Comodo attacker hints at more CA hacks

The hacker allegedly responsible for stealing digital certificates from Comodo has said that further Certificate Authorities (CAs) may have been hacked.

(Complete image by Timypenburg, CC BY-SA 2.0)

In an email interview, the hacker, who goes by the name "Sun Ich", said "maybe there is more CAs involved" but would not elaborate, saying only that it is for the affected authorities to decide whether to come forward. There are hundreds of CAs around the world, responsible for issuing the digital certificates that browsers rely on to decide which websites to trust. Many CAs delegate the day-to-day issuing of certificates to registration authorities (RAs).

The alleged lone Iranian hacker made headlines after he broke into one of Comodo's registration authorities, InstantSSL.it, and obtained nine fraudulent digital certificates for domains including Google Mail, Microsoft Live, Mozilla and Skype. He posted the private key for the Mozilla certificate as proof of the attack.

Sun Ich also claimed responsibility for hacking two further Comodo RAs; neither the hacker nor Comodo will name the affected authorities.

Comodo acknowledged the two further breaches in a post to Mozilla, but said no digital certificates were compromised in those attacks. The company's chief technology officer, Robin Alden, said the company has suspended the privileges of the compromised RAs and is "implementing both IP address restriction and hardware-based two-factor authentication" for all authorities.

Sun Ich said the attack on InstantSSL.it took about 25 days. "In about 10 days, I found out that Comodo gave special permissions to partners, [while] others don't. I got a list of partners, attacked them, owned three of them in about four days [and] executed attack via largest partner I owned — instantssl.it."

The attacks have revived old questions about the integrity of the certificate trust model, notably whether browsers can reliably reject a compromised certificate once its CA has revoked it.

Revocation, where a compromised certificate is withdrawn ahead of its expiry date, is critical because every CA on a browser's trust list is trusted by default by all of that browser's users, so a certificate issued in error remains valid everywhere until it is either revoked or expires.

And there are further problems caused by the different methods browsers use to decide which CAs to trust.

Google engineer Adam Langley, in a blog post, puts part of the blame on the Online Certificate Status Protocol (OCSP) revocation model, which is fairly easy to defeat: browsers treat an OCSP lookup that gets no answer as a pass, and an attacker positioned to present a fraudulent certificate is usually also positioned to block the lookup. He proposed giving certificates much shorter lifetimes, days instead of years, so that a mis-issued certificate stops working on its own.
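The soft-fail weakness Langley describes, as an added example that is not from the article or from Langley's post: a small Go program, written for this page, that builds a hypothetical in-process CA, issues a leaf certificate for the constructed hostname mail.example.test, revokes it, and then evaluates the leaf the way a client would. The revocation signal is modelled with a CRL rather than an OCSP response, because Go's standard library (1.19 or later assumed) can create and parse CRLs but not OCSP responses; the client-side decision is the same. A nil CRL stands in for the responder being unreachable, which is exactly what an attacker in the network path can arrange.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Status is the outcome of a revocation lookup.
type Status int

const (
	Good Status = iota
	Revoked
	Unavailable // no answer, stale answer or bad signature
)

// Fixtures is a hypothetical in-process CA, one leaf it issued and a CRL
// signed by the CA that revokes that leaf. Nothing here touches a real CA.
type Fixtures struct {
	CA, Leaf *x509.Certificate
	CRL      []byte // DER
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// BuildFixtures issues a leaf for the constructed name mail.example.test,
// valid for leafLifetime from now, then revokes its serial in a CRL.
func BuildFixtures(now time.Time, leafLifetime time.Duration) *Fixtures {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test CA"}, // hypothetical
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	check(err)
	ca, err := x509.ParseCertificate(caDER) // parsed copy carries the SubjectKeyId the CRL needs
	check(err)
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "mail.example.test"}, // constructed hostname
		DNSNames:     []string{"mail.example.test"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(leafLifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	check(err)
	leaf, err := x509.ParseCertificate(leafDER)
	check(err)
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          now,
		NextUpdate:          now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}},
	}, ca, caKey)
	check(err)
	return &Fixtures{CA: ca, Leaf: leaf, CRL: crlDER}
}

// RevocationStatus evaluates leaf against its issuer's CRL. crlDER == nil
// models the responder being unreachable, e.g. blocked by the attacker.
func RevocationStatus(leaf, issuer *x509.Certificate, crlDER []byte, now time.Time) Status {
	if crlDER == nil {
		return Unavailable
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil || crl.CheckSignatureFrom(issuer) != nil || now.After(crl.NextUpdate) {
		return Unavailable
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return Revoked
		}
	}
	return Good
}

// Accept is the client decision. Soft-fail counts Unavailable as Good, which
// is why a blocked lookup defeats revocation; hard-fail refuses the connection.
func Accept(leaf, issuer *x509.Certificate, crlDER []byte, now time.Time, hardFail bool) bool {
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) || leaf.CheckSignatureFrom(issuer) != nil {
		return false // expiry is the one check the attacker cannot suppress
	}
	st := RevocationStatus(leaf, issuer, crlDER, now)
	return st == Good || (st == Unavailable && !hardFail)
}

// ExposureDays is how long a mis-issued leaf stays usable under soft-fail
// with the lookup blocked: until it expires, whatever the CA has revoked.
func ExposureDays(leaf *x509.Certificate, now time.Time) int {
	return int(leaf.NotAfter.Sub(now).Hours() / 24)
}

func main() {
	now := time.Now().UTC().Truncate(time.Second)
	for _, life := range []time.Duration{3 * 365 * 24 * time.Hour, 7 * 24 * time.Hour} {
		fx := BuildFixtures(now, life)
		fmt.Printf("lifetime %4d days: CRL reachable/soft-fail=%v blocked/soft-fail=%v blocked/hard-fail=%v\n",
			ExposureDays(fx.Leaf, now), Accept(fx.Leaf, fx.CA, fx.CRL, now, false),
			Accept(fx.Leaf, fx.CA, nil, now, false), Accept(fx.Leaf, fx.CA, nil, now, true))
	}
}
```

Run it and the revoked three-year leaf is rejected only while the CRL can be fetched; with the lookup blocked, soft-fail accepts it for all 1,095 days of its validity, and only hard-fail or expiry stops it. The seven-day leaf shrinks that window to a week, which is the point of Langley's short-lifetime proposal. `RevokedCertificates` is the older CRL field in Go's API; it is still honoured by current releases and keeps the example working on Go 1.19.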

Sun Ich said many CAs are vulnerable. "Fixing this stuff isn't easy. You can't go and review each partner or you can't review all CAs … digital security never was 100 per cent."

He maintained he hacks independently, stating that even his "closest friends" don't know about the attack on Comodo. He said he started learning the basics of cryptography at 13, seven years ago, and later began learning about cryptanalysis after analysing a home-made hashing algorithm.