Comodo has confirmed that two more registration authorities affiliated with the company also were compromised in a highly publicised SSL certificate fraud attack disclosed last week.
No more forged certificates were issued as a result of the latest compromises, Comodo said. It suspended the registration authority privileges of its two latest affected resellers.
Comodo chief technology officer Robin Aldren announced the new compromises on a Mozilla forum thread created after the initial attack.
“Two further [registration authority] accounts have since been compromised and had privileges withdrawn,” Alden wrote in the message, posted Tuesday. “No further misissued certificates have resulted from those compromises.”
Comodo, a US company that issues digital SSL certificates used by websites to validate their identity to visitors, revealed last week that an attacker had compromised one of its European resellers and issued nine fraudulent digital certificates for high-profile sites such as Google, Yahoo, Skype and Microsoft's Hotmail.
While Comodo said the sophistication of the intrusion indicated that it was state-sponsored, an Iranian hacker over the weekend took responsibility for the attack and claimed that he acted alone and was not part of any such political agenda.
The intruder, calling himself “Comodohacker,” has posted several lengthy documents on the text-sharing site Pastebin, offering up details about the incident. In the latest document, posted Tuesday, the hacker said it was a difficult infiltration that took time.
“From listed resellers of Comodo, I owned three of them,” the hacker wrote.
Although rogue certificates were revoked, it was serious enough to prompt Comodo to institute new controls and for the major web browsers – Mozilla's Firefox, Microsoft's Internet Explorer and Google's Chrome – to issue updates to their browsers last week.
In response to rampant concerns about the trustworthiness of its certificate generation system from customers, browser companies and others in the security community, Comodo's Alden said the company is in the process of rolling out hardware-based, two-factor authentication for its resellers to ward off attacks in the future.
But it could take weeks to complete and Comodo has promised to review reseller validation work prior to issuing certificates.
Mozilla criticised Comodo for allowing authorities to issue certificates from the root that the company maintains, a practice that eliminated attack mitigations. Comodo said it will stop this practice.
Brian Trzupek, vice president of managed identity and SSL at Trustwave, a rival SSL certificate authority, said that Comodo had a “track record” of trust issues dating back to at least 2008, when one of its resellers, CertStar, issued a SSL certificate for Mozilla.com without validation.
Moreover, Comodo's solution of implementing two-factor authentication, while an improvement, may not have prevented the initial attack, he said.
“The hacker that did this said he had a zero-day for Windows 2003,” Trzupek said, referencing a tweet from the supposed intruder. “A second factor wouldn't help that.”