Comodo SSL Certificate Breach’s Potential Impact on Security Token Services and their Identity Providers

Recently, Iranian crackers used a username and password to make certificate requests from the Comodo Certificate Authority. These requests were successful and certificates were issued for 9 domains which are published on the Comodo Fraud Incident Report page: http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html

This issue is of particular importance to me because SSL is the primary mechanism by which integrity and confidentiality are assured for Security Tokens and Security Token Requests. My latest blog post provides instructions on how to add Yahoo and Google as Identity Providers to Windows Azure AppFabric Access Control Service v2.0. The fraudulent certificates are for the major Identity Provider sources on the Internet (e.g. mail.google.com, www.google.com, login.yahoo.com, login.skype.com, addons.mozilla.org, login.live.com, global trustee). These certificates may be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Internet application users (in my view, it potentially impacts more than just applications accessible via web browsers). Although the sky is far from falling, this breach does illuminate some pretty significant vulnerabilities in our Internet security infrastructure, which need to be tightened.

Your computer’s trust in these certificates is revoked via a web browser update (which is also very unfortunate, as it makes the procedure for responding to such security threats extremely cumbersome and hard to orchestrate). In short, you (and/or your application users) must update your web browsers to gain protection. Here are a few links for popular web browsers:

Microsoft IE Browser: http://support.microsoft.com/kb/2524375
Firefox Browser: http://www.mozilla.com/en-US/firefox/3.6.16/releasenotes/
Google Chrome: Tools/About (update will install automatically if you are online)
Apple Safari: http://www.apple.com/safari/
Opera: http://www.opera.com/download/

Each web browser is different, but to verify that you are protected, navigate to the certificate store of your browser and find the “Untrusted Publishers” tab (or equivalent). You want to see the list of domains above in the “Issued To” column of untrusted publishers. The following is from Internet Explorer:

[Figure: Internet Explorer certificate store, “Untrusted Publishers” tab, listing the revoked certificates in the “Issued To” column]

Please notice that there are only EIGHT certificates in the revocation list. I am puzzled as to why the “www.google.com” certificate is missing; however, more information was not readily available at the time I wrote this blog post.
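For clients that are not web browsers (the Security Token Service scenario above), a browser update does nothing; one mitigation is for the client to remember which CA it expects to issue the certificate for each identity-provider endpoint and to reject an affected name chained to a different issuer. The following is an added example, not code from the original post; `AFFECTED_NAMES` comes from the post, while the pinned issuer names and the sample certificate are constructed placeholders.

```python
import ssl
import socket

# Domains listed in the Comodo Fraud Incident Report quoted in the post.
# "global trustee" is a certificate common name rather than a hostname.
AFFECTED_NAMES = {
    "mail.google.com", "www.google.com", "login.yahoo.com", "login.skype.com",
    "addons.mozilla.org", "login.live.com", "global trustee",
}

def cert_names(cert):
    """Subject CN plus SAN DNS names from an ssl.getpeercert()-style dict."""
    names = {v.lower() for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"}
    names |= {v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"}
    return names

def issuer_org(cert):
    """Issuer organizationName, or '' if the field is absent."""
    return next((v for rdn in cert.get("issuer", ()) for k, v in rdn if k == "organizationName"), "")

def check_cert(cert, pinned_issuers):
    """Return (suspect, reason). pinned_issuers maps a hostname to the issuer
    organization the client previously observed for it. A certificate for an
    affected name that chains to a different CA is what a fraudulently issued
    certificate would look like to an STS client, even though the chain validates."""
    hits = cert_names(cert) & AFFECTED_NAMES
    if not hits:
        return False, "no affected name in certificate"
    org = issuer_org(cert)
    for name in sorted(hits):
        expected = pinned_issuers.get(name)
        if expected is not None and org != expected:
            return True, f"{name}: issued by {org!r}, pinned issuer is {expected!r}"
    return False, "issuer matches pin"

def fetch_peer_cert(host, port=443, timeout=5):
    """Live helper (needs network): the certificate a server actually presents."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample: a certificate for login.live.com chained to an issuer the
# client has never seen for that host. Both issuer names are placeholders.
PINNED = {"login.live.com": "Expected IdP CA (placeholder)"}
SAMPLE_CERT = {
    "subject": ((("commonName", "login.live.com"),),),
    "subjectAltName": (("DNS", "login.live.com"),),
    "issuer": ((("organizationName", "Some Other CA (constructed)"),),),
}

if __name__ == "__main__":
    print(check_cert(SAMPLE_CERT, PINNED))
```

Seed the pin table from `fetch_peer_cert()` on a known-good network before relying on it, since an already-substituted certificate would otherwise be pinned as the expected one.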
