WEB SECURITY OUTFIT Comodo has admitted that an affiliate registration authority (RA) was compromised, leading to the issuance of fraudulent secure sockets layer (SSL) certificates.
Although Comodo's RA was compromised, the firm confirmed that its root keys and intermediate certification authorities were unaffected in the attack. Nevertheless, the compromised RA allowed several bogus SSL certificates to be issued, which have now been revoked.
While Comodo has revoked the SSL certificates, Microsoft has taken more direct action on this issue, releasing a patch that is a "mitigation update", as one of the fraudulent certificates could potentially affect Windows Live ID users when they try to log in at login.live.com.
Comodo claims the breach at its RA was due to the attacker getting hold of a username and password of one of its Trusted Partners in southern Europe. Perhaps more worrying is that at this point Comodo says it is "not yet clear about the nature or the details of the breach suffered by that partner".
While Comodo doesn't have the details about how the account was compromised, it claims to have recorded the IP address of the computer used to initiate the attack. Comodo said that the IP has been traced back to an Internet service provider in Iran. However, the firm took the responsible attitude of saying that while the IP addresses might be from an Iranian ISP, it does not necessarily mean that Iranian nationals conducted the attack.
Although Comodo tempered any suggestion that Iran might have been behind the attack, the firm added that the domains targeted "would be of greatest use to a government attempting surveillance of Internet use by dissident groups".
SSL certificates work on the premise that the issuing body is trusted. Firms such as Verisign, Thawte and Comodo promote themselves as sophisticated, secure operations that can be trusted to issue certificates. While Comodo deserves credit for admitting what happened, the fact that part of its system used to issue SSL certificates was compromised by a third party getting access to a login and password will raise serious concerns for the firm and its customers.
All this goes to show that even SSL certificates are not foolproof for guaranteeing the security of communications on the Internet. µ