Break in the SSL Chain of Trust Prompts Security Updates

Most of you have probably never heard of Comodo, yet this medium-sized security company is directly responsible for last week’s Apple security updates for Mac OS X and iOS. In fact, Comodo is responsible for security updates issued for every major Web browser and consumer operating system over the past few weeks.

How does one relatively unknown security company trigger a rash of updates in so many different products? The answer reveals more about flaws in the chain of trust of the Internet than any particular product weaknesses.

Among other aspects of their business, Comodo is a provider of the digital certificates that power the encrypted SSL/TLS (generally shortened to just SSL) connections we use to protect our communications over the Internet. Whenever you see the little lock icon in the corner of your browser you are using SSL. It means your connection is encrypted, and that, supposedly, the Web site you are visiting really is what it says it is. This technology is used to secure your connections to everything from MobileMe to your bank. SSL is also used to protect other connections and protocols — including secure email and certain VPNs.

SSL relies on digital certificates — special files that use different aspects of cryptography, including cryptographic signatures — to build a chain of trust. Certificates are used to sign other certificates in a highly secure fashion that identifies every member of the entire chain, allowing your computer to decide who to trust. These chains always lead back to a root certificate authority (CA). All Web browsers, and most operating systems, include the public certificates for CAs trusted by the browser or OS manufacturer, which enables your computer to know who to trust without you having to make the decision yourself.

Normally this system works well. Our banks and other online providers purchase SSL certificates from the CAs, which validate the identity of the company and issue the certificate (a file) signed by the CA. The customer company then installs that file on their Web server to enable secure connections. People who don’t want to pay for a signed certificate (which can be expensive) can generate their own, but since such self-signed certificates aren’t signed by a root CA, anyone visiting the site will see a warning from their browser and have to make a manual exception to accept it. (Very large companies often set up their own CA and install their certificate on employee systems to skip this warning).

But there are three cases where the system can break down. In the first, someone creates a fake certificate with the name of a real site and tricks the user into accepting it. The second problem is if the certificate authority issues a certificate for the wrong company. We’ve seen this happen a few times for companies like Microsoft, and the Electronic Frontier Foundation’s SSL Observatory project, which tracks the over 650 CAs, found numerous certificates issued for names like “localhost” and “exchange” that could be used by an attacker in what’s called a “man in the middle attack.” It’s also suspected that less-than-friendly foreign governments issue certificates for
known sites to intercept citizen and visitor traffic.

The third and final case is what Comodo experienced on 15 March 2011. An attacker, believed to be a student from Iran, compromised a Comodo reseller and issued valid certificates for seven major domains including Microsoft, Yahoo, Skype, and Mozilla.

Comodo responded immediately, adding those certificates to its revocation list, and Mozilla and Microsoft released updates for Firefox and Windows on 22 March and 23 March 2011. Technically, all browsers and operating systems will check for revoked certificates, but since this activity can be blocked (and is often disabled), the only certain way to remove the certificates is by blacklisting them using software updates. Apple followed with their updates on 15 April 2011 (see below), and rolled in some additional small changes.

As well as SSL works, incidents like this highlight the weaknesses in the system (covered in depth in this excellent Economist article by our own Glenn Fleishman). With so many certificate authorities, including some with poor business processes, it is nearly impossible to assure that our chain of trust is actually trustworthy. While this shouldn’t change your online practices today, it’s worth understanding the system and keeping a skeptical eye in case you notice something unusual.

Meanwhile, here’s additional information about Apple’s updates.

iOS 4.3.2 — The most significant of the updates, iOS 4.3.2 goes beyond the security problems to fix an issue that occasionally caused blank or frozen video during a FaceTime call, and also addresses a problem that prevented some international users from connecting to 3G networks on the 3G iPad. On the security side, along with blacklisting the spurious updates, iOS 4.3.2 includes fixes for a problem with library randomization, a pair of WebKit vulnerabilities, and a Quick Look vulnerability.

Security Update 2011-002 — This update, available for Mac OS X 10.6.7 Snow Leopard (4.43 MB), 10.5.8 Leopard (241.35 MB), and 10.5.8 Leopard Server (473.19 MB), includes only the fix necessary to blacklist the spurious certificates.

iOS 4.2.7 for iPhone (CDMA) — This update, available only via iTunes, updates iOS 4.2.5 or 4.2.6 running on the CDMA-based Verizon iPhone 4 to address not just the spurious certificates, but also iOS 4.3.2’s WebKit and Quick Look vulnerabilities.

Safari 5.0.5 — As you might expect, Safari 5.0.5 mimics the changes in iOS, blacklisting the spurious certificates and rolling in the WebKit fixes, which presumably also patch WebKit for all other applications that use it (ranging from iTunes to Google Chrome). Safari 5.0.5 requires either Mac OS X 10.5.8 or Mac OS X 10.6.5 or later and is a 46.83 MB download.