Comodo RA Compromise
Comodo has finally spoken up to tell us more about the certificate issue we have been covering this morning, with Firefox and Microsoft releasing "certificate black list" updates. [1]
Comodo states that none of its keys or signing/intermediate CAs were compromised. Instead, systems at an affiliate were compromised and used to trick the affiliate into signing fraudulent certificates: the attacker obtained a username and password for the partner's systems, logged in, and was thus able to issue the fraudulent certificates.
According to Comodo, the breach was discovered quickly, and they are pretty sure that the attacker only issued the now-blocklisted certificates.
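The browser updates mentioned above work as a block list: the fraudulent certificates chain to a trusted root, so ordinary path validation accepts them, and the client has to distrust them by identity (issuer plus serial number) on top of that. The Go program below is an added example, not code from Comodo, Mozilla or Microsoft: it builds a throwaway root CA and a server certificate signed by it, shows that the certificate passes normal validation, and then rejects it once its issuer and serial are placed on the list. The CA name, hostname and serial numbers are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Blocklist is a set of distrusted certificates keyed by issuer DN plus serial
// number, the same identity a CA's own revocation data uses.
type Blocklist map[string]bool

func issuerSerialKey(issuer pkix.Name, serial *big.Int) string {
	return issuer.String() + "#" + serial.Text(16)
}

// AddIssuerSerial distrusts one certificate by its (issuer, serial) pair.
func (b Blocklist) AddIssuerSerial(issuer pkix.Name, serial *big.Int) {
	b[issuerSerialKey(issuer, serial)] = true
}

// VerifyWithBlocklist does ordinary path building and hostname checking against the
// trusted roots, then rejects the connection if any certificate in any built chain is
// on the block list. Path validation alone accepts a certificate a trusted CA really signed.
func VerifyWithBlocklist(leaf *x509.Certificate, roots *x509.CertPool, host string, bl Blocklist) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return err
	}
	for _, chain := range chains {
		for _, c := range chain {
			if bl[issuerSerialKey(c.Issuer, c.SerialNumber)] {
				return errors.New("certificate on block list: " + c.Subject.String())
			}
		}
	}
	return nil
}

// sign creates tmpl signed by priv (the parent's key) and parses the result.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildTestPKI generates a throwaway P-256 root CA and a server leaf it signed for host,
// standing in for a CA root and an RA-issued certificate. Names and serials are made up.
func BuildTestPKI(host string) (leaf *x509.Certificate, roots *x509.CertPool, err error) {
	rootKey, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err1 != nil || err2 != nil {
		return nil, nil, errors.New("key generation failed")
	}
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root, err := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = sign(&x509.Certificate{
		SerialNumber: big.NewInt(0x4242), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	roots = x509.NewCertPool()
	roots.AddCert(root)
	return leaf, roots, nil
}

func main() {
	leaf, roots, err := BuildTestPKI("login.example.test")
	if err != nil {
		panic(err)
	}
	bl := Blocklist{}
	fmt.Println("path validation only:", VerifyWithBlocklist(leaf, roots, "login.example.test", bl))
	bl.AddIssuerSerial(leaf.Issuer, leaf.SerialNumber)
	fmt.Println("with block list entry:", VerifyWithBlocklist(leaf, roots, "login.example.test", bl))
}
```

The list is consulted for every certificate in the built chain, not only the leaf, so an entry for a mis-issued intermediate works the same way. It is also only as good as its distribution: a client that has not received the update still trusts the certificate, which is why quick detection by the CA, as the diary notes, matters so much.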
[1] http://blogs.comodo.com/it-security/data-security/the-recent-ca-compromise/
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
Comments
Didn't they use certificate-based login? :)
Denis
Mar 23rd 2011
1 decade ago
Steven
Mar 23rd 2011
1 decade ago
But FF 3.6.16 shows zero (0) certs in its certificate blocking list; why is that?
Pevensey
Mar 23rd 2011
1 decade ago
Jz
Mar 24th 2011
1 decade ago
You seem to be suggesting that CAs should have a list of special domains that get special treatment. Maybe they should, but that becomes an extra feature of their systems that has to be managed, and that means the CA needs more skilled humans managing it. Skilled humans are expensive, and Comodo competes on price.
Ultimately this is a demo of the intrinsic flaw in how the X.509 trust model is used in the real world of TLS/SSL. Users can look at the scores of trusted CA root certs in their browsers and operating systems and have no hope of competently selecting which ones are in fact worthy of their trust. The X.509 model assumes that the decision to trust certain signers is made correctly, when in effect it is barely made at all. Users trust their software providers completely, and the software providers generally shy away from expressing distrust or even skepticism of self-proclaimed CAs.
One can argue that this event proves Comodo unworthy of membership in the set of CAs whose root certs are widely trusted by default. However, such an argument would rest on the dubious axiom that membership in that club is carefully vetted and exclusive to CAs who have proven worthiness at some level above this breach. In fact, this case demonstrates that Comodo is capable of detecting and mitigating a specific sort of breach. I don't know that about the overwhelming majority of CAs that I "trust" operationally.
Bill Cole
Mar 24th 2011
1 decade ago
Jason
Mar 24th 2011
1 decade ago