The FBI is investigating how a hacker tricked a New Jersey company into issuing fraudulent digital certificates for Google, Yahoo, Microsoft, and other major Web sites, the firm's chief executive said today.
Comodo CEO Melih Abdulhayoglu told CNET this afternoon that "it is an ongoing investigation" that has drawn in both the FBI and Italian law enforcement.
Abdulhayoglu confirmed that a reseller in Italy called GlobalTrust had its network compromised by a hacker traced to Iran. That person, or multiple people, obtained fake digital certificates for nine Web sites that also included Skype and Mozilla. Those certificates, which have since been revoked, allowed someone to impersonate the secure versions of those Web sites--the ones that are used when encrypted connections are enabled.
"We're letting the government agencies handle the issue and figure out what exactly has happened here," Abdulhayoglu said.
The FBI did not immediately respond to a request for comment.
An unknown person using the alias "ComodoHacker" and "ichsunx" has posted proof, in the form of an encryption key, that he (or she, or they) were responsible for the intrusions or in contact with whoever was. ComodoHacker claims to be a pro-regime cryptanalyst in Iran, arguing that the country should be free to pursue its "nuclear program, as it's simple right [sic] of each nation."
Comodo's revelation last week highlights the flaws in the current method of trusting certificate authorities.
At the moment, there is no automated process to revoke fraudulent certificates. There is no public list of certificates that companies like Comodo have issued, or even which of its resellers or partners have been given a duplicate set of the master keys. There are no mechanisms to prevent fraudulent certificates for Yahoo Mail or Gmail from being issued by compromised companies, or repressive regimes bent on surveillance; Tunisia even has its own certificate-issuing government agency trusted by Internet Explorer.
CNET reporter Elinor Mills contributed to this report.