Comodo’s tag line is “creating trust online”. That may be true most of the time, but after an attack resulted in nine fraudulent SSL certificates–targeting domains like Google, Yahoo, Skype, and Windows Live–it might be wise to trust Comodo a little less.
A statement from Comodo explains that a root authority (RA) was breached. The attacker created a user account, and used the fraudulent account to issue nine rogue SSL certificates spanning seven different domains. The Comodo statement says, “The attacker was well prepared and knew in advance what he was to try to achieve. He seemed to have a list of targets that he knew he wanted to obtain certificates for, was able quickly to generate the [requests] for these certificates and submit the orders to our system so that the certificates would be produced and made available to him.”
Comodo stresses that all nine certificates were revoked immediately upon discovery of the attack, and that it has not detected any attempts to use the certificates after they were revoked. Comodo believes the attack originated in Iran, and based on the target domains it may be a state-sponsored attempt to hack webmail accounts of political dissidents.
Oliver Lavery, Director of Security Research at nCircle, shared some thoughts about the attack. “What I find fascinating about this attack is the choice of domains because they aren’t useful unless you have control of the DNS infrastructure.” Lavery goes on to explain that a country–like Iran–does, to an extent, control the DNS infrastructure within its borders, and speculates that the attack could have been executed with the intent to intercept encrypted Internet communications.
The login.live.com domain used for logging in to Windows Live accounts was one of the domains compromised by the rogue Comodo certificates. Microsoft has issued a security advisory, and released a mitigation update to update the certificate revocation list on Windows PCs and prevent them from accepting the fake SSL certificates as legitimate.
In the wake of the hack against the RSA network, which breached sensitive information related to the SecurID tokens used by millions to provide two-factor authentication and prevent unauthorized access, the compromise of Comodo SSL certificates is concerning. We all know that attackers are out there, and we realize we must take steps to protect our PCs and our data. But if two of the most trusted names in providing that security get compromised in the same week, it leaves you feeling a little hopeless and outgunned.
nCircle’s Director of Security Operations, Andrew Storms, added, “There will be a lot of critical people watching to see how Comodo responds as this incident unfolds. The security community in particular will demand a lot of transparency in order to rebuild their trust in Comodo.”