The Register® — Biting the hand that feeds IT


Comodo admits 2 more resellers pwned in SSL cert hack

How deep does the rabbit hole go?


Comodo has admitted a further two registration authorities tied to the digital certificates firm were hit by a high-profile forged digital certificate attack earlier this month.

No forged certificates were issued as a result of the assault on victims two and three of the attack, but confirmation that multiple resellers in the Comodo community were compromised is bound to renew questions about the trust model applied by the firm.

Comodo has previously admitted that the compromise of one of its partners in southern Europe on 15 March allowed a hacker to generate bogus SSL certificates for Skype, Yahoo, Windows Live, mail.google.com and addons.mozilla.org. These certificates were revoked hours after they were issued, but the incident only became public a week later after browser developers including Microsoft and Mozilla had published updates. The certificates create a means to mount convincing man-in-the-middle or phishing attacks.

Earlier this week an Iranian hacker claimed responsibility for the assault, claiming that he acted alone and naming GlobalTrust.it and InstantSSL.it as the targets of his assault. He published fragments of digital certificate programming interfaces on Pastebin to substantiate his claims. The presumed hacker also posted the forged certificate for Mozilla that he created for himself, as well as the associated private key for this certificate.

The miscreant also published what he claimed were tables from files on Comodo's database in a post on Tuesday, as further proof of his self-described elite skills against those who doubted his initial claims. He called on Comodo to come clean about the hack, the exact motives for which remain more than a little unclear.

Comodo has now discovered that two more of its registration authorities (also unnamed) were hit by the same attack. Robin Alden, CTO of Comodo, stated in a post to mozilla.dev.security.policy about the attack: "Two further RA accounts have since been compromised and had RA privileges withdrawn. No further mis-issued certificates have resulted from those compromises."

Alden said Comodo was in the process of rolling out two-factor authentication products to its resellers (registration authorities), as a safeguard against future attacks. This process is likely to take around two weeks. In the meantime Comodo has promised to review validation work by its resellers before issuing certificates, rather than trusting the whole process to its resellers.

Responding to criticism from Mozilla that Comodo should not have allowed its RA resellers to issue digital certificates directly from the root, a practice that invalidated possible countermeasures to the attack, Comodo said it was changing its business practices to move away from this model. ®


Excellent idea!

"Alden said Comodo was in the process of rolling out two-factor authentication products to its resellers..."

Hey, they could use some of those really secure dongle things made by RSA!!

Oh, hang on though....

Anonymous Coward

Not just their problem.

If you do that in, say, a large corporate rollout image and then force the update through, your helpdesk will be swamped by confuddled angrasperated lusers complaining that a whole raft of your business partners' b2b websites suddenly will pop up complaints about the certificate being untrusted. Any and all middle managers will just say you're failing to be a team player because you're impeding business. No matter the fact that the problem is with Comodo, it's you that made it visible and the fact that those certificates are worth less than the bits' storage costs won't ever matter in the middle manager's mind.

That's how bad CAs can continue to exist indefinitely. Though it does mean the PKI's trustworthiness will continue to be chewed up from within, paid for by all those people paying for certificates.


Still not good enough

"The only certificate-signer that you can trust in an absolute sense is the one you know personally who signs the certificate in front of you."

Still not good enough. You also have to believe that he will subsequently, and has until now managed to retain confidentiality of his private key. Otherwise his authentication using the certificate you agreed to trust becomes worthless.

PKI can be useful as a formal specification of some sorts of assurance, but it absolutely does not do what people use it for.
