
Two More Comodo Registration Authority Accounts Compromised!



Certification company’s humiliation drags on as hacker scalps two more Comodo registration authority accounts
The Iranian hacker that managed to fox Comodo into issuing nine fraudulent certificates appears to have compromised two more registration authority accounts, raising questions of what exactly is going on at the certificate authority.
“Two further RA accounts have since been compromised,” wrote Robin Alden, CTO of Comodo Security, on the mozilla-dev-security-policy mailing list. The partners have had their registration authority privileges withdrawn, Alden said.

Comodo Retrofitting Broken Padlocks
Alden made the announcement in an e-mail addressing questions posed by the members of the mailing list. “No further mis-issued certificates have resulted from these compromises,” Alden said.
The self-identified Comodo hacker (writing under the name Janam Fadaye Rahbar) claimed in a follow-up message on Pastebin to have “owned 3 of them [Comodo partners],” and not just the Italian InstantSSL.it partner that was mentioned earlier. Rahbar said InstantSSL.it had more code and more domains, making it seem like “they are more tied with Comodo”.
Rahbar also published the private RSA encryption key for Mozilla’s addons domain, which corresponded to the publicly available fake SSL certificate, said Paul Mutton, a security researcher at British security firm Netcraft.
“Only Comodo, the affiliate, or the hacker could have known this secret key,” said Mutton. He warned that the publication of the key means there is a risk of man-in-the-middle attacks against Mozilla Add-ons users. Users should be protected if they were using the most updated version of the browser, he said.
A number of security professionals on the mozilla-dev-security-policy list were clearly fed up with what they saw as an ongoing trend of mistakes by the certificate authority. “Comodo had several opportunities to show that they are willing to change,” Paul van Brouwershaven, CTO of Networking4All, a Dutch hosting and security provider, wrote on the mailing list and forwarded to eWEEK. “They have showed over and over again that they are not willing to take the responsibility that a CA should have,” he said.
He said it was time for Mozilla, Microsoft and other companies to pull Comodo from their browsers and force Comodo to do a product recall. Likening the incident to a potential security problem with a car, van Brouwershaven said Comodo should refund customers for all certificates issued
Despite claims by Comodo CEO Melih Abdulhayoglu that Comodo strictly checks and verifies applicants are who they claim to be, Alden’s e-mail hinted that was not always the case. At the time of the Comodo hack on March 15, nine percent of Comodo partners could place SSL certificate orders using their own domain control processes instead of Comodo’s, Alden wrote. Comodo’s process consists of sending and confirming the receipt of an e-mail to an address on the domain to be validated or to the address listed on the domain’s WHOIS entry.
Alden said the compromised partner was allowed to implement a separate process because the RA “did a good job of validating domain control”, had a “good and close relationship” with a small number of customers, and “spoke the same language” as those customers. Comodo had given the partner leeway because it had not considered that attackers might compromise the partner, Alden said.
Comodo now requires all “100 percent” of registration authorities to use the Comodo-driven process or have Comodo handle the validation, Alden said. Abdulhayoglu recently told eWEEK that Comodo requires applicants to verify their identity and domain ownership, such as by submitting a notarised letter.
“In the case of Comodo they have enough incidents to prove they are not able to run a proper CA and put the whole internet community in danger,” said van Brouwershaven. Comodo reportedly issued bad certificates for Mozilla back in 2008, according to Paul C Bryan, also on the list.

Does Three Strikes Mean Out?
The issue boils down to a matter of trust. Abdulhayoglu had often railed against other certificate authorities for “weakening the padlock, [SSL certificate on the browser]” because they do not perform any validations and just rubber-stamp applications. For van Brouwershaven and others, the trust issues lay directly at Comodo’s feet.
“Who will trust the CA model in general if we do not pull the root from all the browsers from a CA that is clearly not able to do the job?” van Brouwershaven wrote, noting that the whole model depended on being able to remove problem roots.
Bryan noted there was no incentive for browsers to act, since pulling the root authority would potentially break “thousands of so-called secure web sites.” Such a move would be especially “unattractive to browser vendors, who have consistently avoided adversely affecting the experience of their users,” Bryan wrote.
For that kind of a boycott to happen, a consortium of browser vendors would have to work together collectively to make such decisions, Bryan said.

News Source : http://www.eweekeurope.co.uk