"GlobalSign takes this claim very seriously and is currently investigating," according to a statement released by the company, which is the fifth-largest CA. "As a responsible CA, we have decided to temporarily cease issuance of all Certificates until the investigation is complete. We will post updates as frequently as possible."
Security experts praised the company's move. "It's possible the accusations are simply from an anonymous raving lunatic. Yet they could be true, and rather than put the greater Internet community at risk, GlobalSign is forgoing some revenue out of an abundance of caution," said Chester Wisniewski, a senior security adviser at Sophos Canada, in a blog post.
GlobalSign's actions were triggered by boasts posted to Pastebin on Monday by "Comodohacker," saying that he'd exploited not only Dutch certificate authority DigiNotar, but also four more certificate authorities, including GlobalSign.
On Tuesday, another post from Comodohacker noted that his attack against the StartCom Certification Authority, based in Israel, had been blocked by the company, even though he'd gained access to a hardware security module (HSM). "I already connected to their HSM, got access to their HSM, sent my request, but lucky Eddy (CEO) was sitting behind HSM and was doing manual verification."
Commenting on the matter in a post to Twitter, StartCom's COO and CTO, Eddy Nigg, said, "Security should always be designed on the assumption that a breach will occur."
Security at DigiNotar, which was bought by Chicago-based Vasco in 2010, apparently wasn't as robust. According to a report from Fox-IT--which was commissioned by the Dutch government to investigate the exploit of DigiNotar--the first known-bad certificate, for Google.com, was created by attackers on July 10, 2011. Between July 19 and July 29, DigiNotar began discovering bad certificates during routine security operations, and blocking them.