page appear to be the real page when users view the digital certificate.

    When users log in to the fake page, their usernames and passwords are stolen by the attacker. The attacker then can use the stolen credentials for various purposes such as spam or attempting to reset passwords for other logins, such as bank logins.

    Skype login credentials could be stolen in a similar manner then used to make phone calls or generate spam. The Mozilla addon certificate could be used to hijack the installation of Firefox extensions to propagate malware.
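The two points this thread turns on, that a stolen-but-genuine certificate passes the ordinary chain-and-hostname check (post #10) and that only the CRL/OCSP step the first post tells you to enable catches it (post #1), can be shown end to end with Go's standard library. The following is an added example and not code from the thread, from Comodo or from Apple; it builds a constructed CA, issues a leaf for a made-up hostname, publishes a CRL that revokes it, and then runs the two checks a client performs. The hostname, serial numbers, CA name and the `.invalid` CRL/OCSP URLs are all constructed, and the `must` helper panics only because the data is a test fixture.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on fixture-construction errors (a broken RNG or a bad template);
// acceptable for constructed demo data, never for a production verification path.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// DemoPKI: a constructed CA, one leaf for a hostname, and a CRL signed by that CA.
type DemoPKI struct {
	CA, Leaf *x509.Certificate
	CRL      *x509.RevocationList
}

// issue signs tmpl with the parent's key and parses the DER back.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// BuildDemoPKI issues a leaf for hostname and publishes a CRL; with revokeLeaf the
// CRL lists the leaf's serial, the post-incident state the thread describes.
func BuildDemoPKI(hostname string, revokeLeaf bool) *DemoPKI {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Demo Root CA (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root
	leaf := issue(&x509.Certificate{
		SerialNumber: big.NewInt(4242),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		// Where a client finds revocation data (constructed URLs; .invalid never resolves).
		CRLDistributionPoints: []string{"http://crl.example.invalid/demo.crl"},
		OCSPServer:            []string{"http://ocsp.example.invalid"},
	}, ca, &leafKey.PublicKey, caKey)
	crlTmpl := &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: now.Add(-time.Minute),
		NextUpdate: now.Add(12 * time.Hour),
	}
	if revokeLeaf {
		crlTmpl.RevokedCertificateEntries = []x509.RevocationListEntry{
			{SerialNumber: leaf.SerialNumber, RevocationTime: now.Add(-time.Minute)},
		}
	}
	crlDER := must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey))
	return &DemoPKI{CA: ca, Leaf: leaf, CRL: must(x509.ParseRevocationList(crlDER))}
}

// VerifyForHost is the chain-and-name check on its own. A stolen certificate that
// was genuinely issued for the hostname passes it, which is why revocation matters.
func VerifyForHost(leaf, root *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// CheckRevocation is the CRL step: the CRL must be signed by the issuer and still
// current, then the leaf's serial is looked up. A foreign or expired CRL is an
// error, never a silent "not revoked".
func CheckRevocation(leaf, issuer *x509.Certificate, crl *x509.RevocationList, now time.Time) (bool, error) {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, fmt.Errorf("CRL not signed by issuer: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL expired at %s; revocation status unknown", crl.NextUpdate.UTC())
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}
```

Calling `BuildDemoPKI("login.example.test", true)` and then `VerifyForHost` succeeds while `CheckRevocation` reports the leaf revoked: the chain check is exactly the part a stolen certificate defeats, and the revocation check is the part the "Best Attempt" settings in the first post turn on. The `leaf.CRLDistributionPoints` and `leaf.OCSPServer` fields are where a client learns which CRL to fetch and which OCSP responder to ask; the code deliberately treats an expired CRL or one signed by some other CA as "status unknown" rather than "fine", which is the trap a soft-fail ("Best Attempt") setting can fall into when the responder is unreachable.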
     
