Comodo: Web attack broader than initially thought

A week after Comodo revealed that one of its registration authorities was compromised and digital certificates were stolen, it discloses that another reseller was compromised.

Elinor Mills Former Staff Writer

An attack in which someone fraudulently obtained digital certificates for some major Web sites--which could have been used to impersonate those sites--was broader than originally reported, according to Comodo, a Jersey City, N.J.-based firm that issues the certificates.

Another Registration Authority, or RA, that resells digital certificates for Comodo was compromised, in addition to the original RA breached a week ago, Comodo founder Melih Abdulhayoglu told CNET today. He would not name the company but said it was located in Europe and was attacked over the weekend.

A Web server at the unnamed reseller was somehow compromised and the intruder tried to exploit the breach to request a digital certificate for one of the high-profile Web sites that were targeted a week ago, which included Google, Yahoo, Skype, and Microsoft, but the request was denied and alarm bells were triggered, Abdulhayoglu said.

Comodo Chief Technology Officer Robin Alden said yesterday there were two additional RAs compromised since the first incident. But Abdulhayoglu said that turned out not to be the case and that one of the RAs had a software bug in its system and had not been breached.

"We are rolling out improved authentication for all RA accounts. We are implementing both IP address restriction and hardware based two-factor authentication," Alden wrote in a post on a Mozilla Developer security policy Google Groups thread. "The roll-out of two-factor tokens is in progress but will take another couple of weeks to complete. Until that process is complete, Comodo will review 100 percent of all RA validation work before issuing any certificate."

Comodo revealed on March 23 that nine digital certificates for a group of Web sites were fraudulently obtained and later revoked when the breach was discovered. A fraudulent certificate would allow someone to impersonate the secure versions of those Web sites--the ones that are used when encrypted connections are enabled--in some circumstances. That RA was "thoroughly compromised" and its account deactivated, Alden said.

Abdulhayoglu told CNET yesterday that the FBI was investigating. He also confirmed that a reseller in Italy called GlobalTrust had been compromised.

Comodo representatives blamed the attack on the government of Iran because IP addresses used in the attack were traced back to Tehran. Since then, someone using the aliases "ComodoHacker" and "ichsunx" has stepped forward claiming responsibility and publicly posting the private encryption key for Mozilla's add-ons domain. The hacker claims to be a 21-year-old cryptography expert and unaffiliated with the government of Iran, although stridently nationalistic.

In a post on Pastebin yesterday, the ComodoHacker says he hacked "a lot of resellers" and "owned" (had control of) three of Comodo's resellers. "I even installed a keylogger on their server and I was monitoring administrators who logged in," he wrote.

Asked to comment on those claims, Abdulhayoglu insisted that only two RAs were compromised and only one of the breaches led to fraudulent certificates being issued. He said he believes that ComodoHacker is somehow involved in the attack but has doubts about other claims.

Meanwhile, ComodoHacker told Bob McMillan at IDG News Service that he had compromised another certificate authority (CA) other than Comodo, but declined to elaborate.

Abdulhayoglu told CNET he did not know anything about another CA getting breached. "We had informed all the other CAs privately and told them that they should expect an attack," he said. "So, I'm hoping that they had protected themselves."

The revelations highlight fundamental problems of integrity with the system for approval of digital certificates that underpin transactions and trust on the Internet. At the moment, there is no automated process to revoke fraudulent certificates. There is no public list of certificates that companies like Comodo have issued, or even which of its resellers or partners have been given a duplicate set of the master keys. And there are no mechanisms to prevent fraudulent certificates from being issued by compromised companies, or repressive regimes bent on surveillance.

CNET's Declan McCullagh contributed to this report.

Updated at 3:28 p.m. PT with Comodo CEO comments on one new RA being compromised and report of new certificate authority being attacked.