To prove responsibility for the recent security breach at a Comodo affiliate Registration Authority, the “Comodo Hacker” has uploaded the private key for one of the fraudulently obtained SSL certificates.

Netcraft has verified that the private key does correspond to the fraudulently issued SSL certificate for addons.mozilla.org. Only Comodo, the affiliate, or the hacker could have known this secret key.

As the uploaded private key does not require a passphrase, it can readily be used by other attackers. Certificate revocation mechanisms have come under recent criticism for not working effectively, so the publication of the private key introduces a widespread risk of man-in-the-middle attacks against Mozilla Add-ons users.

To get around the revocation problems, most web browser software has been updated to explicitly blacklist the bogus certificates. Users can therefore protect themselves by upgrading to the latest versions.