Two additional registration authority accounts belonging to Comodo Security partners have been compromised since the initial SSL certificate attack.
The Iranian hacker who managed to trick Comodo into issuing nine fraudulent
certificates appears to have compromised two more registration authority (RA) accounts,
raising questions about exactly what is going on at the certificate authority.
further RA accounts have since been compromised," wrote Robin Alden, CTO
of Comodo Security, on the mozilla.dev.security.policy mailing list on March
29. The partners have had their registration authority privileges withdrawn.
Alden made the announcement in an e-mail addressing questions posed by the members of
the mailing list. "No further mis-issued certificates have resulted from
these compromises," Alden said.
The hacker (writing under the name Janam Fadaye Rahbar) claimed in a follow-up message
on Pastebin to have "owned
3 of them [Comodo partners]," and not just the Italian InstantSSL.it
partner that was mentioned earlier. Rahbar said InstantSSL.it had more code and
more domains, making it seem like "they are more tied with Comodo."
The hacker also published the private RSA encryption
key for Mozilla's add-ons domain, which corresponded to the publicly available
fake SSL certificate, said Paul Mutton, a security researcher at British security firm Netcraft.
Comodo, the affiliate, or the hacker could have known this secret key,"
said Mutton. He warned that the publication of the key means there's a chance
of man-in-the-middle attacks against Mozilla Add-ons users. Users should be
protected if they were using the most updated version of the browser, he said.
A number of security professionals on the mozilla.dev.security.policy mailing list were
clearly fed up with what they saw as an ongoing trend of mistakes by the
certificate authority. "Comodo had several opportunities to show that they
are willing to change," Paul van Brouwershaven, CTO
of Networking4All, a Dutch hosting and security provider, wrote on the mailing
list and forwarded to eWEEK.
have showed over and over again that they are not willing to take the
responsibility that a CA should have," he said.
He suggested that it was time for Mozilla, Microsoft and other companies to pull
Comodo from their browsers and force Comodo to do a "product recall."
Likening the incident to a potential safety problem with an automobile, van
Brouwershaven said Comodo should refund customers for all certificates issued.