Comodo, which brands itself as “Global Leader in Cyber Security Solutions”, turns out to have a crappy backend and certification management systems.
Two European security researchers exploited these systems to obtain an HTTPS certificate for a domain they do not own. The certificate could be used to impersonate the website, allowing passwords and other sensitive information to be swiped from victims in man-in-the-middle attacks.
Florian Heinz and Martin Kluge of Vautron Rechenzentrum AG found that the CA uses optical character recognition (OCR) software to process requests for certificates. This image-recognition system is designed to ensure server-side certs are only sent to the registered owner of that domain.
Comodo uses OCR to parse screen grabs of records from domain-name registries or registrars when verifying the ownership of a website. Thanks to shortfalls in the OCR system used, Comodo can fail to distinguish an authentic domain name from one with similar characters (such as the number “1” instead of the letter “l”) and end up giving valid certificates to owners of the fake domain.
According to the researchers, the issue is due to privacy protections in place on the .eu and .be domains. In order to prevent the scraping of contact details, some registries and registrars do not allow automated WHOIS lookups to pull email addresses. Instead, that data is displayed as text in an image that can be easily read by a person but not pulled by a bot.
Comodo normally relies on the automated WHOIS lookup to verify its applications. When a person requests a certificate via email, the CA gets the contact information from the WHOIS lookup and sends a verification message to that address, at which point the applicant clicks a link to verify they own the domain and obtains the certificate. When the owner’s address can’t be read automatically for .be and .eu domains, Comodo uses OCR to match the characters, which is where the researchers found the flaws.
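The failure described above is an OCR result being accepted as an exact domain match when it only matches after glyphs such as “1” and “l” are confused. The following is an added example of the defender-side check a CA could put in front of such a fallback; it is not Comodo's code, and the confusable table and domain names are constructed for illustration.

```python
"""Check an OCR-extracted WHOIS domain against the requested domain.

Added example (not Comodo's code). An OCR result that matches the requested
domain only after visually confusable glyphs are folded together is treated
as ambiguous and must not proceed to the automated email challenge.
"""
import unicodedata

# Glyph pairs OCR engines commonly confuse, folded onto one canonical form.
# Constructed, illustrative subset; a real deployment would maintain a fuller table.
CONFUSABLE_FOLD = str.maketrans({
    "1": "l", "i": "l", "|": "l", "!": "l",  # vertical strokes read as 'l'
    "0": "o",
    "5": "s",
    "8": "b",
    "2": "z",
    "9": "g",
})
# Multi-character sequences that render like a single glyph (applied after
# single-glyph folding, so "c1" -> "cl" -> "d").
MULTI_CHAR_FOLD = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def fold_confusables(label: str) -> str:
    """Map a domain string to a form in which confusable glyphs collapse."""
    s = unicodedata.normalize("NFKC", label).lower().translate(CONFUSABLE_FOLD)
    for src, dst in MULTI_CHAR_FOLD:
        s = s.replace(src, dst)
    return s


def classify_ocr_match(requested_domain: str, ocr_domain: str) -> str:
    """Return "exact", "ambiguous" or "mismatch".

    "ambiguous" means the two agree only after confusable folding, i.e. the
    OCR text alone cannot tell the requested domain from a look-alike.
    """
    req = requested_domain.lower().rstrip(".")
    seen = ocr_domain.lower().rstrip(".")
    if req == seen:
        return "exact"
    if fold_confusables(req) == fold_confusables(seen):
        return "ambiguous"
    return "mismatch"


def ocr_validation_decision(requested_domain: str, ocr_domain: str) -> dict:
    """Policy: only an exact OCR match may continue to the email challenge;
    anything else is routed to manual review or a non-OCR validation method."""
    verdict = classify_ocr_match(requested_domain, ocr_domain)
    return {"verdict": verdict, "proceed": verdict == "exact"}
```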