By Detector | 25 March 2011

A major issuer of secure socket layer (SSL) certificates acknowledged last week, on March 15th, 2011, that it had issued 9 fraudulent SSL certificates to seven Web domains, including those for Google.com, Yahoo.com and Skype.com, following a security compromise at an affiliate firm. The attack originated from an IP address in Iran, and in its statement Comodo didn’t rule out political motives for the hack.

According to Comodo’s statement, the attacker was able to obtain the user name and password of a Comodo Registration Authority (RA) based in Southern Europe and issued the fraudulent certificates using the stolen RA login information. The company said the hack did not extend to its root keys or intermediate certificate authorities, but did constitute a serious security incident that warranted attention.

The compromise was discovered last week and was believed to have lasted only hours before being detected. Attackers were still using the account at the time it was discovered, and the certificates in question were revoked immediately.

The Mozilla Foundation, Microsoft, Google and other firms rushed out patches to their Web browsers on Tuesday to block the fraudulent SSL certificates. In an incident report filed on March 15, Comodo said the nine certificates were issued to seven domains, but that no attacks using the certificates had been seen in the wild.

The breach raises serious questions about the system of checks and balances used to issue and monitor SSL certificates, which are the most common tool for attesting to the validity of a Web site and securing traffic to and from it. Comodo may be the poster child for the vulnerability of the certificate infrastructure, but the company is hardly alone.

“Just as RSA showed they can be compromised, Comodo shows that this is something that can happen with any Certificate Authority. In fact we have no idea that it hasn’t happened to others,” he said.
