Twitter followers these days could notice an intensive buzz about the recent Comodo case – a serious security breach within the system of trusted authorities for web certificates. The news is, however, not in ‘what’ or ‘how’, but rather in ‘who’ and ‘why’. The suspects: the governmental structures of Iran. The possible motive: eavesdropping on its citizens on global communication channels.
Technically speaking, what is this all about? When we type the web address of our bank or social network platform into a browser, our Internet service provider’s DNS (Domain Name System) server translates the alphanumeric domain name address (such as www.facebook.com) into a unique numeric IP address that computers and servers use to identify themselves (e.g. Facebook is 188.8.131.52), thus linking our computer with the server under this number. But, who can guarantee that the DNS will not adversely cheat us and link us to a bogus copy that has a homepage that looks exactly the same as Facebook’s? Such bogus websites can allow their owners to steal our usernames and passwords for social networks or online email accounts, but more seriously our credit card numbers and PINs to our bank accounts also.
Years ago, in order to make our browsing experience more reliable and secure – especially in cases of online payments or when accessing private areas – online businesses agreed with browser platform providers (Google, Firefox, etc) to introduce the concept of reliable digital certificates for websites: each public website can obtain a secured digital certificate that certifies to users that the requested web address is linked to only certain IP numbers and servers approved by the owners. Thereby, our browser would warn us of a bogus web page if our DNS linked us to any server other than that (or those) approved by the owner of the website we requested: for example, only a server with the IP address of 184.108.40.206 (and a number of others confirmed and hosted by Facebook) would be certified as the www.facebook.com server.
The two features of this system of digital certificates for websites make it very trustworthy:
a) Technical: digital certificates are based on the reliable SSL (Secure Sockets Layer) protocol that relies on public-key cryptography – one of the most reliable cryptographic methods.
b) Economic: the system of issuing SSL certificates for websites is a well-developed market with countless multinational companies involved as clients (Microsoft, Google, Skype, major banks and online payment systems, etc.), and several other big companies acting as trusted Certificate Authorities (CA) for certificates integrated with web browsers – such as VeriSign or Comodo – that look carefully over their procedures for ensuring the real identity of the owners of the certificates they issue and certify.
So the global uneasiness resulting from the recent incident with Comodo comes as no surprise.
Yet, following the golden principle of security – a chain is only as strong as its weakest link – the perpetrators managed to get into the system by compromising less secure user accounts with one of many affiliate registration authorities (RA) under Comodo’s trusted root CA. Pretending to be the corrupted RA, the perpetrators implemented a well-prepared, sophisticated action to register nine bogus certificates for famous websites such as those of Google, Skype and Yahoo! The operation, had it not been uncovered, would have resulted in our browsers not objecting to being linked to a bogus server for Google, Yahoo! or Skype –the IP numbers of those bogus servers would also be within the certificates issued by the trusted CAs. Wired magazine featured an interesting analysis of the case.
This news was alarming; the reactions of Comodo, Microsoft, Mozilla, and others were prompt. But – there was more.
To really (mis)use the potential of these ‘rogue certificates’ and attract many users to access the nine bogus sites believing they were accessing the original ones, a perpetrator would also need to take control of one or more DNS servers and make them cheat us. The DNS system is (still) way more vulnerable than the SSL, and temporarily hijacking the DNS servers is not ‘a big deal’; but to have the impact on a greater number of Internet users, one would need to hijack DNS servers higher up in the hierarchy – those of major national telecoms or beyond. Moreover, an effort to break the SSL system for such important websites would make sense only if the hijacking of part of the DNS system was perennial, not temporary; while hijacking can be only temporary – until uncovered and restored, longer-term control can be obtained only through physical or ‘political’ control over its management.
One more detail was noticeable from the Comodo report: ‘The perpetrator has focussed simply on the communication infrastructure (not the financial infrastructure as a typical cyber-criminal might)’ – the bogus certificates were requested for the following well-known websites: mail.google.com (GMail), login.live.com (Hotmail), www.google.com, login.yahoo.com, login.skype.com, addons.mozilla.org (Firefox extensions). The aim of the perpetrators was thus not to obtain financial benefit, but rather to endanger privacy – for personal, business, or possibly political benefit.
Lastly, Comodo experts claim they have traced the origin of this cyber-attack back to Tehran, Iran. Geo-localisation of the users (and attackers) according to their IP address is becoming more and more sophisticated; but so are the anonymisers that hide the IP address of the original sender – thus there is also a possibility that the attacker attempted to lay a false trail.
The reasons for believing that some governmental structures have implemented such a sophisticated well-planned cyber-attack to break into the communication identities and records of (some of) their citizens are found primarily in the fact that the platforms focused on were communication rather than financial ones, and in the suspicion that such an attack would need a strong, long-lasting second pillar in the form of the control of the (national?) DNS infrastructure. Tracing the attack back to Iran only gives a possible political context.
Concerns over the SSL or DNS vulnerabilities are not new, and will probably never really disappear but will periodically be replaced by slots of trust in new secure protocols and slots of mistrust due to the evolution of hactivism. The concern that the governments have become more aware of the growing importance of the Net is not brand new either. A growing concern is that the states now use skilful, sophisticated, ‘undercover’ hacking actions to achieve their national or international goals. The Comodo case adds to a number of recent examples, including the Stuxnet virus (industrial worm) allegedly produced by Israeli-US secret services to destroy Iranian nuclear facilities, or the case of a state-owned Chinese telecommunications firm that re-routed some 15% of world web traffic through its own servers for a short while.