Comodo admits two more Registration Authorities hacked

In that incident, a hacker calling himself 'ComodoHacker' – portraying himself as a patriot ” – claimed credit for the hack of a range of major site certificates from Comodo. Unconfirmed reports suggest the same individual was responsible for these latest hacks.

As reported previously, several digital certificates were obtained by deception from Comodo that could have resulted in the hijacking of a number of major websites such as lgin.skype.com, mail.google.com, login.live.com and other popular internet websites.

Robin Alder, Comodo's CTO, raised the alert around 7pm UK time yesterday evening, noting that the two hacked RA accounts had been suspended.

"Two further RA accounts have since been compromised and had RA privileges withdrawn. No further mis-issued certificates have resulted from those compromises", he said in a Usenet posting.

Paul Mutton, a security researcher with Netcraft, said that no details of which RAs have been hacked have been revealed, although he noted that the Iranian ComodoHacker appears to claim responsibility for these other attacks, judging from the hacker's own postings.

"From listed resellers of Comodo, I owned 3 of them, not only [the] Italian one, but I [am] interested more in [the] Italian breach because they had too many codes, works, domains, (globaltrust, cybertech, instantssl, etc.), so I thought they are more tied with Comodo", ComodoHacker reportedly posted.

Mutton, meanwhile, said that the modus operandi of ComodoHacker appears to be an exploited SQL injection vulnerability on InstantSSL.it.

"The attacker subsequently escalated his privileges and caused the fraudulent certificates to be issued. The ComodoHacker unarguably proved his involvement in this attack by publishing a private key which corresponded to the fraudulently issued certificate for addons.mozilla.org. This private key has since been removed", he said in his posting on the affair.

Reaction to the latest hack of Comodo's RA system has been harsh, with many IT security experts actively criticising the company.

In its security blog on the affair, Mozilla said that, in its early discussions, it was concerned that any indication that it knew about the attack would lead to attackers blocking any security updates it issued.

"We also recognized that the obvious mitigation advice we might offer (to change Firefox's security preferences to require a valid OCSP - online certificate status protocol - response in all cases, or to remove trust from Comodo's certificates, or both) risked causing a significant portion of the legitimate web to break as well", said Mozilla.

"Additionally, neither we nor Comodo have found any evidence of access to their OCSP responder being blocked, either in Iran or anywhere else. We have also found no evidence of any other sort of attack", it added.

According to Mozilla, in hindsight, while it was made in good faith, this was the wrong decision.

"We should have informed web users more quickly about the threat and the potential mitigations as well as their side-effects," said Mozilla's security blog.

As a result of its investigation, Mozilla has requested that Comodo carry out the following steps:

Publish a full account of exactly what happened. (So far: they have published an incident report and a blog post.)

Monitor their OCSP logs for evidence of use of these certificates, or evidence that access to their OCSP responders is being blocked from any geographical locations. (So far: no sign of use or blocking.)

Cancel all relationship with the RA concerned. (So far: the RA is suspended.)

Change their practices to use intermediate certs rather than issuing directly off the root, and use a different one for each RA.

"This issue raises many questions about the systems surrounding authentication and security on the web. We intend to have a vigorous discussion about what technical and policy changes we can make to significantly improve the situation. You can join the discussion in the mozilla.dev.security.policy forum", concluded Mozilla.

What’s hot on Infosecurity Magazine?