adimas - Fotolia
GlobalSign has suspended issuing authentication certificates for websites after the DigiNotar hacker claimed to have breached its systems.
This comes a week after news broke that Dutch certificate authority (CA) DigiNotar had been hit in July, resulting in more than 500 fraudulent digital certificates being issued.
Because digital certificates are used to verify the identity of a person or device, authenticate a service or encrypt files, a fraudulent certificate may be used to spoof web content, perform phishing attacks or perform man-in-the-middle attacks.
In a submission to text posting site Pastebin.com, a hacker who claimed to be responsible for the hacking of the Comodo certificate authority in March also claimed to have breached DigiNotar and four other CAs.
Only GlobalSign was identified. It responded immediately by halting the issuing of all certificates until the claim is investigated.
Researchers at security firm Trend Micro identified a large number of compromised DigiNotar certificates being issued to Iran.
This led to speculation that Iranian authorities were behind the certificate authority hack as a way of spying on dissidents, but the hacker denied such connections.
“I’m single person, do not AGAIN try to make an ARMY out of me in Iran. If someone in Iran used certs I have generated, I’m not one who should explain,” the hacker said in the Pastebin posting.
However, the hacker suggested the DigiNotar attack was in retaliation against the Dutch government for failing to intervene in the massacre of Muslims in Srebrenica during the Bosnian War.
GlobalSign praised for quick response
While DigiNotar has been criticised for keeping the breach of its systems secret for more than six weeks, security experts have praised GlobalSign for its swift response to the hacker’s claims.
Chester Wisniewski, a senior security advisor at Sophos, Canada, described GlobalSign’s move as “great news” and said the response was interesting as the hacker’s claims are still unverified.
“It is making a tough choice – that is what we should expect from organisations whose business models rely on trust. It’s possible the accusations are simply from an anonymous raving lunatic. Yet they could be true, and rather than put the greater internet community at risk, GlobalSign is forgoing some revenue out of an abundance of caution,” Wisniewski said in a blog post.
The industry and other certificate authorities will now need to ask some difficult questions, said Rik Ferguson, director of security and research at security firm Trend Micro.
“When a relatively small group of organisations is trusted with assuring the identity of the rest of the web, an incident of this nature seriously undermines both public and professional confidence in the viability of the current system,” he said.
Ferguson said there should be regulatory standards for an industry of this level of importance. “In the same way that organisations which handle credit cards are required to conform to payment card industry [PCI] standards, CAs should also conform to an audited minimum level of security. This would have eliminated many, hopefully all, of the failures found at DigiNotar,” he said.