Comodo hack may reshape browser security

A breach that let a hacker spoof digital certificates for Google.com, Yahoo.com, and other Web sites is prompting browser makers to rethink security.

Declan McCullagh Former Senior Writer

Major browser makers are beginning to revisit how they handle Web authentication after last month's breach that allowed a hacker to impersonate sites including Google.com, Yahoo.com, and Skype.com.

The efforts are designed to remedy flaws in the odd way Web security is currently handled. Today, everyone from the Tunisian government to a wireless carrier in the United Arab Emirates that implanted spyware on customers' BlackBerry devices to scores of German colleges is trusted to issue digital certificates for the largest and most popular sites on the Internet.

Microsoft's manager for trustworthy computing, Bruce Cowper, told CNET that the company is "investigating mechanisms to help better secure" certificate authorities, which issue trusted digital certificates used to encrypt Web browsing, against this type of attack.

On Friday, Ben Laurie, a member of Google's security team, said the Mountain View, Calif., company is "thinking" about ways to upgrade Chrome to highlight possibly fraudulent certificates that "should be treated with suspicion."

Had such technology been widely adopted and built into major browsers, last month's Comodo breach would have been a non-event. The Jersey City, N.J.-based company announced on March 23 that an intruder it traced to Iran compromised a reseller's network and obtained fraudulent certificates for major Web sites including ones operated by Google and Microsoft. The FBI is investigating.

Comodo alerted Web browser makers, which immediately scrambled to devise ways to revoke the fraudulent certificates. There's no evidence the certificates were misused.

Peter Eckersley, a senior staff technologist at the Electronic Frontier Foundation who has compiled a database of public Web certificates, says one way to improve security is to allow each Web site to announce what certificate provider it's using.

Each browser trusts as many as 321 certificate authorities equally, a security nightmare that allows any of them to publish fake certificates for, say, Google.com. It's as if hundreds of superintendents in New York City had the master keys to every unit in every apartment building--as opposed to the normal practice of one master key per superintendent.

Eckersley says browsers should be developing "a way for each domain name holder to persistently specify its own private certificate authority if it wishes to." Once that is established, "mistakes at any one of thousands of other organizations would no longer give hackers a magic key to your systems," he says.

Securing domain names with a technology called DNSSEC will also play a "large" role, he says. Other long-term technical fixes that have been proposed have names like DANE, HASTLS, CAA (Comodo's Philip Hallam-Baker is a co-author), and Monkeysphere.

Comodo's revelations have highlighted the flaws of the current system. There is no automated process to revoke fraudulent certificates. There is no public list of certificates that companies like Comodo have issued, or even which of its resellers or partners have been given a duplicate set of the master keys. There are no mechanisms to prevent fraudulent certificates for Yahoo Mail or Gmail from being issued by compromised companies, or repressive regimes bent on surveillance, some of which have their own certificate authorities.

The Internet death penalty
Another option would invoke the Internet death penalty: revoking Comodo's status as a trusted source of digital certificates. Each major browser has a different list of which certificate authorities are trusted, and Comodo appears on all of them. (See related CNET article and spreadsheet.)

Mozilla says in a Web page that it is "interested in more detailed impact assessments" of how the death penalty applied to Comodo--an unprecedented punishment--would work in practice.

Cowper declined to provide details about whether a similar step is being considered for Internet Explorer: "Microsoft will not discuss any decision about Comodo's membership in the Windows Root Certificate Program." He added: "Microsoft is in ongoing discussions with Comodo regarding this incident. After completing this review and evaluating the appropriate mitigation steps, Microsoft will ensure that Comodo and other (certificate authorities) comply with any updated program requirements."

Microsoft already requires that certificate authorities "complete a qualified audit and submit the audit report" every 12 months. So does Mozilla.

Google's Chrome browser relies on the list of trusted certificates compiled by Microsoft and, under OS X, Apple. "We haven't deviated from the default lists, nor do we have current plans to," a Google spokesman says. Apple did not respond to a request for comment.

Melih Abdulhayoglu, Comodo's founder and chief executive, says that security has been tightened as a result of the breach in an Italian partner's network.

"There is no 100 percent security," Abdulhayoglu added. He said that "any large" issuer of digital certificates is susceptible to concerted attacks. "VeriSign and Comodo, we've both had issues."

Norway-based Opera Software, maker of the eponymous Web browser, is considering a "move towards stricter requirements regarding having revocation information available before allowing a secure connection to complete."

Opera's Yngve Pettersen wrote in a blog post last Thursday that such a requirement would make it easier to revoke certificates that were issued fraudulently.
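As an added example (not from the article, and not code from any browser vendor or from Comodo), the following Python sketch models the two policy changes discussed above: Eckersley's proposal that a domain persistently declare which certificate authority may issue for it, and Opera's proposed requirement that revocation information be available before a secure connection completes. Every CA name, key and serial number is constructed, and an HMAC tag stands in for a real CA signature; the point is the trust decision, not the cryptography.

```python
"""
Toy model of browser certificate-trust decisions.

Constructed example: CA names, keys and serial numbers are made up, and an
HMAC tag stands in for the issuer's signature.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed trust store: every browser ships a list like this, and by
# default any entry may vouch for any domain.
CA_KEYS: Dict[str, bytes] = {
    "ExampleCA-A": b"constructed-key-A",
    "ExampleCA-B": b"constructed-key-B",
    "ExampleCA-C": b"constructed-key-C",
}


@dataclass(frozen=True)
class Cert:
    domain: str
    issuer: str
    serial: int
    tag: bytes  # stands in for the issuer's signature


def _message(domain: str, serial: int) -> bytes:
    return f"{domain}|{serial}".encode()


def issue(ca_key: bytes, issuer: str, domain: str, serial: int) -> Cert:
    """Issue a certificate under a CA key. A reseller holding a copy of that
    key produces certificates indistinguishable from the CA's own."""
    tag = hmac.new(ca_key, _message(domain, serial), hashlib.sha256).digest()
    return Cert(domain, issuer, serial, tag)


def signature_valid(cert: Cert, trust_store: Dict[str, bytes]) -> bool:
    """Default browser model: any CA in the store is accepted for any domain."""
    key = trust_store.get(cert.issuer)
    if key is None:
        return False
    expected = hmac.new(key, _message(cert.domain, cert.serial), hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert.tag)


def decide(cert: Cert,
           trust_store: Dict[str, bytes],
           pinned_issuers: Dict[str, Set[str]],
           revocation_status: Optional[bool],
           require_revocation_info: bool) -> str:
    """Return 'accept' or 'reject: <reason>'.

    pinned_issuers: per-domain declaration of which CA(s) may issue for it
        (the mechanism Eckersley describes); an empty dict means no policy.
    revocation_status: True if revoked, False if known good, None if the
        status could not be fetched.
    require_revocation_info: the stricter behaviour Opera is considering.
    """
    if not signature_valid(cert, trust_store):
        return "reject: untrusted issuer or invalid signature"
    allowed = pinned_issuers.get(cert.domain)
    if allowed is not None and cert.issuer not in allowed:
        return f"reject: {cert.issuer} is not the declared issuer for {cert.domain}"
    if revocation_status is True:
        return "reject: certificate revoked"
    if revocation_status is None and require_revocation_info:
        return "reject: revocation status unavailable"
    return "accept"


def demo() -> Dict[str, str]:
    """Run the scenarios from the article against the toy policy engine."""
    legit = issue(CA_KEYS["ExampleCA-A"], "ExampleCA-A", "mail.example.test", 1001)
    # A partner holding a copy of ExampleCA-C's key issues for the same domain.
    rogue = issue(CA_KEYS["ExampleCA-C"], "ExampleCA-C", "mail.example.test", 42)
    # The domain owner's declaration: only ExampleCA-A may issue for this name.
    policy = {"mail.example.test": {"ExampleCA-A"}}
    return {
        "rogue_default": decide(rogue, CA_KEYS, {}, False, False),
        "rogue_pinned": decide(rogue, CA_KEYS, policy, False, False),
        "legit_pinned": decide(legit, CA_KEYS, policy, False, False),
        "revocation_unreachable_soft": decide(rogue, CA_KEYS, {}, None, False),
        "revocation_unreachable_hard": decide(rogue, CA_KEYS, {}, None, True),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:30} {verdict}")
```

Under the default model the rogue certificate passes, because its signature checks out under a CA that every browser trusts; only the domain's own declaration of its issuer rejects it. The last two scenarios show why Opera's requirement matters: if the revocation lookup fails and the browser falls back to accepting, a revoked certificate is still usable whenever that lookup can be made to fail, whereas the strict setting refuses the connection until the status is known.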