Claimed DigiNotar hacker: I have access to four more CAs

The digital miscreant known as ComodoHacker has claimed responsibility for the high-profile DigiNotar digital certificate authority hack. Soon after the Comodo forged-certificates hack, an Iranian using the handle Comodohacker posted a series of messages via a Pastebin account providing evidence that he carried out the attack. …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Thumb Down

    Noob

    That "ComodoHacker" guy sucks. He did a simple SQLi to hack a Comodo reseller and made it sound like he invented the wheel.

    And he probably didn't hack DigiNotar - he just claims credit for it.

  2. Ru
    Facepalm

    SSL cert problems first exposed by the Comodo hack?

    I'd say it goes back a bit further than that. The invention of 'Extended Validation' certificates, perhaps. And it isn't like it is particularly hard to pass the WebTrust audit...

    1. Anonymous Coward
      Anonymous Coward

      Quite

      As soon as EV certs were introduced the whole idea of SSL guaranteeing identity went out the window.

      It was basically an admission of "I know the spec said we are supposed to verify the identity of the cert requestor but that is too profit-wrecking and we balls'ed it all up...But with the new $$$ EV certificates we PROMISE to do a better job this time"

      Which is why I still hate the EARTH IS ENDING warnings you get in Firefox for a self-signed cert. In terms of guaranteeing identity I put them on the same level as a non-EV cert from any of the CAs

  3. David Perry 2
    Meh

    As a precaution

    Shouldn't all CAs be resetting their admin passwords?

    1. RRob
      Thumb Down

      Re: As a precaution

      >>Shouldn't all CAs be resetting their admin passwords?

      Why, did that stop the hacker last time?

  4. Anonymous Coward
    FAIL

    SSL Security ...or not

    This is not the first time something like this has happened, though this does seem to be a particularly high profile and destructive occurrence. Similar bogus certificates have been issued in the past, mostly through CA incompetence rather than hacking.

    My point is, as has been pointed out many many many times before by lots of people, many of whom know far more about this stuff than most of us, the SSL keychain/certificate system is BROKEN. It was broken from day one, and it's not until some REALLY high profile case comes to light (like a major bank being hit or something) that the world at large is going to wake up to this fact. Fundamentally, the "chain of trust" that SSL relies on can not be trusted. Simple as that.

  5. John Hughes
    FAIL

    Pr0d@dm1n == Prodadmin

    http://www.xkcd.com/936/

    So, now we know who ComodoHacker is.

    1. Busby
      Stop

      John Hughes

      Please stop publishing the password I now use for everything.

      That is all.

      1. Anonymous Coward
        Coat

        I thought you used " 1 2 3 4 5"...

        Yep, that's my coat.

  6. Anonymous Coward
    Anonymous Coward

    It's just the tip

    What this ( and similar recent issues) seems to show is that the security of companies who are making money on "security" is not up to snuff.

    DigiNotar's parent company did a very poor job of vetting the company they purchased and I would expect that to have an effect on their other products even if "Diginotar tech was not integrated" yet. They are responsible for the long delay between discovery and disclosure.

  7. joe.user
    Go

    No CAs auditing their networks for vulns?

    Hi Qualys, nice to meet you.

  8. Anonymous Coward
    Thumb Up

    The solution

    The real solution here is to drop all these CA whore companies and just use a single trusted government to issue certificates. I vote for the US - with all the top level certificates signed by the President himself.

  9. Rob Daglish
    Coffee/keyboard

    @the solution

    Seriously? Is that meant to be sarcasm?

    1. Nanki Poo

      @Seriously...

      I think the "...signed by the President himself..." probably clarified that. ;)

      nK

  10. JanMeijer

    Reality vs. paper

    As is pointed out in "It's just the tip", it is the real-life security that is the issue here, and the way that organisations deal with security, and in particular PKI. PKI mechanisms offer paper security; the *real* security depends on the reality of the implementation. PKI as a system might have flaws that make it fragile, but this doesn't mean you can't get it right. Trouble is, few people bother. Why would they? When you run a PKI, all the talk is about your vetting procedures, your private key protection, bla bla bla. Security audits are done according to security audit standards X, Y and Z. All nice and well. All secure. Until you look at the intricate little details of the actual system and application security. That's where the cracks are. I know a fair number of people who are good at finding these cracks, securing them properly and designing a system such that the chances of exploitation of issues are very small to begin with. These are unfortunately not the same people that are called in when systems get designed, or when systems get audited. That is where the paper people come in. Don't get me wrong, security policies have their place. But ultimately it is the reality that runs the show; paper people tend to forget that. Much like a builder's code works wonders to prevent shoddy buildings, but only if the builders actually adhere to it...

    Much talk about incentives in the CA world. I offer a much simpler answer. There aren't that many people with brains wired for proper security, or proper PKI. Those people, unfortunately, often need to choose: PKI or real-life security. Not that many do both. Lack of understanding of different worlds does the rest...

    A bit of a rambling post perhaps, but there's lots of truth in what I write. Trust me ;)

  11. nyelvmark
    WTF?

    Pr0d@dm1n

    Not the securest of passwords perhaps. You shouldn't use 0 for o, @ for a, or 1 for i, but the combination of them with a non-obvious pair of words still looks pretty good against a brute-force attack to me. I'd be interested to hear a cryptographer's view. If that was really the password, I'd be looking for evidence of a social-engineering exploit.

    1. John Hughes

      See my earlier post.

      XKCD knows all
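nyelvmark's question above (is a leetspeak password like Pr0d@dm1n still strong against brute force?) and John Hughes's pointer to xkcd 936 can be answered with a short calculation. The following is an added example, not part of this thread or of any product mentioned in it: it estimates the work factor for the same password under two guessing models, a blind per-character brute force and a rule-based guesser that tries dictionary words with capitalisation and leet substitutions. The leet table, the sample word list, and the assumed 20,000-word cracking dictionary are constructed for the example; the point is that the smaller of the two estimates is the one a defender should plan around.

```python
import math
import string
from typing import List, Optional

# Constructed leet-substitution table (an assumption for this example, not from the thread):
# maps the symbol a user types to the letter it stands in for.
LEET = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
LEETABLE_LETTERS = set(LEET.values())

# Constructed sample word list. A real cracking dictionary is far larger, so the
# arithmetic below uses the assumed DICT_SIZE rather than len(SAMPLE_WORDS).
SAMPLE_WORDS = {"prod", "admin", "pro", "ad", "min", "correct", "horse", "battery", "staple"}
DICT_SIZE = 20_000


def naive_charset_bits(password: str) -> float:
    """Work factor (bits) for a blind brute force that enumerates every string of this
    length over the character classes the password actually uses."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return len(password) * math.log2(size)


def unleet(password: str) -> str:
    """Undo leet substitutions and case so the string can be matched against a word list."""
    return "".join(LEET.get(c, c) for c in password).lower()


def segment(text: str, words: set) -> Optional[List[str]]:
    """Split text into the fewest dictionary words (dynamic programming); None if impossible."""
    best: List[Optional[List[str]]] = [None] * (len(text) + 1)
    best[0] = []
    for i in range(1, len(text) + 1):
        for j in range(i):
            if best[j] is not None and text[j:i] in words:
                cand = best[j] + [text[j:i]]
                if best[i] is None or len(cand) < len(best[i]):
                    best[i] = cand
    return best[len(text)]


def dictionary_model_bits(password: str, words=SAMPLE_WORDS, dict_size=DICT_SIZE) -> Optional[float]:
    """Work factor (bits) under a rule-based guesser: pick k words from a dict_size list,
    optionally capitalise each word's first letter, and for every letter that has a leet
    spelling decide whether to substitute it. Returns None when the password does not
    decompose into dictionary words, i.e. this model does not apply to it."""
    plain = unleet(password)
    parts = segment(plain, words)
    if parts is None:
        return None
    k = len(parts)
    leetable = sum(1 for c in plain if c in LEETABLE_LETTERS)
    # k word choices, one capitalisation bit per word, one substitution bit per leetable letter
    return k * math.log2(dict_size) + k + leetable


def passphrase_bits(n_words: int, dict_size: int = 2048) -> float:
    """Work factor for n words drawn uniformly at random from a dict_size word list
    (the xkcd 936 construction)."""
    return n_words * math.log2(dict_size)


def strength_report(password: str) -> dict:
    """Both estimates side by side; the effective figure is the smaller one."""
    naive = naive_charset_bits(password)
    modelled = dictionary_model_bits(password)
    return {
        "naive_bits": round(naive, 1),
        "dictionary_bits": None if modelled is None else round(modelled, 1),
        "effective_bits": round(naive if modelled is None else min(naive, modelled), 1),
    }


if __name__ == "__main__":
    for pw in ("Pr0d@dm1n", "xK9#qL2$wR"):
        print(pw, strength_report(pw))
    print("four random words from a 2048-word list:", passphrase_bits(4), "bits")
```

For Pr0d@dm1n the blind model gives about 59 bits, but once the guesser knows to try two dictionary words with leet and capitalisation rules the estimate drops to roughly 34 bits, below the 44 bits of four random words from a 2048-word list. A random string such as xK9#qL2$wR does not decompose into words, so the dictionary model returns None and only the blind estimate applies.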

  12. Anonymous Coward
    Anonymous Coward

    The REAL solution

    Take Iran off the Internet; problem solved. They can't hack what they can't get to.

    1. webhead

      Why not Israel, Britain, US, or other state-sponsored agency?

      Iran - snoop on possible communications between Iran citizens and anti-Iran groups.

      Israel - snoop on possible communications between Iran agents and anti-Israel groups. (for example: Hamas).

      US - snoop on possible communications between Iran agents and anti-US groups.

      etc

      I am not saying that Iran is innocent, but, they are not the only ones that can benefit from reading emails/traffic between points in Iran and the rest of the internet.

      Who knows.. maybe it's some 'blown egos' from that Stuxnet malware.
