Last modified: Thursday, March 24, 2011
After Comodo breach, Internet users urged to update browsers
FOR IMMEDIATE RELEASE
March 24, 2011
BLOOMINGTON, Ind. -- Indiana University's Center for Applied Cybersecurity Research is strongly encouraging Internet users to update their web browsers following the compromise of a Certificate Authority -- discovered Wednesday (March 23) -- that leaves potentially valuable data at risk of being intercepted and stolen.
Though you may not have heard of Certificate Authorities (CA), they play an instrumental role in securing the Internet, according to CACR Deputy Director Von Welch.
"Just as the government issues forms of identification to prove your identity, CAs serve as proof of digital identities, called certificates, to secure websites that let your web browser know that it is really talking to sites like Google, Yahoo!, or your bank," Welch said.
But Wednesday morning, an independent security researcher published the results of an investigation that revealed a CA, Comodo, had been compromised and fraudulent certificates issued. Comodo later verified the compromise.
The list of certificates the attacker tried to generate includes many of the world's most popular communications and social media websites: Google, Yahoo!, Skype, Mozilla, and Windows Live, among others.
"Wednesday's CA compromise discovery means that those responsible for the breach could create fake websites that look and behave exactly like real ones and include the normal indication that the site you are visiting is secure," Welch said. "That could lead to passive eavesdropping on a user's communications with a website, including stealing passwords, emails, and other communications."
Welch said it is not yet clear what the motivations of the attacker are.
"Right now we don't believe anyone has been victimized by this yet. To be safe, update your web browser, including web browsers on mobile devices such as smart phones and tablets such as the iPad," Welch said. "Microsoft, Firefox, and Chrome have all released updates that protect against the fraudulent certificates that were discovered Wednesday. The rest are sure to soon follow." Check for available updates to your web browser and install them if prompted.
These simple fixes are easy to complete and will help protect you against vulnerabilities posed by the Comodo breach. In the future, however, Welch said there is a great need to create better mechanisms to deal with such compromises, including systems that can resist the compromise of a single certificate authority.
The Center for Applied Cybersecurity Research is a part of Indiana University's Pervasive Technology Institute, and affiliated with the IU Maurer School of Law.