Networking

10:09 AM
Connect Directly
RSS
E-Mail
50%
50%

GlobalSign Puts Holds On New Certificates Pending Security Investigation

After boasts by the Comodo hacker that he'd compromised GlobalSign, the certificate authority (CA) on Tuesday announced that it would temporarily cease issuing any new certificates.

After boasts by the Comodo hacker that he'd compromised GlobalSign, the certificate authority (CA) on Tuesday announced that it would temporarily cease issuing any new certificates.

"GlobalSign takes this claim very seriously and is currently investigating," according to a statement released by the company, which is the fifth-largest CA. "As a responsible CA, we have decided to temporarily cease issuance of all Certificates until the investigation is complete. We will post updates as frequently as possible."

Security experts praised the company's move. "It's possible the accusations are simply from an anonymous raving lunatic. Yet they could be true, and rather than put the greater Internet community at risk, GlobalSign is forgoing some revenue out of an abundance of caution," said Chester Wisniewski, a senior security adviser at Sophos Canada, in a blog post.

GlobalSign's actions were triggered by boasts posted to Pastebin on Monday by "Comodohacker," saying that he'd exploited not only Dutch certificate authority DigiNotar, but also four more certificate authorities, including GlobalSign.

On Tuesday, another post from Comodohacker noted that his attack against the StartCom Certification Authority, based in Israel, had been blocked by the company, even though he'd gained access to a hardware security module (HSM). "I already connected to their HSM, got access to their HSM, sent my request, but lucky Eddy (CEO) was sitting behind HSM and was doing manual verification."

Commenting on the matter in a post to Twitter, StartCom's COO and CTO, Eddy Nigg, said, "Security should always be designed on the assumption that a breach will occur."

Security at DigiNotar, which was bought by Chicago-based Vasco in 2010, apparently wasn't as robust. According to a report from Fox-IT--which was commissioned by the Dutch government to investigate the exploit of DigiNotar--the first known-bad certificate, for Google.com, was created by attackers on July 10, 2011. Between July 19 and July 29, DigiNotar began discovering bad certificates during routine security operations, and blocking them.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Slideshows
Cartoon
Audio Interviews
Archived Audio Interviews
Jeremy Schulman, founder of Schprockits, a network automation startup operating in stealth mode, joins us to explore whether networking professionals all need to learn programming in order to remain employed.
White Papers
Register for Network Computing Newsletters
Current Issue
2014 Private Cloud Survey
2014 Private Cloud Survey
Respondents are on a roll: 53% brought their private clouds from concept to production in less than one year, and 60% ­extend their clouds across multiple datacenters. But expertise is scarce, with 51% saying acquiring skilled employees is a roadblock.
Video
Twitter Feed