20110315: Comodo issues 9 fraudulent certificates after a hack
Comodo was tricked into issuing 9 certificates for well-known websites (google, yahoo, skype...) on March 15, 2011.
The attacker actually used the login and password of one of Comodo's Registration Authorities (RA). To this day we do not know how he obtained those credentials (theft? hacking?), but it was not a brute-force attack.
The certificates were quickly discovered and revoked by Comodo, but given the risk level, Comodo also contacted browser vendors so that they would ship a certificate blacklist. This was done on March 23rd.
Comodo then released the information publicly by publishing these 2 articles:
- http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html
- http://blogs.comodo.com/it-security/data-security/the-recent-ca-compromise/
It should never have happened! It happened because the authentication used to connect to the Comodo interface was weak: a login/password system.
If you are managing users, you know it: they store their passwords anyhow, they use words that are easy to guess or, worse, they use the same password everywhere.
It should lead to a reflection on weak authentication: imagine what an evil-minded person could do in your systems with a stolen password!
Here at TBS INTERNET, we are concerned: most of our customers choose weak authentication (username/password), even though they can choose between weak and strong authentication! We will soon introduce new measures to limit the risks.
Comodo took action too: weak authentication is going to be removed and a cryptographic token holding a certificate will be distributed to RAs. Moreover, a DCV (domain control validation) challenge will be added to the certificate issuance process.
Results
- Comodo's infrastructure has never been compromised. Comodo's roots are safe and remain functional.
- Comodo currently deploys strong authentication by certificate for its Registration Authorities
- A DCV challenge is being deployed for all certificates (except for EV ones)
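To make the DCV control mentioned above concrete, here is an added Python example (not code from TBS INTERNET or Comodo) sketching how a domain control validation challenge refuses issuance when the requester does not control the domain, even if he holds a valid RA login. The account key, the domain names and the in-memory "web" are constructed for the example; a real CA would fetch the challenge over HTTP from the domain resolved through public DNS.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional

# Shared secret between the CA and the requester's account.
# CONSTRUCTED value for this example; a real deployment derives one per account.
ACCOUNT_KEY = b"example-account-key-not-a-real-secret"

# Constructed stand-in for "the web": domain -> {path: served body}.
# Only the legitimate owner of a domain can place content here.
FAKE_WEB: Dict[str, Dict[str, str]] = {}


def issue_dcv_challenge(domain: str, account_key: bytes = ACCOUNT_KEY) -> Dict[str, str]:
    """CA side: bind a fresh random nonce to the requested domain.

    The expected answer is an HMAC over domain and nonce, so a response
    captured for one domain cannot be replayed to validate another.
    """
    nonce = secrets.token_hex(16)
    expected = hmac.new(account_key, f"{domain}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return {
        "domain": domain,
        "path": f"/.well-known/dcv/{nonce}",
        "expected": expected,
    }


def verify_dcv_challenge(challenge: Dict[str, str],
                         fetch: Callable[[str, str], Optional[str]]) -> bool:
    """CA side: fetch the challenge path from the domain itself.

    `fetch` is injected so the check runs offline here; in production it
    would be an HTTP GET against the domain named in the challenge.
    """
    body = fetch(challenge["domain"], challenge["path"])
    if body is None:
        return False
    # Constant-time comparison avoids leaking how many leading characters matched.
    return hmac.compare_digest(body.strip(), challenge["expected"])


def fake_fetch(domain: str, path: str) -> Optional[str]:
    """Constructed fetcher that reads from FAKE_WEB instead of the network."""
    return FAKE_WEB.get(domain, {}).get(path)


def scenario_owner_passes() -> bool:
    """Legitimate requester: controls the domain, publishes the token, passes."""
    ch = issue_dcv_challenge("owner.example")
    FAKE_WEB.setdefault("owner.example", {})[ch["path"]] = ch["expected"] + "\n"
    return verify_dcv_challenge(ch, fake_fetch)


def scenario_stolen_credentials_fails() -> bool:
    """Requester with a valid RA login but no control of the target domain.

    The order can be submitted, but nothing is served at the challenge path,
    so issuance is refused. Returns True when the check correctly fails.
    """
    ch = issue_dcv_challenge("victim.example")
    return verify_dcv_challenge(ch, fake_fetch) is False


def scenario_wrong_domain_fails() -> bool:
    """A token published on some other domain must not validate a challenge
    issued for victim.example. Returns True when the check correctly fails."""
    ch = issue_dcv_challenge("victim.example")
    FAKE_WEB.setdefault("other.example", {})[ch["path"]] = ch["expected"]
    return verify_dcv_challenge(ch, fake_fetch) is False


if __name__ == "__main__":
    print("domain owner passes:", scenario_owner_passes())
    print("RA password alone fails:", scenario_stolen_credentials_fails())
    print("token on another domain fails:", scenario_wrong_domain_fails())
```

The point of the design is that the proof of control lives on the domain, not in the RA's account: a stolen login can start an order but cannot place the nonce on a web server the attacker does not run, which is exactly the gap the March 15 issuance exploited.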