After reporting last week that it had issued banned certificates that could facilitate man-in-the-middle (MitM) attacks, Comodo has fixed the “subtle bug” that, according to the company's Senior Research and Development Scientist Rob Stradling, caused the problem.
New rules issued by the CA/Browser Forum (CAB Forum), which took effect Nov. 1, banned the issuance of new SSL/TLS certificates for internal host names, but a bug in a change to Comodo's production code caused the company to issue eight such certificates anyway.
“The intent of this code change was to help ease the pain of the 1st November 2015 transition, by automatically deleting all Internal Names and Reserved IP Addresses from a certificate request just prior to issuing the certificate,” Stradling wrote in a post in the CAB Forum.
That same change also removed the notAfter date limit (Nov. 1) that had been applied to such certificates, which was appropriate in that context “since it should no longer have been necessary given that the Internal Names and Reserved IP Addresses were being deleted prior to issuance.”
The bug itself lay in transaction handling: the certificate issuance code “runs in a separate SQL context,” so the deletions needed to be committed “immediately,” and because they were not, the issuance code could still “see the ‘deleted’ names,” Stradling explained. He added that Comodo “prepared a hotfix” that it “deployed within a couple of hours” after discovering the bug.
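The failure mode Stradling describes, a scrubbing step whose deletions are not yet committed when a separate database context reads the request, can be reproduced in a few lines. The following is an added example, not Comodo's code and not based on its schema: it uses two sqlite3 connections on a temporary file to stand in for the two SQL contexts, a constructed sample request with invented names, and a deliberately simplified heuristic for "Internal Name" (a real CA would consult the public suffix list and public DNS). It also shows the independent pre-issuance guard a practitioner would want in the issuance context itself, so that a transaction-ordering mistake cannot on its own produce a non-compliant certificate.

```python
import ipaddress
import os
import sqlite3
import tempfile

# Constructed sample certificate request (not a real request): two public
# host names, one Internal Name and one Reserved IP Address.
SAMPLE_REQUEST = {
    "request_id": 42,
    "names": ["www.example.com", "mail.example.com", "intranet", "10.0.0.5"],
}

# Assumption for this example: a simplified stand-in for the CAB Forum's
# "Internal Name" notion. A real CA would use the public suffix list.
NON_PUBLIC_SUFFIXES = {"local", "internal", "corp", "lan", "localhost"}


def is_internal_or_reserved(name: str) -> bool:
    """True for a Reserved IP Address (private, loopback, link-local)
    or an Internal Name (single label or non-public top-level suffix)."""
    try:
        return ipaddress.ip_address(name).is_private
    except ValueError:
        pass  # not an IP literal, treat it as a host name
    labels = name.lower().rstrip(".").split(".")
    return len(labels) < 2 or labels[-1] in NON_PUBLIC_SUFFIXES


def issuance_guard(names):
    """Independent check run in the issuance context: any name returned
    here must block issuance regardless of what the scrubbing step did."""
    return [n for n in names if is_internal_or_reserved(n)]


def _seed(path):
    """Create the request table and load the constructed sample request."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE csr_names (request_id INTEGER, name TEXT)")
    rid = SAMPLE_REQUEST["request_id"]
    conn.executemany("INSERT INTO csr_names VALUES (?, ?)",
                     [(rid, n) for n in SAMPLE_REQUEST["names"]])
    conn.commit()
    conn.close()


def names_seen_by_issuance(commit_before_issue: bool):
    """Scrub the request in one connection, then read it from a second one.

    Returns the names the issuance context sees. With commit_before_issue=False
    the DELETEs are still uncommitted when the second connection reads, so it
    still sees the 'deleted' names (the bug). With True it sees only the
    public names (the hotfix: commit immediately).
    """
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    cleanup = issuance = None
    try:
        _seed(path)
        rid = SAMPLE_REQUEST["request_id"]
        cleanup = sqlite3.connect(path)    # scrubbing step
        issuance = sqlite3.connect(path)   # separate SQL context that builds the cert
        for (name,) in cleanup.execute(
                "SELECT name FROM csr_names WHERE request_id = ?", (rid,)).fetchall():
            if is_internal_or_reserved(name):
                # Python's sqlite3 opens an implicit transaction here; nothing
                # is visible to other connections until commit().
                cleanup.execute("DELETE FROM csr_names WHERE request_id = ? AND name = ?",
                                (rid, name))
        if commit_before_issue:
            cleanup.commit()
        seen = [row[0] for row in issuance.execute(
            "SELECT name FROM csr_names WHERE request_id = ? ORDER BY name",
            (rid,)).fetchall()]
        cleanup.commit()  # end the scrubbing transaction either way
        return seen
    finally:
        for conn in (cleanup, issuance):
            if conn is not None:
                conn.close()
        os.remove(path)


if __name__ == "__main__":
    for commit in (False, True):
        seen = names_seen_by_issuance(commit)
        print(f"commit before issue={commit}: issuance sees {seen}; "
              f"guard blocks {issuance_guard(seen)}")
```

Run stand-alone it prints the two scenarios: without the commit the issuance context sees all four names, with it only the two public ones. The point of `issuance_guard` is that it runs on whatever the issuance context actually reads, so in the uncommitted case it still refuses the request instead of silently issuing for `intranet` and `10.0.0.5`.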
“The affected customers have been contacted and the affected certificates have been revoked,” he said, pledging that the company will improve its quality control measures in its change control process as it relates to its role as a certificate authority (CA). Stradling noted that Comodo is likely not the only certificate authority that issued banned certificates. The company's expanded investigation “found non-compliant certificates issued by quite a number of other CAs,” he said.