Detecting Certificate Authority Compromises and Web Browser Collusion

From Freedom to Tinker: “Today, the public learned of a previously undisclosed compromise of a trusted Certificate Authority — one of the entities that issues certificates attesting to the identity of ‘secure’ web sites. Last week, Comodo quietly issued a command via its certificate revocation servers designed to tell browsers to no longer accept 9 certificates. …

“This implied that the certificates were likely malicious, and may even have been used by a third party to impersonate secure sites. …

“Clearly, something exceptional happened behind the scenes. Security hacker Jacob Appelbaum did some fantastic detective work using the EFF’s SSL Observatory data and discovered that all of the certificates in question originated from Comodo — perhaps from one of the many affiliated companies that issues certificates under Comodo’s authority via their ‘Registration Authority’ (RA) program. Evidently, someone had figured out how to successfully attack Comodo or one of their RAs, or had colluded with them in getting some invalid certs.”

Jacob Appelbaum is a UW Security and Privacy Lab researcher and a Tor developer. You can read more about Jacob’s discoveries here.
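The mechanics behind the quoted events, as an added example that is not part of the original post and is not Comodo's, the EFF's or Jacob Appelbaum's code: a constructed, in-memory PKI in Go whose CA publishes a signed CRL revoking one of two leaf certificates (the "command via its certificate revocation servers"), the checks a relying party such as a browser must make before honouring that CRL (leaf really issued by this CA, CRL really signed by this CA, CRL not stale, and only then the serial lookup), and a filter that picks certificates out of a collection by issuer name, the kind of query over observed certificates that pointed at Comodo. The CA names, hostnames and serial numbers are invented, the `must` helper exists only to keep fixture construction short, and the code uses only Go's standard library (Go 1.19 or later for `crypto/x509`'s RevocationList support).

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

type Status string // verdict a relying party (a browser, say) reaches for one certificate
const (
	StatusGood    Status = "good"
	StatusRevoked Status = "revoked"
	StatusUnknown Status = "unknown" // CRL not trustworthy for this cert: never treat as good
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// buildDemoPKI constructs an in-memory PKI: a CA named caName, two leaves (serials 1001 and 1002), and a CRL
// signed by that CA in which 1002 is revoked. Everything here is generated on the spot, not real-world material.
func buildDemoPKI(caName string) (ca *x509.Certificate, leaves []*x509.Certificate, crl *x509.RevocationList) {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: caName},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is required to sign a CRL
	}
	// Re-parse the self-signed CA cert: the parsed form carries the generated SubjectKeyId the CRL needs.
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	for i, host := range []string{"good.example", "revoked.example"} { // hypothetical hostnames
		leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(int64(1001 + i)), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(90 * 24 * time.Hour),
		}
		leaves = append(leaves, must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, ca, &leafKey.PublicKey, caKey)))))
	}
	// The CA "tells browsers to no longer accept" the second leaf by publishing a signed CRL listing its serial.
	crlTmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaves[1].SerialNumber, RevocationTime: now}}, // field present in Go 1.19+
	}
	crl = must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey))))
	return ca, leaves, crl
}

// checkAgainstCRL is the order of checks a relying party should apply to a fetched CRL before honouring it.
func checkAgainstCRL(leaf, issuer *x509.Certificate, crl *x509.RevocationList) (Status, error) {
	// 1. The leaf must really chain to this issuer (name and signature); otherwise this CRL says nothing about it.
	if !bytes.Equal(leaf.RawIssuer, issuer.RawSubject) || leaf.CheckSignatureFrom(issuer) != nil {
		return StatusUnknown, errors.New("leaf was not issued by this CA")
	}
	// 2. The CRL must be signed by that same CA; an unsigned or foreign CRL could silently "un-revoke" anything.
	if !bytes.Equal(crl.RawIssuer, issuer.RawSubject) || crl.CheckSignatureFrom(issuer) != nil {
		return StatusUnknown, errors.New("CRL signature does not verify against the issuer")
	}
	// 3. A CRL past NextUpdate is stale; fail closed instead of assuming "good".
	if time.Now().After(crl.NextUpdate) {
		return StatusUnknown, errors.New("CRL is past its NextUpdate")
	}
	// 4. Only now is the serial lookup meaningful.
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return StatusRevoked, nil
		}
	}
	return StatusGood, nil
}

// certsIssuedBy mirrors the Observatory step: pull out every certificate whose issuer CN matches.
func certsIssuedBy(certs []*x509.Certificate, issuerCN string) []*x509.Certificate {
	var out []*x509.Certificate
	for _, c := range certs {
		if c.Issuer.CommonName == issuerCN {
			out = append(out, c)
		}
	}
	return out
}

func main() {
	ca, leaves, crl := buildDemoPKI("Demo CA One") // hypothetical CA name
	for _, leaf := range certsIssuedBy(leaves, "Demo CA One") {
		st, err := checkAgainstCRL(leaf, ca, crl)
		fmt.Printf("%s serial=%v status=%s err=%v\n", leaf.Subject.CommonName, leaf.SerialNumber, st, err)
	}
}
```

The practical caveat is in the third state: `StatusUnknown` is returned whenever the CRL cannot be tied to the issuer or is stale, and the caller must decide what to do with it. A relying party that maps "could not check" to "good" (soft-fail) gets no protection from a revocation like the one described above, because an attacker who can present a fraudulent certificate can usually also block the fetch of the CRL or OCSP response that would condemn it.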