His story is that he was able to compromise Comodo's partners, GlobalTrust.it and InstantSSL.it. Both sites are currently "under construction."
On that point I would have to agree with him, as attacking the RSA algorithm seems like a much more difficult challenge, but the text of his "manifesto" is so full of boasting that it is difficult to even read.
While Iranian, he claims to have no relationship with the "Iranian Cyber Army" and insists that he is simply a hacker with about 1000 times the knowledge and experience of everyone else...
Upon disassembling this DLL, he discovered a clear-text username and password used as part of the CSR submission process, which allowed him to send any CSR he wanted to be signed by Comodo and get the signed certificate immediately.
At first it was not clear whether this guy was the real attacker, and of course it is impossible to know. What he did next was publish some of the TrustDLL.dll source code on Pastebin, including the authentication parts that store the unencrypted password.
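A pre-release check for this class of flaw, as an added example that is not part of the original article: it extracts ASCII and UTF-16LE strings from a build artifact and flags credential-like labels together with the string that follows them. The keyword list, function names and sample bytes are constructed for illustration; `strings(1)` reads only ASCII by default and would miss the UTF-16LE pair.

```python
import re

# Labels that usually sit next to a credential; a heuristic, tune per code base.
KEYWORDS = re.compile(r"(?i)passw(or)?d|pwd|login|user(name)?|secret|api[_-]?key")
MIN_LEN = 4  # same minimum run length strings(1) uses by default

def extract_strings(data: bytes):
    """Yield (offset, encoding, text) for printable ASCII and UTF-16LE runs."""
    patterns = (
        ("ascii", "ascii", rb"[\x20-\x7e]{%d,}" % MIN_LEN),
        ("utf-16le", "utf-16-le", rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN),
    )
    for label, codec, pattern in patterns:
        for m in re.finditer(pattern, data):
            yield m.start(), label, m.group().decode(codec)

def find_credential_candidates(data: bytes):
    """Return [(offset, encoding, label_string, following_string)] for review."""
    found = sorted(extract_strings(data))
    hits = []
    for i, (offset, enc, text) in enumerate(found):
        if KEYWORDS.search(text):
            # A literal value often sits right after its label in a string table.
            following = found[i + 1][2] if i + 1 < len(found) else ""
            hits.append((offset, enc, text, following))
    return hits

# Constructed sample standing in for a compiled client library (not real data).
SAMPLE = (
    b"MZ\x90\x00\x03\x00" + b"\x00" * 8
    + "loginPassword".encode("utf-16-le") + b"\x00\x01"
    + "EXAMPLE-PLACEHOLDER-VALUE".encode("utf-16-le") + b"\x00\x01"
    + b"\x00\x00https://reseller.example.invalid/submit-csr\x00"
    + b"user=EXAMPLE_USER&pwd=EXAMPLE_PASS\x00"
)

if __name__ == "__main__":
    for offset, enc, label, following in find_credential_candidates(SAMPLE):
        print(f"0x{offset:04x} [{enc}] {label!r} -> next string: {following!r}")
```

Every hit is a candidate for manual review, not proof of a secret; a clean result does not rule out credentials that are obfuscated or assembled at run time.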
Once again we return to insecure passwords and password management techniques. Fortunately, the impact of this incident is very small and can be a wake-up call for the certificate industry as a whole.
As Mozilla pointed out in a blog post, signing certificates directly with the root certificate, as Comodo has been doing, is really a bad practice.
The only mystery that remains is this: If it's a lone hacker making his point, why issue certificates for these specific websites, all of them related to the secure methods of communication often used by dissidents to organize protests and share news with the world? His ramblings no doubt show his support for Mahmoud Ahmadinejad and the current Iranian regime, but there are no conclusive ties to his government.
Translation: Raul Batista - Segu-Info
Author: Chester Wisniewski
Source: Sophos Blog - Naked Security

