Comodo has confirmed that two additional registration authorities (RAs) affiliated with the company also were compromised in a highly publicized SSL certificate fraud attack disclosed last week.
No additional forged certificates were issued as a result of the latest compromises, according to Comodo. Further, the company has suspended the registration authority privileges of its two latest affected resellers.
Robin Alden, CTO of Comodo, announced the new compromises on a Mozilla web group discussion thread that was created after the initial attack.
“Two further RA accounts have since been compromised and had RA privileges withdrawn,” Alden wrote in the message, posted Tuesday. “No further mis-issued certificates have resulted from those compromises.”
Comodo, a Jersey City, N.J.-based company that issues digital SSL certificates used by websites to validate their identity to visitors, revealed last week that an attacker had compromised one of the company's European resellers and issued nine fraudulent digital certificates for high-profile sites such as Google, Yahoo, Skype and Microsoft's Hotmail.
While Comodo said the sophistication of the intrusion indicated that it was state-sponsored, an Iranian hacker over the weekend took responsibility for the attack and claimed that he acted alone and was not part of any such political agenda.
The intruder, calling himself “Comodohacker,” has posted several lengthy documents on the text-sharing site Pastebin, offering up details about the incident. In the latest document, posted Tuesday, the hacker said it was a difficult infiltration that took time.
“From listed resellers of Comodo, I owned 3 of them,” the hacker wrote.
While rogue certificates were quickly revoked, the incident was serious enough to prompt Comodo to institute new controls and for the major web browsers – Mozilla's Firefox, Microsoft's Internet Explorer and Google's Chrome – to issue updates to their browsers last week.
In response to rampant concerns about the trustworthiness of its certificate generation system from customers, browser companies and others in the security community, Comodo's Alden said the company is in the process of rolling out hardware-based, two-factor authentication for its resellers to ward off attacks in the future.
The process could take several weeks to complete and, in the meantime, Comodo has promised to review all reseller validation work prior to issuing any certificates.
Mozilla, in particular, criticized Comodo for allowing RAs to issue certificates directly from the root that the company maintains, a practice that eliminated some possible attack mitigations. In response, Comodo said it plans to move away from this practice.
Brian Trzupek, vice president of managed identity and SSL at Trustwave, a rival SSL certificate authority, told SCMagazineUS.com on Wednesday that Comodo has had a “track record” of trust issues dating back to at least 2008, when one of the company's resellers, CertStar, issued an SSL certificate for Mozilla.com without validation.
Moreover, Comodo's solution of implementing two-factor authentication, while an improvement, may not have prevented the initial attack, he said.
“The hacker that did this said he had a zero-day for Windows 2003,” Trzupek said, referencing a tweet from the supposed intruder. “A second factor wouldn't help that.”