The alleged hacker of Comodo stepped forward this weekend to explain how he generated bogus SSL certificates for login.skype.com, mail.google.com, login.live.com and other popular internet websites.
His story is that he was able to compromise Comodo’s partner GlobalTrust.it and InstantSSL.it. Both sites are currently “under construction.”
He brags how he decided to bring down the SSL root certificate system and began by attacking the RSA algorithm, but when he found the vulnerabilities in these websites he decided on that approach.
On that point I would have to agree with him, as hacking the RSA algorithm seems a significantly more difficult challenge, but the text of his “manifesto” is so full of bravado it is difficult to even read.
While he is Iranian, he claims no association with the “Iranian Cyber Army” and insists he is simply a hacker with a 1000 times the knowledge and experience as everyone else…
While investigating how he might compromise a Certificate Authority (CA) he stumbled upon InstantSSL.it and their use of a DLL on their site used to submit Certificate Signing Requests (CSRs) for immediate signing by the CA.
Upon disassembling this DLL, he discovered a plain text username and password used as part of the CSR submission process, allowing him to submit any CSR he wished to be signed by Comodo and instantly retrieve the signed certificate.
Initially it was unclear if this guy was for real, and of course it is still impossible to tell. He did post some of the source from TrustDLL.dll to pastebin, including the parts used for authentication that stored the unencrypted password.
Once again we come back to insecure passwords and password handling techniques. Fortunately the impact of this incident is quite small and may be a wake-up call for the certificate industry as a whole.
As Mozilla pointed out in a blog post, the practice of directly signing certificates with the root certificate, as Comodo had been doing, is really bad practice.
The one remaining mystery is this: If it was a lone hacker making a point, why issue certificates for these specific websites, all related to secure communication methods often used by dissidents to organize protests and share news with the world? His ramblings certainly show his support for Mahmoud Ahmadinejad and the current Iranian regime, but there are no conclusive ties to his government.