On March 15th, 2011, a Comodo affiliate registration authority (RA) was compromised, resulting in the fraudulent issuance of 9 SSL certificates to sites in 7 domains. Comodo claims that no root keys, intermediate CAs or secure hardware were compromised. The compromise occurred at an affiliate that is authorized to perform primary validation of certificate requests. The RA account in question has been suspended pending an ongoing forensic investigation.
The attack came from several IP addresses, but mainly from Iran.
| IP Address Location | |
| --- | --- |
| IP Address | 212.95.136.18 |
| City | Tehran |
| State or Region | Tehran |
| Country | Iran, Islamic Republic of |
| ISP | Pishgaman TOSE Ertebatat Tehran Network |
| Latitude & Longitude | 35.696111, 51.423056 |
The affected domains according to Comodo are:
- login.live.com
- mail.google.com
- www.google.com
- login.yahoo.com (3 certificates)
- login.skype.com
- addons.mozilla.org
- Global Trustee
Comodo has revoked these certificates and listed them in its revocation list. Microsoft is also releasing an update that will blacklist these certificates.
The attacker obtained a username and password to log into the partner's systems and was able to issue the fraudulent certificates. According to Comodo, the breach was discovered quickly, and they are pretty sure that the attacker issued only the now-blacklisted certificates.
Was this a state-driven attack? Iran recently deployed DPI (Deep Packet Inspection), high-end network equipment that uses ultra-fast microchips to read and classify internet traffic in transit. The Iranian authorities used DPI to detect the highly specific parameters Tor uses to establish an encrypted connection. Since then, the Tor Project developers have redesigned the software so that its traffic looks just like any other when it sets up an encrypted connection, and Iranian Tor users are now back to normal.


