Q&A: GlobalSign’s Steve Waite on its SSL Certificate Security Breach Incident

In a message on his Pastebin account, Comodohacker claimed he had access to GlobalSign

(WEB HOST INDUSTRY REVIEW) — About 24 hours after a hacker claimed to have access to its system, GlobalSign temporarily stopped issuing certificates on September 6, 2011. GlobalSign wasted no time investigating the claims, and with help from external security investigation firm Fox-IT, recently released an incident report that showed no evidence that rogue certificates were issued or customer data exposed during the incident.

GlobalSign’s decision to stop issuing certificates for nearly two weeks while it underwent an investigation reassured customers that their information would be protected, and others in the security industry praised GlobalSign for making such a bold move in order to minimize risk.

In the report, GlobalSign determined that a peripheral web server, separate from the certificate issuance infrastructure, that was hosting a public-facing web property was breached. It revoked the SSL certificate and key for www.globalsign.com, as they were breached as well. (The full report is available here.)

In an email Q&A with the WHIR, chief executive officer for GlobalSign, Steve Waite, talked about GlobalSign’s decision to disrupt its service during the investigation, as well as the SSL certificate security issues exposed through the incident.

WHIR: While browsers were quick to disable trust in the rogue certificates, it seemed that certificate authorities were hesitant to do what GlobalSign did by temporarily ceasing certificate issuance altogether. Why do you think this is? Can you tell me a bit about how GlobalSign came to this decision?

Steve Waite: In the case of the mis-issued certificates from Comodo and DigiNotar, the browser community rightly took action quickly to prevent (or cease the use of) the rogue certificates in man-in-the-middle attacks. In the case of GlobalSign, where ultimately no rogue certificates were found, we had to take the claims of the attacker seriously. All public CAs have a duty to the Internet society to act responsibly. We deemed it most appropriate to halt issuance of new certificates until the claims had been sufficiently investigated.

In making the decision to halt issuance, we of course understood there would be an impact to customers and partners, and remain extremely apologetic for any disruption faced during the outage. However, we stand by our decision that pre-emptively halting issuance of new certificates remained in the best interests of all Internet users, and appropriate based on the previous successes of the attacker. May I take the opportunity to say on behalf of everyone at GlobalSign that we all thoroughly appreciated the support and patience of our partners, customers and others throughout the industry.

WHIR: GlobalSign worked with Fox-IT in the investigation, the same firm that was contracted to investigate DigiNotar by the Dutch government. The report says that Fox-IT will continue to work with GlobalSign as a security consultant. Do you think this ongoing relationship will help create a more secure system and perhaps more transparency to customers?

SW: By appointing Fox-IT immediately, we were able to accelerate the investigation into the attacker’s claims. At that specific time, no other organization had the level of experience with this particular attacker.

We have been as transparent as possible throughout the entire incident. We will maintain the transparency as we believe it is essential for all parties to understand how CAs should respond to threats. Fox-IT has significant experience against this type of attack and in particular this attacker, so we are happy with our close ongoing relationship with the company as the contracting party to constantly maintain/update GlobalSign’s Intrusion Detection Systems.

WHIR: What kind of issues do you think this incident has brought to light around the security of certificate authorities?

SW: Over the years tens of millions of SSL certificates and other digital certificate types have been issued and have provided the privacy and security of countless transactions. But like many infrastructure-related services, one failure is one too many. If the attacks of 2011 have shown anything, they have shown that the major CAs have reacted positively to the need for transparency and improved security requirements. The CAB Forum recently approved new SSL issuance Baseline Requirements, and in addition to this, revised the WebTrust 2.0 guidelines, which have been available since July 2011. Such guidelines are now far more granular in terms of the requirements for how CAs are adequately protecting infrastructure and issuance environments, both directly and indirectly through registration authority partners.

WHIR: After going through this investigation process, what kind of insight can GlobalSign offer to other certificate authorities?

SW: Insight is already being shared – there are unprecedented levels of collaboration between CAs, both in the sharing of threat data and in the efforts made to agree on industry standards surrounding issuance of certificates. We believe our high-profile decision to accept business impact by halting issuance set the lead across the industry; all CAs acknowledge our collective responsibility in maintaining a safe environment for Internet users.

WHIR: Many have called the certificate issuing system “broken”. How do you respond to this criticism?

SW: The certificate issuing system is not broken, but it has faced new threats and flaws that all CAs must acknowledge and react to. The importance remains on understanding what went wrong recently and moving forward together as an industry, including CAs, browser vendors, and any other application relying on the public trust of certificates, to ensure the security and trust of Internet transactions and communication is maintained.

Nicole Henderson

About

Nicole Henderson writes full-time for the Web Host Industry Review where she covers daily news and features online, as well as in print. She has a bachelor of journalism from Ryerson University in Toronto, and has been writing for the WHIR since September 2010. You can find her on Twitter @NicoleHenderson.
