The investigation Comodo has mounted following the recent compromise of one of its Registration Authorities and the issuing of rogue certificates for popular sites has revealed that two additional RAs have been compromised but that no more bogus certificates had been issued.
According to Robin Alden, Comodo’s Chief Technical Officer, those RAs had their privileges withdrawn immediately. He shared no further details about the initial compromise or about these last two, but made a point of stating that Comodo’s CA systems, its hardware security modules and its private key material have not been compromised in any way.
The message he posted to a discussion thread about the attack also contains an account of the measures Comodo is currently undertaking to prevent this kind of compromise in the future.
“We are rolling out improved authentication for all RA accounts. We are implementing both IP address restriction and hardware based two-factor authentication. The rollout of two-factor tokens is in progress but will take another couple of weeks to complete. Until that process is complete Comodo will review 100% of all RA validation work before issuing any certificate,” he explained.
He also mentioned that they have taken into consideration Mozilla’s advice that they stop issuing certificates directly from their own root to RAs that request them.
“We understand Mozilla’s request that we move to having a separate sub_CA certificate per RA. Currently many of our end entity certificates are issued from RA-specific sub-CAs but some (like this incident) are not. As a short-term measure we will move towards issuing all certificates from sub-CAs,” he clarified. “Initially some of these will be Comodo-branded and there will not be a 1:1 match between RAs and sub-CAs, but we think this will give Mozilla the flexibility they seek in this regard. In the slightly longer term we will move to a sub-CA per RA.”
According to the latest message posted by the self-styled “Comodo Hacker”, the information about two more RAs being compromised is correct. “From listed resellers of Comodo, I owned 3 of them, not only Italian one, but I interested more in Italian branch because they had too many codes, works, domains, (globaltrust, cybertech, instantssl, etc.) so I thought they are more tied with Comodo,” he explains.
Whether he was actually behind the attacks is still being debated by the security community, but at least one researcher believes the Comodo Hacker is telling the truth: Robert Graham of Errata Security says he checked the private key the hacker published against the forged certificates and that it is valid.