Iran accused of hack attack to steal fake Comodo SSL certificates

by Iain Thomson

23 Mar 2011

The major browser developers have released patches to deal with SSL certificates which were stolen from certificate authority Comodo earlier this month.

Firefox, Chrome and Internet Explorer have all been patched to deal with the fake certificates and other manufacturers are following suit.

The incident began on 15 March with a hacking attack on a southern European partner of Comodo.

Nine fake SSL certificates were requested for sites, including Google, Microsoft, Skype and Yahoo, and at least one was issued before the attack was detected and terminated. Comodo immediately revoked the certificates and informed the necessary parties.

The resultant activity was picked up by the Tor Project, which noticed Google's Chromium engine making changes to block the SSL certificates, followed by a full Chrome update a day later. Tor agreed to embargo the news until patches had been issued.

Comodo's chief executive Melih Abdulhayoglu told V3.co.uk that he believed the attack came from the Iranian government.

"Our security was good in that we picked up the attack and shut it down quickly, but we should have covered this threat model," he said. "We didn't, however, model for attack from a foreign government."

Abdulhayoglu identified three clues to the attacker's origin. Firstly, the choice of targets was not financial companies but core internet infrastructure sites.

Secondly, in order for the certificates to be of any use, access to the domain name system infrastructure would have been required.

Finally, the attack itself did not bear the hallmarks of criminal attacks the company had experience with in the past. It was very well orchestrated and "too clean", according to Abdulhayoglu.

"You can't be 100 per cent certain," he said. "But if it looks like a duck, and quacks like a duck, then it probably is a duck."
