Basij Hack Comodo Certificate!

On March 15th 2011, a Comodo affiliate RA was compromised, resulting in the fraudulent issue of 9 SSL certificates for sites in 7 domains. In fact, a malicious attacker from the Iranian government managed to obtain supposedly secure digital certificates that can be used to impersonate Google, Yahoo, Skype, Microsoft Live.com, and other major Web sites. The attacker tested the certificate for “login.yahoo.com”. In fact, for more than two months the Basiji Cyber Army has controlled Yahoo Email in Iran, and it is very dangerous to work with Yahoo Email in Iran. All Iranians inside Iran should be aware of this important matter, if they did not know it before. All other famous and well-known anti-censorship and privacy tools are not safe either. Iranians should be very careful. But there are some good solutions for f-u-c-k-ing Mullahs!

Jacob Appelbaum, a Tor Project programmer, says: “On the evening of 16 March, I noticed a very interesting code change to Chromium. In this revision, the developers added X509Certificate::IsBlacklisted, which returns true if a HTTPS certificate has one of these particular serial numbers. These 9 digital certificates were revoked on March 15, 2011 … and finally we found that they belonged to “COMODO High Assurance Secure Server CA” … In total, nine certificates were acquired. Seven were uniquely named. Two of the certificates were re-issued for a previously issued host name. One certificate was issued for “Global Trustee” rather than a valid host name (see below for more information). With testing certificates in the list, we have a good accounting of the certificates found in the source code of each browser. Google clarified their discrepancy with the list, acknowledged the duplicate serial mistake and issued subsequent patches. Saving for test hosts, the lists are now identical … If I had to guess at sites, I’d speculate that Facebook, Skype, Google, Microsoft, Mozilla, and others are worthy of targeting. Comodo should disclose this information and clear up this speculation with very clear information about who was targeted … Comodo has not yet revealed the extent of the compromise to the public – were their signing keys in a hardware security module? How many certificates in total were ever issued by this specific signing key? … The Tor Project, which ships the Tor Browser Bundle, was not notified!!” In fact, in Iran we have a lot of security problems when we work with the Internet. Iranians and non-Iranians should know that the digital certificate for “Global Trustee”, and other fake names, will be used as a “Root Key” for issuing dangerous Islamic “digital certificates”! You should be sure of the validity of every digital certificate before using it, especially in browsers.
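Chromium’s fix was a hard-coded blocklist of the bad serial numbers. Below is an added example (not Chromium’s or Comodo’s code) of how such a check works on the raw DER bytes of a certificate; it keys the list on issuer plus serial, because a serial number is only unique within one CA, and every serial and CA name in it is a constructed placeholder, not one of the real revoked Comodo certificates.

```python
# Added example, not Chromium's or Comodo's code: a blocklist check in the
# spirit of Chromium's X509Certificate::IsBlacklisted, reading only the DER
# framing of a certificate. All serials and CA names below are constructed.
CN_OID = b"\x55\x04\x03"  # DER body of OID 2.5.4.3 (commonName)
# Key the list on (issuer, serial): a serial is unique only within one issuer.
BLOCKLIST = {("Constructed Test CA", 0xDEADBEEF00000000DEADBEEF00000001),
             ("Constructed Test CA", 0x11223344556677889900AABBCCDDEEFF)}

def der(tag, body):  # encode one TLV; long-form length for 128+ byte bodies
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def tlvs(buf):  # split a DER buffer into (tag, body) pairs; reject truncation
    out, i = [], 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long form: low 7 bits give the count of length bytes
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        if i + n > len(buf):
            raise ValueError("truncated DER")
        out.append((tag, buf[i:i + n]))
        i += n
    return out

def identity(cert_der):
    """(issuer CN, serial); tbsCertificate starts with [0] version OPTIONAL,
    serialNumber INTEGER, signature AlgorithmIdentifier, issuer Name."""
    fields = tlvs(tlvs(tlvs(cert_der)[0][1])[0][1])
    if fields[0][0] == 0xA0:  # v1 certificates omit the explicit version
        fields = fields[1:]
    if fields[0][0] != 0x02:
        raise ValueError("serialNumber not found")
    serial = int.from_bytes(fields[0][1], "big", signed=True)  # 0x00 pad ok
    cn = None
    for _, rdn in tlvs(fields[2][1]):  # Name = SEQUENCE OF SET OF SEQUENCE
        for _, atv in tlvs(rdn):
            (_, oid), (_, val) = tlvs(atv)
            if oid == CN_OID:
                cn = val.decode()
    return cn, serial
def is_blocked(cert_der, blocklist=BLOCKLIST):
    return identity(cert_der) in blocklist
def sample_cert(issuer_cn, serial, v3=True):  # constructed, unsigned skeleton
    name = der(0x30, der(0x31, der(0x30, der(0x06, CN_OID) + der(0x0C, issuer_cn.encode()))))
    sb = serial.to_bytes(serial.bit_length() // 8 + 1, "big")  # 0x00 pad keeps it positive
    tbs = (der(0xA0, der(0x02, b"\x02")) if v3 else b"") + der(0x02, sb) + der(0x30, b"") + name
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, bytes(129)))  # long-form outer length
```

A real deployment would feed `is_blocked` the DER of each certificate in the presented chain, and a revoked serial under a different issuer must not match, which is why the issuer is part of the key.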

Comodo’s response was very stupid and unacceptable. They say: “At no time were any Comodo root keys, intermediate CAs or secure hardware compromised”, but how can we be sure!! They say: “An attacker obtained the username and password of a Comodo Trusted Partner in Southern Europe … The attacker used the username and password to login to the particular Comodo RA account and effect the fraudulent issue of the certificates.” The Comodo incident report says: “an RA suffered an attack that resulted in a breach of one user account of that specific RA. This RA account was then used fraudulently to issue 9 certificates … The attacker used an RA account!, and was well prepared and knew in advance what he was to try to achieve. He seemed to have a list of targets that he knew he wanted to obtain certificates for, was able quickly to generate the CSRs for these certificates and submit the orders to our system so that the certificates would be produced and made available to him … The Iranian government has recently attacked other encrypted methods of communication!!!! … It’s not the first government to have done something like this. Late last year, the Tunisian government undertook an ambitious scheme to steal an entire country’s worth of Gmail, Yahoo, and Facebook passwords.” They are so stupid and so passive.

Comodo has a very bad history. When Certstar got caught issuing a certificate for mozilla.com without doing proper validation checks (http://it.slashdot.org/article.pl?sid=08/12/23/0046258), people started calling out Comodo, because Certstar was a Comodo reseller and Comodo shouldn’t have let that happen. The story of “AddTrust AB” was interesting: a company that no longer exists as a company, but Comodo bought the certificates from them, and the rights to continue to use their root CA that bears the AddTrust name. The history is illustrative: basically the AddTrust company was acquired by ScandTrust (out of Malmö, Sweden), which was a Swedish CA, and then Comodo purchased the AddTrust root from ScandTrust. Then Comodo also purchased UserTrust, which had four roots, and those also became part of Comodo when UserTrust became a “Comodo Group Company”. This is interesting because defunct companies that had been sold transferred their key material around to different parties!! In fact, we have more general issues and problems. The browsers should give insecure CA keys an Internet Death Sentence rather than expose the users of the browsers to known problems. This should serve as a wake-up call to the Internet. We need to research, build, and share new methods for ensuring trust, identity, authenticity, and confidentiality on the Internet. But now we have some advice for ourselves and other Iranians and non-Iranians. The key point is: “Don’t use any famous software, tools, browser, or website”. Don’t use Firefox, IE or Google Chrome. There are some better and more secure free browsers. If you want to make use of Gmail or Yahoo email, you could find some non-typical interfaces for them. Try to use some free, less-known, and secure email services that support SSL. You could find them if you search a little. And don’t use the typical and classic “Tor project” in Iran; it is not safe or secure in Iran.

One Response to Basij Hack Comodo Certificate!

  1. The recommendations you shared here are rather useful. It was such a pleasurable surprise to get that awaiting me when I woke up today. They are continually to the point and simple to understand. Thank you for the useful ideas you have shared right here.
