GlobalSign Web Server Hacked, But Not CA
Trailrunner7 writes "GlobalSign has found evidence that its main Web server was compromised recently, but has not discovered any indications that its certificate authority infrastructure was hacked, contrary to claims by the attacker responsible for the DigiNotar CA hack."
Correction: (Score:1)
by the _self-claimed_ attacker _supposedly_ responsible for the DigiNotar CA hack
What Style! What Panache! (Score:1)
Well then. He certainly sounds like an arrogant prick.
Hint: Not GlobalSign (Score:2)
Re: (Score:2)
If his intent is to cause damage by spreading panic, then it's quite reasonable for him to wait for some time - let folk scramble to fix the problem with DigiNotar first, then he can drop the next bomb on them.
Both have good reasons to lie (Score:4, Interesting)
The hacker who wants some credibility.
The company who might get their certificates revoked.
Seriously, how hard would you look for the security breach that would destroy the entire company (it appears to be their only product)? You can go back later and say you found the breach.
There is far too much money at stake to trust the company.
Re: (Score:2)
- aaaaah, what are you going to do?
Burn more karma, apparently.
Re: (Score:1)
Well, that's pretty stupid moderation.
They found a compromise... (Score:4, Informative)
The CA/PKI might not have been invaded yet. A compromise of a website can lead to an intruder gaining further access, however.
Suffice it to say... access to a webserver is a foothold that an intruder can attempt to leverage to gain further access, depending on how robust the further lines of defense are and on whether any security mistakes were made (such as webservers allowed through firewalls to some internal hosts, or credentials the intruder can capture that lead to access to systems closer to back-office or CA functions).
Even a compromise that doesn't result in immediate PKI access may lead to that, through additional successive breaches and successive social engineering... also known as "Advanced Persistent Threat" (to use the latest lingo for referring to the situation).
Re: (Score:1)
Ummm... You're assuming the website is connected, logically or physically, to their CA infrastructure. Fundamentally what you're saying is true, but so is "someone broke into a car in their parking lot, so they may be able to issue their own certs." You're making assumptions about their web infrastructure, what was broken into, and what "break into" means.
Re: (Score:2)
It's reasonable to assume the website is logically connected. CAs generally execute their transactions through the website. Especially for domain validated certs, usually the process of issuing a certificate is entirely automatic -- the customer logs in through the website, requests a certificate either by filling out a form or sending in a CSR. If they fill in a form and the CA generates their private key, the person who compromised the website might be able to steal the customer's private key, w
[citation needed] Re:They found a compromise... (Score:2)
Some CAs will offer to generate a key pair for you, so you don't have to create a CSR - they send you a private key and a certificate. It is not how X.509 is supposed to work, but....
Interesting; but without a specific list of what you mean by "some CAs" not very useful. Does anyone have a list?
Re: (Score:2)
StartSSL does this, and I recall seeing that feature on a couple of other CAs too; it makes things easier for the random customer, as they can just purchase the certificate without hassle with their own IT department. Not that good an idea for security, though.
Re: (Score:2)
If I had to guess, I'd say the front end probably places the incoming CSRs somewhere the actual CA infrastructure can get them - possibly a common database in a DMZ - but there'd never be any direct communication between the two; they always go via the passive intermediary.
Re: (Score:2)
Just an example: it can be used to get the cookies/login information from all the customers.
Realistically (Score:3)
Any other way of looking at it is stupidity of the highest order
Not CA (Score:2)
..., But Not CA
For some reason my mind actually read that as "..., But No Cigar". Good Job.
Re: (Score:1)
..., But Not CA
For some reason my mind actually read that as "..., But No Cigar". Good Job.
I read it as, "..., but not California". SMILE
Re: (Score:1)
And that's meaningless. When you submit a certificate signing request to a CA you are sending the public key of the certificate you want validated. The CA performs their checks, then signs that public key and sends it back to you, where you pair it with your private key that has never left your possession and you have a full certificate.
So copying the certificates wouldn't be a problem; heck, that part of the certificate is viewable to any browser.
Re: (Score:2)
Or you could just go to the web sites in question and they will just give you the public keys without needing any hacking!
More importantly, if you have compromised the web server, then you can upload your own CSR for any of their customers' domains and get a signed certificate back...
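The CSR flow described two comments up, and the rogue-CSR scenario in the comment just above, as an added example that is not part of the thread and not GlobalSign's code: a throwaway CA in a temp directory signs a legitimate customer's CSR and then an attacker's CSR for the same name. It shows that the CSR file carries no private key, that both certificates chain to the CA (which is all a browser checks), and the one check a server operator can run to tell the rogue certificate apart: its public key does not match the key the operator holds. The names (example.com, "Toy CA", the files under $WORK) are made up, and the only assumption is an openssl binary (1.1 or 3.x) on PATH.

```shell
#!/bin/sh
# Added example, not from the thread: the CSR flow run end to end against a
# throwaway CA with the openssl CLI. All names (example.com, "Toy CA", the
# files in $WORK) are made up; assumes an openssl binary (1.1 or 3.x) on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Customer side: generate a key pair and a CSR. The private key stays in $1;
# the CSR ($2) carries only the public key, the subject ($3) and a self-signature.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1" -out "$2" \
    -subj "/CN=$3" 2>/dev/null
}

# True when the PEM file holds no private-key block at all.
no_private_key_in() {
  ! grep -q 'PRIVATE KEY' "$1"
}

# CA side, standing in for the signing back end: a self-signed root ...
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.crt" -subj '/CN=Toy CA' -days 1 2>/dev/null
}

# ... that signs whatever CSR the front end hands it, no questions asked.
sign_csr() {
  openssl x509 -req -in "$1" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$2" 2>/dev/null
}

# SHA-256 of the DER-encoded public key, taken from a private key file ...
pubkey_fp_from_key() {
  openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}
# ... or from a certificate.
pubkey_fp_from_cert() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# The check a server operator wants: does this certificate belong to MY key?
cert_matches_key() {
  [ "$(pubkey_fp_from_cert "$1")" = "$(pubkey_fp_from_key "$2")" ]
}

# Chain validation alone, which is all a browser does.
chain_ok() {
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

run_demo() {
  make_ca
  # Legitimate customer: key never leaves the box, only the CSR goes to the CA.
  make_csr "$WORK/legit.key" "$WORK/legit.csr" example.com
  sign_csr "$WORK/legit.csr" "$WORK/legit.crt"
  # Attacker on the compromised front end: own key, same subject name.
  make_csr "$WORK/rogue.key" "$WORK/rogue.csr" example.com
  sign_csr "$WORK/rogue.csr" "$WORK/rogue.crt"

  printf 'legit CSR contains a private key: %s\n' \
    "$(no_private_key_in "$WORK/legit.csr" && echo no || echo yes)"
  printf 'legit cert chains to CA: %s\n' \
    "$(chain_ok "$WORK/legit.crt" && echo yes || echo no)"
  printf 'rogue cert chains to CA: %s\n' \
    "$(chain_ok "$WORK/rogue.crt" && echo yes || echo no)"
  printf 'legit cert matches server key: %s\n' \
    "$(cert_matches_key "$WORK/legit.crt" "$WORK/legit.key" && echo yes || echo no)"
  printf 'rogue cert matches server key: %s\n' \
    "$(cert_matches_key "$WORK/rogue.crt" "$WORK/legit.key" && echo yes || echo no)"
}

run_demo
```

The public-key fingerprint comparison is the same check an operator can run against a certificate found in Certificate Transparency logs or on the wire: if it chains fine but its key is not yours, it was issued to someone else's CSR. Note that when a CA generates the key pair for the customer, as the StartSSL comment above describes, this check tells you nothing, because the CA held the private key from the start.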
Oh, they did their own audit (Score:2)
I mean, it's not like they stand to lose their entire business if they were compromised or anything. I'm sure they can be trusted.