Comodo Disables Faulty OCR

Status
Not open for further replies.

BoraMurdar

Super Moderator
Thread author
Verified
Staff Member
Well-known
Aug 30, 2012
6,598
Comodo, the world's biggest certificate authority (CA), has disabled a faulty mechanism that would have allowed someone to request and successfully receive digital certificates for domains they don't own.

Florian Heinz and Martin Kluge of Vautron Rechenzentrum AG discovered the issue in September and contacted Comodo, who answered by disabling the buggy component.

The problem, as the two explain in an editorial for German tech news site Heise, was in the OCR (Optical Character Recognition) component used by Comodo in its automated process for issuing digital certificates.

Explaining the problem
Whenever someone visits Comodo's website to request an SSL certificate for his domain in order to support HTTPS traffic, they have to go through a verification process to prove they're the real owners of that domain.

Since Comodo is by far the leader in the HTTPS SSL certificate market, this process is automated to handle all the incoming user requests.

This verification process implies sending an email to the domain's owner, to verify that the request for a new SSL certificate came from someone in the company.

Comodo uses WHOIS records to extract the domain owner's email address and send the verification email. For some domains registered with .eu, .be, .at, and other extensions, this information is not stored in text format, but as an image, to deter spam bots.

Problem found in a faulty image-to-text component
For this, Comodo uses an OCR component to scan the photo and detect the text. According to the two researchers, this OCR module has problems in recognizing "l" (small capital letter L) from "1" (number one) and "o" (small capital O) from "0" (number zero).

The two researchers say Comodo, or the company that developed the component, were aware of this bug and set up some special rules to handle these character recognition issues.

When the OCR component read l/1, if the character was followed by a number, it would be "one," and if it would be followed by a letter, then it would be "small L." The same for 0/o.

Attackers could register SSL certificates for other websites
The researchers tested this issue by registering a domain "altelekom.at" and requesting an SSL certificate for "a1telekom.at", one of Austria's largest telecom providers.

The OCR component misread the WHOIS data as expected, and sent the confirmation email to the wrong domain. Attackers could leverage this technique to obtain SSL certificates for sensitive domains, which they can use for man-in-the-middle attacks to intercept and decrypt HTTPS traffic.

Obviously, this flaw is limited to domains that contain the four problematic characters, but this was an issue that was active on the Comodo SSL issuance system for a long time.

Currently, Mozilla engineers are investigating the problem. Despite fixing the reported problem, Comodo may land in hot water with browser vendors because it didn't report the problem in September when it was fixed.

From Softpedia
 

Ink

Administrator
Verified
Jan 8, 2011
22,490
According to the two researchers, this OCR module has problems in recognizing "l" (small capital letter L) from "1" (number one) and "o" (small capital O) from "0" (number zero).
We all have this problem with sans fonts, is it an I or l?

I is capital i
l is lowercase L
 
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top