Until today, doing online banking or using your credit card to make purchases online was generally safe as long as you made sure that the website was using https (rather than just http) and you knew and trusted the company you were doing business with.

However, that has now changed as this blogger has discovered.  (Slashdot discussion here.)  I confirmed that the mozilla.com cert that blogger set up does in fact work — and that is most definitely a serious problem.

In short, one of the SSL certificate authorities run by a company called Comodo has been handing out SSL certificates that it shouldn’t have been, meaning that malicious parties could now hold browser-trusted certs for paypal.com, royalbank.com, amazon.com, or anything else for all we know.  This makes it considerably easier for hackers to spoof those websites and trick you into giving them your credit card number or other sensitive/valuable information.  You may go to your online banking site, and it might look just like you would expect from past experience, with no errors or warning messages, but when you enter your password it’s actually going to a hacker or crime ring.

This is really a crippling blow to internet security.  It will get fixed, but until it does the best course of action is to NOT TRUST any websites with information that you wouldn’t want to be abused.  Virtually any formerly secure website could be compromised as a result of this.  For myself, I won’t make any online purchases or use online banking until there is a proper fix or at least an independent way to confirm the validity of the specific SSL certs that I would be depending on to trust those websites.
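One way to do the independent confirmation mentioned above is to record the SHA-256 fingerprint of a site's certificate through a channel you already trust (an earlier connection, the company's printed material, a phone call) and refuse any certificate whose fingerprint differs, even one that chains cleanly to a trusted CA, which is exactly what a mis-issued cert would do. This is an added example in Python, not code from the original post; the host and port arguments and the constructed byte string standing in for a DER certificate are assumptions.

```python
import hashlib
import socket
import ssl


def sha256_fingerprint(der_cert: bytes) -> str:
    """Return the SHA-256 fingerprint of a DER-encoded certificate as colon-separated
    upper-case hex, the same form `openssl x509 -fingerprint -sha256` prints."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pin_matches(der_cert: bytes, expected_fingerprints) -> bool:
    """True only if the presented certificate's fingerprint is one recorded out of band.
    A certificate that chains to a trusted CA but was never seen before fails here,
    which is the case a mis-issued, CA-signed certificate produces."""
    return sha256_fingerprint(der_cert) in {fp.upper() for fp in expected_fingerprints}


def fetch_leaf_certificate(host: str, port: int = 443) -> bytes:
    """Do a normal TLS handshake (standard chain validation still applies) and return
    the DER-encoded leaf certificate the server presented. Needs network access."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def verify_pinned(host: str, expected_fingerprints, port: int = 443) -> bool:
    """Chain validation plus the out-of-band fingerprint check; both must pass."""
    return pin_matches(fetch_leaf_certificate(host, port), expected_fingerprints)


# Constructed stand-in for a DER certificate (not a real certificate), so the
# fingerprint check can be exercised offline. A real pin would be recorded from
# a connection you trust and stored in configuration.
CONSTRUCTED_CERT = b"constructed-der-bytes-for-demo-only"
KNOWN_GOOD = {sha256_fingerprint(CONSTRUCTED_CERT)}

if __name__ == "__main__":
    print(sha256_fingerprint(CONSTRUCTED_CERT))
    print("pin ok:", pin_matches(CONSTRUCTED_CERT, KNOWN_GOOD))
    print("pin ok:", pin_matches(b"some-other-cert", KNOWN_GOOD))
```

The pin is deliberately checked on the exact leaf certificate rather than on the issuer, since the issuer being a trusted CA is precisely what cannot be relied on here; expect to update the pin whenever the site legitimately renews its certificate.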

Update 1:21pm: Good discussion of this on the mozilla.dev.tech.crypto list, with Comodo participating.

Update 2008-12-31: Comodo has identified and revoked the offending certificates, so the immediate threat of this issue has passed.
