GlobalSign Suspends Issuance of SSL Certificates 111

Joining the ranks of accepted submitters, realxmp writes "The BBC is reporting that GlobalSign has stopped issuing certificates because of yet another suspected CA security breach. This was in response to a post on the ComodoHacker pastebin, claiming that this and several other CAs have also been compromised." No word yet on whether they were actually compromised.
  • At some point (Score:4, Insightful)

    by SlippyToad ( 240532 ) on Wednesday September 07, 2011 @11:48AM (#37328020)

    You have to wonder if these people are serious about their craft, or just phoning it in. If they are in the security business, you expect they'd at least make a half-assed attempt at securing THEIR OWN BUSINESS.

    • by h4rr4r ( 612664 )

      Why would they?
      Security costs money, these folks sell the illusion of security so that is what they use for themselves as well. When marketing and MBAs run companies this is what you get.

      • by rednip ( 186217 )

        When unaccountable people run companies this is what you get.

        There, I fixed it for you.

    • There are two possible scenarios. In the first one, you are right and those fellas at GlobalSign are lame. In the other one, they are doing it because of risk mitigation instead of security.

    • Selling security is completely different from providing security. Look at TSA for instance, no security provided, but plenty 'sold'. Same with the CAs, their product is a signed certificate which is recognized by browsers, their product is not the security of their own organization. Sure, if they're hacked they'll lose everything, but MBAs think the chance of that happening is so low that it isn't worth it to implement security.

      We've also seen what the MBAs will do when a hack does occur - try to keep it a
      • Again, the security of the organization is not the product, just the certificate and some security theater

        If my organization mentions buying a certificate from one of these shysters, I'm certainly going to recommend against it.

        They may not think their own security is their product, but frankly the entire integrity of their business rides on it.

        • by h4rr4r ( 612664 )

          But until yesterday you would not have.
          So they will fold this company and do it all over again. That is much cheaper than ever bothering with security.

        • by pe1chl ( 90186 )

          The thing is that it does not matter at all how secure the organization you buy your certificate from is.
          What matters is how secure the least secure of those hundreds of organizations that sell certificates is.
          You can buy your certificate from the most secure one, but someone else can buy or steal it from the least secure organization and it will be trusted just as much.

    • Re:At some point (Score:4, Interesting)

      by HermMunster ( 972336 ) on Wednesday September 07, 2011 @12:30PM (#37328702)

      The Comodo and Diginotar break-ins and theft were traced to Iran. To me, when I read the pastebin post, I felt it was a cover up bit meant to mislead the general public. Any additional hack thereafter, such as GlobalSign, would simply be to cover up their actions.

      I'm not talking about hiding the activity, but to make it seem like Iran wasn't a participant. And, they were. The purpose of those thefts is to act as a man-in-the-middle to fool the Iranian citizens into thinking that they were speaking with these social and search sites as if they were the original. SSL is the foundation of secure communication over the internet. Browsers use those to verify a site is the actual site. Acting as a man in the middle with a seemingly valid certificate can fool your population into believing you are Google, and hence they can read your mail, watch your searches, check out what you say, and even find out where you are. Iran could easily put up a fake Firefox/Google/Microsoft site and then substitute their own browser that still accepts the certificates.

      If GlobalSign is ceasing certificate issuance because of pastebin maybe it is appropriate for now.

      My opinion still stands. That pastebin reference was either some fool confessing to every murder and crime on the planet, or it was Iran spoofing the general world public trying to build doubt, thus making it less likely that there'll be major backlash by the governments of the world.

      Certificate forgery (by stealing them from legit sources) is really bad for the internet. Seriously bad.

      • by plover ( 150551 ) *

        This Certificate forgery isn't all bad (except to the direct victims, who I hope are able to remain safe.) It's a wakeup call if we choose to listen.

        The root CA PKI system has always been a house of cards. It's great for the purpose for which it was designed, which is a single top-down hierarchical organization, but that's not the Internet. We've just stuck with it for so long that we've never bothered with the tremendous amount of work it would take to replace it with something better. This is a gust of

      • The Comodo and Diginotar break-ins and theft were traced to Iran. To me, when I read the pastebin post, I felt it was a cover up bit meant to mislead the general public. Any additional hack thereafter, such as GlobalSign, would simply be to cover up their actions.

