updated 3/24/2011 8:48:10 AM ET 2011-03-24T12:48:10

Several security certificates used to authenticate and encrypt Web sessions have been found to be fraudulent, and could be deployed to trick users out of personal information on high-profile websites including Google, Yahoo and Skype.

Microsoft issued a statement today (March 23) warning that nine corrupted secure sockets layer (SSL) certificates could allow an attacker to “spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users, including users of Internet Explorer.”

Secure Sockets Layer (SSL) is an encryption protocol to ensure secure Internet connections. By using a fraudulent SSL certificate, an attacker can gain access to sensitive information from a website by posing as a legitimate third party.

The nine corrupted security certificates were issued by a hacker who used a stolen user name and password to access a server of the New Jersey-based IT firm Comodo, security firm Kaspersky Lab reported. Comodo said the attack was traced back to an IP address in Iran.

Comodo wrote on its website that it is possible the perpetrators had political motives to carry out the attacks.

“It does not escape notice that the domains targeted would be of greatest use to a government attempting surveillance of Internet use by dissident groups,” Comodo wrote.

Both Mozilla and Google Chrome have already issued updates to recognize and automatically block the phony SSL certificates. Microsoft has issued a security update for all versions of Windows to address the problem.

Independent security researcher Jacob Appelbaum, who goes by the online handle “ioerror,” discovered last week that the Google Chrome and Mozilla Firefox browsers had blacklisted certain SSL certificates without explaining why.  He contacted Google and Mozilla, who admitted the security breach but asked him to delay making the news public until Microsoft could blacklist them as well.

Currently working for the University of Washington, Appelbaum has in the past been targeted by U.S. law enforcement agencies for his involvement with WikiLeaks.

© 2012 SecurityNewsDaily. All rights reserved


Discussion comments


Most active discussions

  1. votes comments
  2. votes comments
  3. votes comments
  4. votes comments