Another Certificate Authority Compromised
There has been much activity during the month of September regarding the compromise of yet another Certificate Authority. DigiNotar, a Dutch Certificate Authority, was the victim of a compromise that appears to have been sustained for at least two months. Similar to the Comodo issue discussed in March 2011, illegitimate certificates were issued for a wide range of domains, including *.google.com, *.microsoft.com, and login.yahoo.com.
In scenarios like this, the issuance of such certificates could allow a malicious third party to impersonate an organization by serving potentially malicious websites that look like the real thing and are even signed so that they appear to have a legitimate identity. It appears that the rogue certificates have since been revoked, and vendors like Microsoft have begun to issue software updates that include additions to their Certificate Revocation Lists (CRLs). Software such as web browsers uses CRLs to determine whether or not a site is trustworthy.
Although the cleanup efforts for this issue appear to have been largely effective, the cost to DigiNotar was significant. In a final twist, the Dutch government has taken over operational control of the organization, and DigiNotar has since filed for bankruptcy.
Browser Exploit Against SSL/TLS (BEAST)
Researchers have developed a potential method for decrypting SSL/TLS 1.0 communications between a web browser and server. Dubbed BEAST, the “Browser Exploit Against SSL/TLS” is reported to demonstrate an attack against known weaknesses in Cipher-Block-Chaining (CBC) mode, as used with block ciphers such as AES. In what appears to be a combination of Cross-Site-Scripting (XSS) and Man-in-the-Middle (MiTM) attacks, this technique demonstrates the potential for the theft of HTTPS session cookies, which could lead to SSL session hijacking.
Although issues with CBC mode are not new, and upgrading servers to use the TLS v1.2 protocol appears to be a potential solution, the majority of browsers active on the Internet are dependent upon TLS v1.0. The good news is that browsers such as Microsoft’s Internet Explorer 9 and Opera 10.x already support TLS v1.2, and Google has recently published updates to fix this issue for their Chrome browser.
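The sketch below checks a server-side TLS configuration for the two conditions named above, a protocol floor below TLS v1.2 and enabled CBC cipher suites, using Python's standard `ssl` module. It is an added example, not part of the original newsletter; the function names, the legacy suite list and the AEAD-only cipher string are assumptions chosen for illustration.

```python
import ssl

TLS12 = ssl.TLSVersion.TLSv1_2


def audit(ctx):
    """Report the two server-side conditions discussed above for an SSLContext."""
    # OpenSSL reports the bulk cipher as e.g. "aes-128-cbc" or "aes-256-gcm".
    cbc = [c["name"] for c in ctx.get_ciphers()
           if "cbc" in (c.get("symmetric") or "")]
    return {
        # MINIMUM_SUPPORTED is a negative sentinel, so it also compares below TLS 1.2.
        "accepts_pre_tls12": ctx.minimum_version < TLS12,
        "cbc_suites": cbc,
    }


def is_exposed(report):
    """Both conditions must hold: an old protocol is accepted and a CBC suite is on offer."""
    return bool(report["accepts_pre_tls12"] and report["cbc_suites"])


def harden(ctx):
    """Raise the protocol floor to TLS 1.2 (the upgrade mentioned above).

    Restricting the list to AEAD suites is an extra, assumed policy choice.
    """
    ctx.minimum_version = TLS12
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


if __name__ == "__main__":
    # Constructed legacy configuration: CBC suites listed ahead of AEAD ones.
    legacy = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    legacy.set_ciphers("AES128-SHA:AES256-SHA:ECDHE+AESGCM")
    hardened = harden(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER))
    for label, ctx in (("legacy", legacy), ("hardened", hardened)):
        report = audit(ctx)
        print(label, report, "EXPOSED" if is_exposed(report) else "ok")
```

On current Python builds the default protocol floor is often already TLS v1.2, so the legacy context may report CBC suites without being flagged as exposed.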

