As the fallout from the Comodo security breach continues to widen, Comodo has now reported that two more registration authorities (RAs) have since been compromised and their RA privileges consequently withdrawn; however, no fraudulent certificates have been issued.
Robin Alden, CTO for Comodo, revealed details of the further breaches while responding to questions on mozilla.dev.security.policy. In the same reply he pointed out that Comodo’s “CA systems have not been compromised” and that Comodo’s “HSMs and key material have not been compromised.”
The Comodo hacker himself is also being more talkative. He has given Errata Security the private key he used to fraudulently issue SSL certificates for existing domains like mail.google.com and addons.mozilla.org. The private key has been verified and declared valid. Errata Security have also exchanged emails with the hacker, in which he confirms that he worked alone and does not work for the Iranian government:
“I don’t have any relation with Basij or gov. I don’t say that all hackers are connected to CIA, I just say to people who I really think they are, see: http://cryptome.org/0003/tor-spy.htm”