GlobalSign, a U.K.-based certificate authority (CA), is up and running after investigating a claim by an Iranian hacker that its SSL certificates had been compromised following a massive attack against another CA, DigiNotar.
GlobalSign suspended sales of its SSL certificates after ComodoHacker, the hacker who compromised DigiNotar in June, claimed last week to have compromised four other CAs, including GlobalSign.
CAs such as DigiNotar and GlobalSign digitally sign Web pages, thereby providing a trusted symbol authenticating online property protected by Secure Sockets Layer, or SSL.
“We thank everyone again for your continued support during the reactivation process,” GlobalSign said in a company blog post. “We will be bringing system components back on line on Monday during a sequenced startup, but we do not foresee that customers will be able to process orders until Tuesday morning. We sincerely apologise for the extra delay. More updates will follow if the situation changes.”
GlobalSign also enlisted third-party auditor Fox-IT, the consulting firm commissioned by the Dutch government for the DigiNotar hack, to conduct a thorough vulnerability assessment and investigation of its security and network infrastructure.
While it did not appear that ComodoHacker successfully compromised GlobalSign’s SSL certificates, the audit did reveal an isolated breach against its Web server affecting its internal web site.
“Today we found evidence of a breach to the web server hosting the www website. The breached web server has always been isolated from all other infrastructure and is used only to serve the www.globalsign.com website,” GlobalSign said in a blog post. “At present there is no further evidence of breach other than the isolated www web server. As an additional precaution, we continue to monitor all activity to all services closely. The investigation and high threat approach to returning services to normal continues.”
GlobalSign added that it was sharing all forensic information stemming from the breach with authorities.
GlobalSign’s alarm was not entirely unfounded: a hacker claiming to be a 21-year-old Iranian man responsible for SSL attacks against DigiNotar and CA Comodo resellers in March also claimed he had perpetrated new attacks against four other CAs.
“I have around 300 code signing certificates and a lot of SSL certs with again code signing permission, look at Google's cert, I have code signing privilege! You see? I owned an entire computer network of DigiNotar with 5-6 layer inside which have no ANY connection to internet,” ComodoHacker said in a pastebin.com blog post. “I still have access to 4 more CAs, I just named one and I re-name it: GlobalSign, StartCom was lucky enough, I already connected to their HSM, got access to their HSM, sent my request, but lucky Eddy (CEO) was sitting behind HSM and was doing manual verification.”
The threat against GlobalSign followed a few weeks after Dutch CA DigiNotar suffered a massive SSL hack in June, affecting numerous high-profile customers including Google, Microsoft and Mozilla.
DigiNotar customers Google and Mozilla set about blacklisting the bogus DigiNotar certificates, while Microsoft deemed all DigiNotar certificates untrustworthy, underscored by migrating them to the “Untrusted Certificate Store.”