Mar 30, 2011 15:59 GMT

Comodo has determined that accounts of two more Registration Authorities (RAs) were compromised following the recent incident where a hacker managed to obtain rogue digital certificates for high-profile domains, including Google, Yahoo, Hotmail and Mozilla.

The security of the entire public key infrastructure (PKI), which relies on SSL certificates issued by Certification Authorities (CAs) to establish trust between clients and websites, is currently under the microscope.

The hacker behind this attack compromised a Comodo reseller (Registration Authority) in Italy and used its credentials to request the rogue certificates, which were then issued by Comodo without thorough verification.

"Two further RA accounts have since been compromised and had RA privileges withdrawn. No further mis-issued certificates have resulted from those compromises," announced Comodo's CTO Robin Alden on a discussion group set up by Mozilla.

Alden also admitted the company was unprepared for attack scenarios based on full RA compromise, but it is working on implementing some measures that would address that in the future.

For one, all RA-issued certificate requests for high-value domains matching a list maintained by Comodo will require a review by the company.

Furthermore, the company is rolling out IP-based restrictions and two-factor authentication for all RAs, but this is expected to take a couple of weeks.

"As of shortly after this incident, all (100%) of our RAs must either use this (Comodo-driven) DCV process - or otherwise have their validation checked by Comodo. This applies to all orders placed," Alden added.

The company is also considering Mozilla's request to sign certificates as a sub-CA for each RA, which would make it possible for browser developers to blacklist entire RAs instead of particular certificates.

The discussion about the future of web trust and security is ongoing, and Mozilla has issued a call for research papers on the subject so that all suggestions are taken into consideration.