Researchers have warned about the strength of security certificates, after hackers created fake versions of Gmail, Skype and several other leading web services.
The Comodo Group certification authority claimed hackers working for the Iranian state created fake certificates for six sites including Google, Yahoo and Mozilla’s add-ons.
“It doesn’t escape notice that the domains targeted would be of greatest use to a government attempting surveillance of internet use by dissident groups,” noted Comodo’s principal scientist, Phillip Hallam-Baker.
The fake certificates would let the attackers re-route users to spoof versions of those sites to steal login details and monitor behavior – regardless of whether the site used SSL encryption.
Following the attack, researchers called for a closer look at the system’s security. “This is a rare attack. I don’t recall any other case where the attackers would have broken into the Certificate Authority (CA) just so they could generate rogue certificates,” said F-Secure’s chief research officer Mikko Hypponen.
“An SSL certificate security review is long overdue. Certificate authorities don’t have good enough security checks in place and browsers support a long list of legacy CAs,” he added.
“Did you know your browsers blindly trust certificates used by a company in China? In Bermuda? In Rumania? Because they do.”