Certificate Authority GlobalSign Restores SSL Certifications Following Investigation
8:28 PM EST Mon. Sep. 12, 2011
GlobalSign, a U.K.-based certificate authority (CA), is up and running again after investigating a claim by an Iranian hacker that its SSL certificates had been compromised, following a massive attack against another CA, DigiNotar.
GlobalSign suspended sales of its SSL certificates after ComodoHacker, the hacker who compromised DigiNotar in June, claimed last week to have compromised four other CAs, including GlobalSign.
CAs such as DigiNotar and GlobalSign issue digitally signed certificates for Web sites, providing the trusted credential that browsers use to authenticate online property protected by Secure Sockets Layer, or SSL.
“We thank everyone again for your continued support during the reactivation process,” GlobalSign said in a company blog post. “We will be bringing system components back on line on Monday during a sequenced startup, but we do not foresee that customers will be able to process orders until Tuesday morning. We sincerely apologise for the extra delay. More updates will follow if the situation changes.”
In addition, GlobalSign enlisted third-party auditor Fox-IT, the consulting firm commissioned by the Dutch government to investigate the DigiNotar hack, to conduct a thorough vulnerability assessment and investigation of its security and network infrastructure.
While it did not appear that ComodoHacker had successfully compromised GlobalSign’s SSL certificates, the audit did reveal an isolated breach of the Web server hosting its www web site.
“Today we found evidence of a breach to the web server hosting the www website. The breached web server has always been isolated from all other infrastructure and is used only to serve the www.globalsign.com website,” GlobalSign said in a blog post. “At present there is no further evidence of breach other than the isolated www web server. As an additional precaution, we continue to monitor all activity to all services closely. The investigation and high threat approach to returning services to normal continues.”
GlobalSign added that it was sharing all forensic information stemming from the breach with authorities.
GlobalSign’s alarm was not entirely unfounded: a hacker claiming to be the 21-year-old Iranian man responsible for the SSL attacks against DigiNotar and against Comodo resellers in March also claimed to have perpetrated new attacks against four other CAs.
“I have around 300 code signing certificates and a lot of SSL certs with again code signing permission, look at Google's cert, I have code signing privilege! You see? I owned an entire computer network of DigiNotar with 5-6 layer inside which have no ANY connection to internet,” ComodoHacker said in a pastebin.com blog post. “I still have access to 4 more CAs, I just named one and I re-name it: GlobalSign, StartCom was lucky enough, I already connected to their HSM, got access to their HSM, sent my request, but lucky Eddy (CEO) was sitting behind HSM and was doing manual verification.”
The threat against GlobalSign followed a few weeks after Dutch CA DigiNotar suffered a massive SSL hack in June, affecting numerous high-profile customers including Google, Microsoft and Mozilla.
DigiNotar customers Google and Mozilla set about blacklisting the bogus DigiNotar certificates, while Microsoft deemed all DigiNotar certificates untrustworthy, moving them to the “Untrusted Certificate Store.”
Fox-IT Report Found 300,000 Iranian Gmail Customers Compromised In SSL Hack
Meanwhile, an interim report by security auditor Fox-IT later revealed that numerous DigiNotar servers had been compromised by hackers originating from Iran between June 17 and July 22, resulting in more than 530 compromised domains.
In addition, the Fox-IT report revealed that Google web mail had been compromised for more than 300,000 Iranian customers. The report identified 300,000 unique IP requests to the phony Google.com domain, 99 percent of them originating from Iran, suggesting that the hacks were intentionally executed to intercept and spy on the Web communication of Iranian citizens.
The attackers who hacked DigiNotar’s SSL certificates were then able to impersonate the compromised domains, intercepting all content users entered in order to execute spoofing and man-in-the-middle attacks.
Security experts contend that the fallout from the DigiNotar, Comodo and other SSL hacks could compel organizations to become more cautious and limit the number of CAs they deem trustworthy.
Terence Spies, chief technology officer and data protection expert at Voltage Security, said that the DigiNotar hack could likely encourage vendors to be more discerning and implement more stringent requirements for their partnering CAs.
Spies said that the problem didn’t fundamentally reside with the SSL technology itself, but with the fact that “all those certificates could be signed by any number of authorities.” “The main technical fallout of this has been a lot of soul searching and looking for solutions to the problem,” Spies said. “How do we reduce the size of that trust store?”
In the wake of Fox-IT’s report, Google warned Iranian Gmail customers in a blog post last week to take a myriad of precautions to protect themselves from possible compromise or attack as a result of the bogus SSL certificates. Among other things, Google advised Iranian users to change their account passwords, check which web sites and applications were allowed to access their Google accounts, and check Gmail settings for suspicious forwarding addresses or delegated accounts.
“While Google’s internal systems were not compromised, we are directly contacting possibly affected users and providing similar information below because our top priority is to protect the privacy and security of our users,” said Eric Grosse, vice president of security engineering, in a Google blog post.
Subsequently, Spies said that it would be incumbent upon vendors to partner with trusted SSL CAs, reputed to have passed security audits and implemented security mechanisms, which were more likely to be resistant to state-sponsored attacks and social engineering.
“The other thing is that people are now wondering how do you undersign security systems designed to resist malicious actions by state actors?” Spies said. “You can’t build a system that’s going to be completely resilient. You’re going to have to start more actively looking at who are the people you trust.”