Two more Comodo resellers "owned" in SSL hack

Share this article:

Comodo has confirmed that two additional registration authorities (RAs) affiliated with the company also were compromised in a highly publicized SSL certificate fraud attack disclosed last week.

No additional forged certificates were issued as a result of the latest compromises, according to Comodo. Further, the company has suspended the registration authority privileges of its two latest affected resellers. 

Robin Alden, CTO of Comodo, announced the new compromises on a Mozilla web group discussion thread that was created after the initial attack.

“Two further RA accounts have since been compromised and had RA privileges withdrawn,” Alden wrote in the message, posted Tuesday. “No further mis-issued certificates have resulted from those compromises.”

Comodo, a Jersey City, N.J.-based company that issues digital SSL certificates used by websites to validate their identity to visitors, revealed last week that an attacker had compromised one of the company's European resellers and issued nine fraudulent digital certificates for high-profile sites such as Google, Yahoo, Skype and Microsoft's Hotmail.

While Comodo said the sophistication of the intrusion indicated that it was state-sponsored, an Iranian hacker over the weekend took responsibility for the attack and claimed that he acted alone and was not part of any such political agenda.

The intruder, calling himself “Comodohacker,” has posted several lengthy documents on the text-sharing site Pastebin, offering up details about the incident. In the latest document, posted Tuesday, the hacker said it was a difficult infiltration that took time.

“From listed resellers of Comodo, I owned 3 of them,” the hacker wrote.

While rogue certificates were quickly revoked, the incident was serious enough to prompt Comodo to institute new controls and for the major web browsers – Mozilla's Firefox, Microsoft's Internet Explorer and Google's Chrome – to issue updates to their browsers last week.

In response to rampant concerns about the trustworthiness of its certificate generation system from customers, browser companies and others in the security community, Comodo's Alden said the company is in the process of rolling out hardware-based, two-factor authentication for its resellers to ward off attacks in the future.

The process could take several weeks to complete and, in the meantime, Comodo has promised to review all reseller validation work prior to issuing any certificates.

Mozilla, in particular, criticized Comodo for allowing RAs to issue certificates directly from the root that the company maintains, a practice that eliminated some possible attack mitigations. In response, Comodo said it plans to move away from this practice.

Brian Trzupek, vice president of managed identity and SSL at Trustwave, a rival SSL certificate authority, told SCMagazineUS.com on Wednesday that Comodo has had a “track record” of trust issues dating back to at least 2008, when one of the company's resellers, CertStar, issued an SSL certificate for Mozilla.com without validation

Moreover, Comodo's solution of implementing two-factor authentication, while an improvement, may not have prevented the initial attack, he said.

“The hacker that did this said he had a zero-day for Windows 2003,” Trzupek said, referencing a tweet from the supposed intruder. “A second factor wouldn't help that.”

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

Information sharing requires breaking down barriers, White House cyber guru says

Information sharing requires breaking down barriers, White House ...

The White House has advanced an agenda to promote and facilitate information sharing on security threats and vulnerabilities.

Worm variant of Android ransomware, Koler, spreads via SMS

Worm variant of Android ransomware, Koler, spreads via ...

Upon infection, the Koler variant will send an SMS message to all contacts in the device's address book.

Patch for Windows flaw can be bypassed, prompts temporary fix from Microsoft

Patch for Windows flaw can be bypassed, prompts ...

The Windows zero-day received a patch last week, but the fix can still be bypassed by crafty attackers.