How can a domain be impersonated with a fraudulent SSL certificate?

There are multiple ways to exploit a compromised certificate.

If you have a compromised website certificate, you need to get people onto your server when they type the address of the compromised one. This can be done:

  • By getting control of a DNS server, there you can basically change the association of a website URL to your server IP address.
  • By performing a DNS cache poisoning attack
  • By performing a Man in the Middle attack (e.g. you own a router) between your target and the website, thus redirecting him to your own server

If you have compromised a root CA certificate, you can do even better. Since you have the "master" key you can forge false certificate in the name of whoever you want. Therefore you are able to impersonate any website. This is mostly valuable to someone who can fully control a DNS server (closed internet countries for example) as they can invisibly spy onto each and any internet connections made on any website, since they can forge certificate on the fly and perform man in the middle attacks.


A Certificate Signing Request (CSR) sent to a Certificate Authority (CA) contains a Public Key, so merely having a hooky TLS cert wouldn't be enough to get up to bad business: you'd also need the Secret Key used to cut the Public Key in the CSR. Finally, you'd need to hack the victim's DNS to redirect traffic. If your security is this bad, TLS certs are not your problem... Certainly possible to compromise TLS, but not easy or straightforward.

Now in the incident you reference, the Iranian hacker(s) compromised a Comodo reseller CA, transmitting their-the hackers'- own Public Key with the CSR- so they had the Secret key relating to the Public Key sent to the CA- they did not need to thieve it from their victim. So they were most of the way there, but they'd still need to hack DNS to redirect traffic to their hooky server(s). Merely having a compromised cert won't do anything until you can get traffic flowing to the host it's configured on