On Tuesday, Comodo CTO Robin Alden acknowledged that two other registration authorities -- the companies that vet requests for certificates -- had suffered compromises. Along with the original company, InstantSSL.it (part of GlobalTrust), the two registration authorities had their privileges suspended by Comodo, which has already worked with browser makers to revoke the certificates.
Along with the recent attack on security firm RSA, which warned earlier this month that its systems had also been breached and information stolen that could weaken SecurID, its widely used one-time-password technology, the Comodo scam highlights major problems with the underpinning of Internet security, says Anup Ghosh, founder and chief scientist for browser security firm Invincea.
"In the context of RSA and in the context of Comodo, what you are looking at are attacks against fundamental security infrastructure," Ghosh says. "What this attack illustrates is that the faith in that foundation has been shaken."
The attack calls into question the ability of certificate authorities to accurately check the identity of persons requesting a certificate. The Comodo hacker requested certificates for major domains, such as Microsoft's Live and Google's Gmail, almost guaranteeing that the requests would be noticed, says Paul Mutton, security researcher with network monitoring firm Netcraft.
"The attacker has gone after what looks like the weaker points of the security chain here," Mutton says. "It makes you wonder, if it wasn't a high-value target ... would it have been noticed? Are there already certificates out there that have been fraudulently obtained and haven't been detected?"
The hacker has published five posts on Pastebin regarding the attack, claiming to have breached a registration authority's security through an SQL injection attack. He then expanded his beachhead on the server by exploiting a privilege escalation flaw. The attacker offered the private key to the fraudulently obtained Mozilla certificate as proof of his claims. Several researchers have already confirmed that the private key is valid.
"It took me time, I hacked a lot of resellers, but I found out that most of the CAs verify customers in their own way," the attacker wrote. "After a lot of research and talking as a customer to CAs, I found out there is possible potential in Comodo, I saw resellers can't verify customers, but Comodo partners can."
To its credit, Comodo took immediate steps to revoke certificates. The company discovered that two other registration authorities (RAs) were also compromised.
"We are rolling out improved authentication for all RA accounts," Robin Alden, Comodo's chief technology officer, wrote in a post on Tuesday on mozilla.dev.security.policy. "We are implementing both IP address restriction and hardware-based two-factor authentication."
The company plans to manually verify all requested certificates until the new security measures are rolled out, according to Alden.
While the capability of the attacker to succeed in the attack is disturbing, the problems in revoking the certificates -- and showing that revocation to the user through effective user-interface design -- is, perhaps, more threatening. The Online Certificate Status Protocol (OCSP), which allows browsers to check the revocation status of a certificate in real time, fails nearly invisibly on Microsoft's Internet Explorer and without any significant warning on Mozilla's Firefox, according to Adam Langley, a security engineer at Google.
"If the attacker is close to the user (say, on a cafe's wireless network), then they can only attack a smaller number of users, but they can intercept traffic to the CA and thus defeat revocation," Langley wrote on his blog.
It's an assertion with which the ComodoHacker seems to agree.
"I reversed the protocol, re-wrote response, created a code which returned my fake OCSP response, so [that the] browser never thinks certificates are revoked," he wrote in an e-mail interview with DarkReading. "OCSP protocol is useless."
One solution to revocation is to stop doing it altogether, Langley says. Instead, companies could use certificates that are good for only a few days. Instead of revoking a bad certificate, companies would just have to stop renewing the certificate.
"Clients wouldn't have to perform revocation checks, which are very complex and slow, CAs wouldn't have to pay for massive, DDoS proof serving capacity, and revocation would actually work," Google's Langley writes.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.