Last week’s revelation that a Comodo affiliate Registration Authority has been compromised and that nine rogue SSL certificates have been issued for popular domains such as Gmail, Google Search, Yahoo, Skype and Mozilla Add-ons, has reverberated across the Internet.
Questions have been raised on whether the entire online certificate system is deeply flawed and speculations about the source of the attack have been voiced. According to Comodo, details of the attack seem to point to a state-sponsored effort.
“The attack came from several IP addresses, but mainly from Iran. The attacker was well prepared and knew in advance what he was to try to achieve,” Comodo explained. “It does not escape notice that the domains targeted would be of greatest use to a government attempting surveillance of Internet use by dissident groups.”
Also, the fact that the perpetrator has focused on the communication infrastructure and can only make use of the certificates if it has control of the DNS infrastructure makes Comodo’s researchers believe it was likely a state-driven attack.
But on Saturday, a message posted by the alleged “Comodo Hacker” on Pastebin.com has added more fuel to the speculations. By his own admission, the hacker is Iranian, but claims not to be a member of the Iranian Cyber Army.
He says he is “a single hacker with experience of 1000 hackers”, saying that Comodo’s researchers are wrong in their assumption that a team of hackers was behind the incident.
He says that he first tried to bring down the SSL root certificate system by attacking the RSA algorithm, but after that approached proved too difficult, he decided to use the vulnerabilities in InstantSSL.it – Comodo’s parner’s website – to access the RA’s servers and generate the Certificate Signing Requests submitted to the CA.
Some security researchers believe his claims, and some do not. To prove his claims, the hacker also published part of the decompiled TrustDLL of Comodo’s partner that stored the unencrypted password that gave him access.
Still, as Sophos’ Chester Wisniewski notes, “If it was a lone hacker making a point, why issue certificates for these specific websites, all related to secure communication methods often used by dissidents to organize protests and share news with the world?”