Comodo came clean on Wednesday, admitting that an RA (Registration Authority) in southern Europe had been compromised. This led to the generation of nine rogue SSL certificates on seven domains. The press was all over statements from Comodo’s CEO, who pitched the incident as a state-sponsored attack by Iran. But is that the real issue?
On March 15, one of Comodo’s RAs was compromised. The attacker obtained the username and password associated with the southern European RA and used it to generate a new user account. According to Comodo, other online accounts used by this RA were compromised as well. It is unknown how the attacker obtained the account credentials in the first place.
Once the new user account had been created, the attacker generated nine SSL certificates across seven domains. The domains with rogue certificates created for them were: login.live.com; mail.google.com; login.yahoo.com (three certificates); login.skype.com; addons.mozilla.org, and Global Trustee.
IP logs revealed that the attack originated from an Iranian ISP, in addition to other locations. In its report regarding the incident, Comodo said it looked as if the attacker knew what they wanted ahead of time, as they were “able quickly to generate the CSRs for these certificates and submit the orders to our system.”
The origin of the attacking IP address has led Comodo to speculate that this was a state-sponsored attack on the RA. Some experts agree, given the nature of the rogue certificates and previous actions by the Iranian government. Yet, in covering its bases, Comodo believes the evidence to be circumstantial and that there is no proof Iran is responsible.
Once the attack was detected, Comodo revoked the rogue certificates. In addition, it explained that the compromise “was promptly reported to the owners of the domains affected and the major browser providers and to the relevant government authorities.”
Once the RA compromise was disclosed to the public, security experts offered a wide range of thoughts and opinions on the matter.
For example, Jacob Appelbaum, who first discovered the compromise, called Comodo out for: selective disclosure; failure to name the RA compromised; waiting eight days to make the issue public, and for assuming one would need to control DNS for the rogue certificates to be of any value.
Other experts knocked Comodo’s CEO, Melih Abdulhayoglu, for his September 11 comparison given to Wired, and for playing the victim when his company allows RAs to issue certificates for any domain they want.
By allowing other partners to issue certificates in its name, Comodo placed a spotlight on transitive trust, something critics have said is a major issue when it comes to PKI and digital signatures.
Mike Wood at Sophos has covered this point in his blog post, but it is worth repeating. Comodo (which is a Certificate Authority, or CA) trusted the RA to scrutinize certificate requests, for example by catching an obviously fraudulent request. Comodo also trusted the RA to protect its power to issue certificates. Because transitive trust is passed down the certificate chain, if any single link is compromised, the entire chain is broken.
Since Comodo’s RAs are allowed to issue certificates at will, the general opinion is that this has happened before, only no one was aware of it. Moreover, there is a feeling that it will happen again, and the Internet might not be as lucky in catching the rogue certificates as quickly.
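The trust relationship described above can be sketched as a small model. This is an added example, not code from Comodo or any browser: the account names and domains are constructed placeholders, and an HMAC stands in for the CA's public-key signature. It shows that a relying party checking the certificate sees nothing about which RA vetted the request, so only revocation data separates the rogue certificate from a legitimate one.

```python
import hashlib
import hmac
from dataclasses import dataclass

CA_KEY = b"constructed-demo-ca-key"  # stand-in for the CA's signing key

@dataclass(frozen=True)
class Cert:
    subject: str
    serial: int
    approved_by: str  # RA account that vetted the request; never checked by the client
    sig: bytes

def _sign(subject, serial):
    return hmac.new(CA_KEY, f"{subject}|{serial}".encode(), hashlib.sha256).digest()

class CA:
    """Signs any request submitted through an enrolled RA account."""
    def __init__(self, ra_accounts):
        self.ra_accounts = set(ra_accounts)
        self.next_serial = 1

    def issue(self, ra_account, domain):
        if ra_account not in self.ra_accounts:
            raise PermissionError("unknown RA account")
        # No per-RA domain scoping: the CA relies on the RA's own vetting.
        serial = self.next_serial
        self.next_serial += 1
        return Cert(domain, serial, ra_account, _sign(domain, serial))

def browser_accepts(cert, host, revoked_serials):
    """Relying-party check: host name, CA signature, then revocation data."""
    if cert.subject != host:
        return False
    if not hmac.compare_digest(cert.sig, _sign(cert.subject, cert.serial)):
        return False
    return cert.serial not in revoked_serials

def demo():
    ca = CA({"ra-honest", "ra-compromised"})  # hypothetical account names
    good = ca.issue("ra-honest", "shop.example")
    rogue = ca.issue("ra-compromised", "login.example")
    stale, fresh = set(), {rogue.serial}  # revocation data before and after the CA revokes
    return (browser_accepts(good, "shop.example", fresh),
            browser_accepts(rogue, "login.example", stale),
            browser_accepts(rogue, "login.example", fresh))
```

`demo()` returns the results for the legitimate certificate, the rogue certificate against stale revocation data, and the rogue certificate against current revocation data.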
Comodo has faced public concerns over its certificate issuing processes before. In 2009, researcher Eddy Nigg produced a valid certificate for mozilla.com, commenting at the time that there was “no validation step, not even a hint of it...”
That same year, Comodo faced additional heat when it was discovered that criminals were taking advantage of its free 90-day trial of legitimate SSL certificates, a process it continues to this day.
Microsoft, Mozilla, and Google have each issued browser updates to deal with the RA compromise. They too are taking heat, mostly over certificate methodology and the delayed response with patches.
“The browsers who have failed to replace the-CA-or-nothing-model should shoulder a lot of pain for letting a CA fail this hard,” Appelbaum commented on Twitter. “That browsers allow CAs to delegate to resellers is a really big problem.”
Apple has issued no statements regarding the incident, nor has it publicly released any patches in response. Meanwhile, Opera has said it may block the rogue certificates, but because its browsing software uses OCSP (Online Certificate Status Protocol), users would be instantly warned of a broken or malicious certificate, assuming they're not ignoring warnings delivered by the browser. Android users can use mobile Firefox; otherwise there is no fix for that platform unless one is shipped by the carrier.
Another issue that has been raised in the aftermath of the compromise is the revoking of rogue certificates. Some say this is not the answer. For those interested, a helpful report from ImperialViolet better explains that point of view.
Other problems mentioned within the security community’s discussions of the RA incident include the fact that too many entities have CA powers.
“Some of these are trusted directly by browsers, and others inherit their authority. We don't even know who many of them are, because such delegation of authority - either via "subordinate certificates" or via "reseller authorities" - is not publicly disclosed. The more of these entities exist, the more vulnerabilities exist,” commented Steve Schultze of Freedom to Tinker.
Adding to the conversation, the EFF commented on the problem of DNSSEC as a solution.
“Many people have been touting DNSSEC PKI as a solution to the problem. While DNSSEC could be an improvement, we do not believe it is the right solution to the TLS security problem,” a Deep Links blog post explains.
“One reason is that the DNS hierarchy is not trustworthy. Countries like the UAE and Tunisia control certificate authorities, and have a history of compromising their citizens' computer security,” it added. “But these countries also control top-level DNS domains, and could control the DNSSEC entries for those ccTLDs. And the emergence of DNS manipulation by the US government also raises many concerns about whether DNSSEC will be reliable in the future.”
The immediate action items are clear, according to Sophos’ Wood, who explained that users “need to make sure they are using up-to-date certificate revocation data and browser settings.” He added that long-term solutions to the problem aren’t so clear: “In no way is this an easy problem to solve.”
“While the detection of these fraudulent certificates was quick and published remediation swift, this fast response may well have been a fluke… Hopefully this causes the industry players to audit not only their own security systems and policies, but those of their trusted partners as well.”