All the latest UK technology news, reviews and analysis
|
|
|
31 Mar 2011
The SSL security hacking attack revealed last week may have been worse than first thought, after Comodo said that two more associate companies were hit.
Comodo chief technical officer Robin Alden said in a posting on mozilla.dev.security.policy that two more of the company's associate sites had been hacked in similar attacks to the original.
In these cases no fake certificates were issued before the attacks were detected and shut down.
In the wake of the attacks Comodo is beefing up its security to deal with new threats against the SSL infrastructure, he said.
"We are implementing IP address restriction and hardware-based two-factor authentication," wrote Alden.
"The rollout of two-factor tokens is in progress but will take another couple of weeks to complete. Until that process is complete Comodo will review 100 per cent of all validation work before issuing any certificate."
The company originally blamed the attack on the Iranian government but someone claiming to be a private individual has said that he was responsible and has posted code in an attempt to prove it.
While the effects of the break-in have been limited owing to fast action by browser manufacturers and others, the case has raised serious questions about the state of security for SSL issuing bodies.
"What we are seeing here is a further example of a fundamental problem with SSL," Peter Eckersley, senior staff technologist for the Electronic Frontier Foundation (EFF), told V3.co.uk. "There are just too many points of failure in the system."
Eckersley explained that research by the EFF had shown that there are 1,500 certification systems controlled by 650 different organisations. Trying to defend one organisation is hard enough, he said, but doing the same for 650 is a recipe for disaster.
The EFF is working on a browser plug-in that checks SSL certification of sites against a database run by the Tor Project. While not perfect, it would provide a real measure of protection against such attacks. The final code should be released this year.
Latest stories from Security
Related articles
Related jobs
Poll
Are you confident that the UK's IT infrastructure is secure from attack in the wake of the Flame malware revelations?
V3 examines the key strengths and weaknesses of Samsung's latest iPhone killer
Connect with V3.co.uk
Social networking is almost ubiquitous. This white paper examines the benefits and risks and it looks at the different ways companies can reconcile them
The importance of understanding your infrastructure
Helpdesk / Desktop Support Analyst (Windows 7, MAC, Windows...
Infrastructure / Server Support Analyst - 3rd Line, Windows...
Credit Risk Modeller, SAS, London, £50,000 Title- Credit...
My London client is looking for an experienced Programme...
Keep up to date with the latest products, services and technologies from the world's leading IT companies. IThound.com brings you over 2,000 white papers, case studies and analyst reports.
Do you agree?
You Just Can't Trust a Comodo Cert...Period
I am going to remove the comodo Root CA and any Intermediate Comodo CAs and place them in Non-Trusted CAs. It is clearly the only means of protection.
Posted by: Fred Dunn 31 Mar 2011