The hack that resulted in Comodo creating certificates for popular e-mail providers including Google Gmail, Yahoo Mail, and Microsoft Hotmail has been claimed as the work of an independent Iranian patriot. A post made to data sharing site pastebin.com by a person going by the handle “comodohacker” claimed responsibility for the hack and described details of the attack. A second post provided source code, apparently reverse-engineered from one of the components used in the attack.
Whether the postings are authentic and accurate is, at present at least, a matter of conjecture. The post specifies a number of details that appear authentic. The writer fingers Italian Registration Authority GlobalTrust.it/InstantSSL.it (the same company operating under multiple names) as the weak link. A Registration Authority (RA) is essentially a local reseller for a Certification Authority (CA); in principle, the RA performs the validation of identity that would be too difficult or expensive for the root CA to do, and then sends a request to the root CA to generate an appropriate certificate. Comodo’s systems trust that the RA has done its job appropriately, and issue the certificate. This is consistent with Comodo’s statement that it was a Southern European company that was compromised.
In addition to blaming a specific RA, the post includes other details: the username (“gtadmin”) and password (“globaltrust,” proving once again that security companies can pick really bad passwords) used by the RA to submit requests to Comodo’s system, the e-mail address of InstantSSL’s CEO (“[email protected]”), and the names of the databases used by GlobalTrust’s website. In practice, though, only Comodo can verify this information, and the company has no good reason to do so.
The alleged hacker also described some details of the hack itself. He claims to have broken into GlobalTrust’s server and found a DLL, TrustDLL.dll, used by that server to send the requests to Comodo and retrieve the generated certificates. The DLL was written in C#, so decompiling it to produce relatively clear C# was easy; within the DLL the hacker found hard-coded usernames and passwords corresponding to GlobalTrust’s account on Comodo’s system, and another account for the system of another CA, GeoTrust. The source code the hacker posted was part of this DLL, and certainly has the right form for decompiled source code. Again, though, only GlobalTrust could provide absolute confirmation of its authenticity.