Fraudulent Comodo SSL certificates
Digital certificate issuer Comodo reported an incident on March 15, 2011 in which an attacker was able to issue nine fraudulent SSL certificates for seven different domains using the InstantSSL Certificate Authority (CA). Upon discovering the breach, Comodo immediately revoked the certificates. Software such as browsers and proxies that is not configured to check the revocation status of server certificates remains vulnerable to man-in-the-middle and spoofing attacks using these certificates.
By default, all versions of SGOS trust the Comodo InstantSSL CA. Any ProxySG that is not configured to check the revocation status of a certificate presented during an HTTPS session is vulnerable.
The nine fraudulent certificates were issued by the Comodo InstantSSL Certificate Authority (CA) to seven different domains: mail.google.com, www.google.com, login.yahoo.com, login.skype.com, addons.mozilla.org, login.live.com, and "Global Trustee". In ProxySG, the Comodo InstantSSL CA is named UTN_USERFirst_HW.
ProxySG only validates server certificates if the SSL proxy has been enabled. Revocation checking must be enabled separately. Blue Coat encourages customers using the SSL proxy to enable revocation checking for all HTTPS connections. If revocation checking has not been enabled and configured for HTTPS connections, ProxySG will accept any one of the nine fraudulent certificates as valid until the certificates expire.
ProxySG supports two mechanisms for revocation checking: Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP). ProxySG 5.3, 5.4, 5.5, and 6.x support both mechanisms. ProxySG 4.3 supports only CRLs.
Both mechanisms require administrative configuration in order to be active. CRLs must be manually imported by the administrator for each CA. OCSP must be configured either to use a specific OCSP responder or to use the OCSP responder specified in the certificate. For more information on configuring CRLs and OCSP, see the "Managing X.509 Certificates" chapter in the ProxySG Administrator's Guide. Links to the documentation can be found in the References section below.
Blue Coat recommends that customers perform the following actions:
- Enable server certificate validation, at least for the seven domains named in the fraudulent certificates.
- Enable CRLs and/or OCSP for revocation checking.
- If using CRLs, install the latest Comodo InstantSSL CRL and ensure all other CRLs are current. The latest Comodo InstantSSL CRL can be downloaded from crl.comodo.net/UTN-USERFirst-Hardware.crl.
- If using OCSP, examine the ignore settings for the OCSP responder. Ignoring failures, especially a failure to connect to the OCSP responder, allows an attacker who can block the responder to circumvent revocation checking.
ProxySG will only check the revocation status of server certificates if the SSL proxy has been enabled. Customers who have not enabled the SSL proxy should ensure browsers have been upgraded with the latest security patches and have revocation checking enabled.
Customers who have enabled the SSL proxy but are unable to implement revocation checking can remove the Comodo InstantSSL CA from the list of trusted CAs used by the SSL Client. The name of the CA in ProxySG is UTN_USERFirst_HW. The CA certificate can be added back into the list of trusted CAs at a later time if desired.
Any CA certificate that is no longer trusted can be removed from the list of available CAs on ProxySG. After a CA certificate has been removed, it can no longer be in or added to a list of trusted CAs unless it is imported again.
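The following added example (not Blue Coat's code; ProxySG exposes no such Python API) models the trust decision the advisory describes, so the effect of each recommended setting can be seen side by side: no revocation checking, an imported CRL, OCSP with connection failures ignored, OCSP failing closed, and the CA removed from the trust list. The CA name UTN_USERFirst_HW is from this advisory; the serial number and CRL contents are constructed placeholders, not the real certificate's values.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Cert:
    subject: str
    issuer: str
    serial: int

@dataclass
class Policy:
    trusted_cas: set                              # CA names the SSL client trusts
    crls: dict = field(default_factory=dict)      # issuer -> set of revoked serials
    ocsp: Optional[Callable] = None               # ocsp(cert) -> "good"|"revoked"; may raise ConnectionError
    ignore_ocsp_failures: bool = False            # the "ignore" setting the advisory warns about

def validate(cert: Cert, policy: Policy) -> str:
    """Return 'accept' or a rejection reason for a presented server certificate."""
    if cert.issuer not in policy.trusted_cas:
        return "reject: untrusted CA"
    # CRL check only applies if a CRL for this issuer has been imported.
    revoked = policy.crls.get(cert.issuer)
    if revoked is not None and cert.serial in revoked:
        return "reject: revoked (CRL)"
    if policy.ocsp is not None:
        try:
            status = policy.ocsp(cert)
        except ConnectionError:
            # Fail-open here is exactly what lets an attacker bypass revocation checking.
            return "accept" if policy.ignore_ocsp_failures else "reject: OCSP responder unreachable"
        if status == "revoked":
            return "reject: revoked (OCSP)"
    return "accept"

# Constructed sample data: serial 0xDEAD is a placeholder, not the real certificate's serial.
FRAUD = Cert("login.yahoo.com", "UTN_USERFirst_HW", serial=0xDEAD)
COMODO_CRL = {"UTN_USERFirst_HW": {0xDEAD}}

def ocsp_down(cert: Cert) -> str:
    raise ConnectionError("responder unreachable")  # simulates a blocked/offline responder

def scenario(name: str) -> str:
    """Evaluate the constructed fraudulent certificate under one configuration."""
    policies = {
        "no_revocation_check": Policy({"UTN_USERFirst_HW"}),
        "crl": Policy({"UTN_USERFirst_HW"}, crls=COMODO_CRL),
        "ocsp_ignore_failures": Policy({"UTN_USERFirst_HW"}, ocsp=ocsp_down, ignore_ocsp_failures=True),
        "ocsp_fail_closed": Policy({"UTN_USERFirst_HW"}, ocsp=ocsp_down),
        "ca_removed": Policy(set()),
    }
    return validate(FRAUD, policies[name])
```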
Firefox, Internet Explorer, and other products have released patches that automatically reject the nine fraudulent certificates. SGOS will not be modified.
Comodo incident report: www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html
Comodo blog post: blogs.comodo.com/it-security/data-security/the-recent-ra-compromise/
Comodo InstantSSL CRL: crl.comodo.net/UTN-USERFirst-Hardware.crl
Microsoft Security Advisory 2524375: www.microsoft.com/technet/security/advisory/2524375.mspx
Mozilla Firefox blog post: blog.mozilla.com/security/2011/03/22/firefox-blocking-fraudulent-certificates/
For more information on CRLs and OCSP, see the "Managing X.509 Certificates" chapter of the SGOS documentation for your release: 4.3, 5.3, 5.4, 5.5, 6.1, 6.2
2011-09-06 Marked status as final
2011-05-23 Added links to SGOS documentation.
2011-03-30 General clarifications on SSL proxy and added name of InstantSSL certificate in ProxySG, domains of fraudulent certificates, and where to find the CRL for the InstantSSL CA.
2011-03-24 Initial public release.