Comodo: Web Attack Broader Than Initially Thought
An attack in which someone fraudulently obtained digital certificates for some major Web sites, which could have been used to impersonate those sites, was broader than originally reported, according to Comodo, a firm that issues the certificates.
Two additional Registration Authorities, or RAs, that resell digital certificates for Comodo have been compromised, in addition to the original RA breached a week ago, Comodo said yesterday.
“Two further RA accounts have since been compromised and had RA privileges withdrawn,” Robin Alden, chief technology officer at Jersey City, N.J.-based Comodo, wrote in a post on a Mozilla Developer security policy Google Groups thread. “No further mis-issued certificates have resulted from those compromises.”
Last Wednesday, Comodo, a Jersey City, N.J.-based firm that issues digital certificates, revealed that nine digital certificates for Google, Yahoo, Skype, Microsoft and other major Web sites were fraudulently obtained and later revoked when the breach was discovered. A fraudulent certificate would allow someone to impersonate the secure versions of those Web sites (the ones that are used when encrypted connections are enabled) in some circumstances. That RA was “thoroughly compromised” and its account deactivated, Alden said.
It’s unclear when the new RAs were compromised or how. A Comodo spokeswoman said executives were not able to comment until later today.
“We are rolling out improved authentication for all RA accounts. We are implementing both IP address restriction and hardware based two-factor authentication,” Alden wrote. “The roll-out of two-factor tokens is in progress but will take another couple of weeks to complete. Until that process is complete Comodo will review 100 percent of all RA validation work before issuing any certificate.”
Yesterday, Comodo founder Melih Abdulhayoğlu told CNET that the FBI was investigating. He also confirmed that a reseller in Italy called GlobalTrust had been compromised.
Comodo representatives blamed the attack on the government of Iran, because IP addresses used in the attack were traced back to Tehran. Since then, someone using the aliases “ComodoHacker” and “ichsunx” has stepped forward claiming responsibility and publicly posting the private encryption key for Mozilla’s add-ons domain. The hacker claims to be a 21-year-old cryptography expert and unaffiliated with the government of Iran, although stridently nationalistic.
In a post on Pastebin on Tuesday, the ComodoHacker says he hacked “a lot of resellers” and “owned” three of Comodo’s. “I even installed a keylogger on their server and I was monitoring administrators who logged in,” he wrote.
The revelations highlight fundamental problems of integrity with the system for approval of digital certificates that underpin transactions and trust on the Internet. At the moment, there is no automated process to revoke fraudulent certificates. There is no public list of certificates that companies like Comodo have issued, or even which of its resellers or partners have been given a duplicate set of the master keys. And there are no mechanisms to prevent fraudulent certificates from being issued by compromised companies, or repressive regimes bent on surveillance.