        I'm not talking about hiding the activity, but to make it seem like Iran wasn't a participant.

        What on the posted PasteBin messages made you think that it's trying to deflect attention from Iran? It seems like the exact opposite to me, if anything. I mean, the very first message [pastebin.com] from the "ComodoHacker" guy says:

        "Rule#3: Anyone inside Iran with problems, from fake green movement to all MKO members and two faced terrorist, should afraid of me personally. I won't let anyone inside Iran, harm people of Iran, harm my country's Nuclear Scientists, harm my Leader (which nobody can), harm my President, as I

      • The Comodo and Diginotar break-ins and theft were traced to Iran. To me, when I read the pastebin post, I felt it was a cover up bit meant to mislead the general public.

        Actually, to me it seems far more likely that the break-in originated elsewhere, then access was sold to Iran.

    • These people are not in the security business; They are in the confidence business.

      Like Calvin Klein, and psychic hot-lines, the CAs are not selling a product so much as they are selling "peace of mind". They sell a special pen which companies use to fill in that special website check-box next to the word "Secure connections". That's it.

      There is nothing magical about a CA issued cert. The Certification Authorities neither certify connections, nor have the authority to do so. They host public numbers on the

      • Chrome isn't much nicer with self-signed certs, it warns every time... Would be nice to get a warning the first time, have it log the cert, and warn if it changes.
    • Seems more like deflection. Some lone gunman shoots--so to speak.

  • by Baloroth ( 2370816 ) on Wednesday September 07, 2011 @11:50AM (#37328054)

    1. Hack one CA
    2. Post on pastebin claiming to have hacked more
    3. Watch as they scramble in panic
    4. ??????
    5. Profit?

    It seems quite possible that the hacker is just being a total jerk, if they wanted to actually use certs from a company (like they did Diginotar) they wouldn't announce the hack until it was discovered. So most likely they didn't actually pull off the hack.

    Unless 4 is "be a rival CA", in which case you do profit. Or if you hacked a different CA and want people to use that company. Which adds a whole layer of conspiracy possibilities on an already conspiracy-laden hack.

    • Re: (Score:3, Interesting)

      by vlm ( 69642 )

      3. Watch as they scramble in panic

      I think this is not just casual LOL type watching, but scientifically carefully studying the reaction to a semi-credible threat, to figure out how to work around their reaction in a future (real?) event.

      How has the collapse of diginotaurus or whatever affected other CAs response?

    • I can see investigating internally, but if you stop issuing, then it means you either found something really, really bad, or things are such a cluster f--k that you can't tell

  • by dcollins ( 135727 ) on Wednesday September 07, 2011 @11:53AM (#37328096) Homepage

    First time accepted submitter (and Slashdot coder) cogent writes...
    With his first accepted submission, quantr tips news...
    Hitting the mainpage for the first time, Black Sabbath writes...
    Debuting on Slashdot, seezer writes with a piece...
    Joining the ranks of accepted submitters, realxmp writes...

    For god's sake, stop! We care about the news, not the personalities of the posters!

  • by roman_mir ( 125474 ) on Wednesday September 07, 2011 @11:57AM (#37328184) Homepage Journal

    Self Signed Certificates.

    This is what I have been talking about for years and years now. Years and years, and I am on the topic of browsers treating self signed certificates worse than viruses and there are still people disagreeing.

    Come on, browsers need to start treating self signed certificates like they are plain old HTTP, with an icon that can be used to view the fingerprint.

    That would be a GOOD START. Then start distributing lists of sites to fingerprints, maybe even public certificates, have time stamps and have the site operators cross check the fingerprints in those lists. Have an architecture to verify one list against another dynamically. Have verified lists that are hash signed, have hash keys for lists being distributed. I don't know, there could be all sorts of things done, but instead we are still relying on the centralized signing authority that didn't actually earn any trust. I don't trust any CA, why does anybody trust any CA?

    • by DarkOx ( 621550 )

      So you want to replace the cryptographically secure method of certificate validation and revocation with your own method where anyone can essentially poison the list of thumbprints.

      I agree that self signed certs should be treated like clear text from a security perspective rather than setting off alarm bells but, we still need secure third party identity validation.

      • by 0123456 ( 636235 )

        I agree that self signed certs should be treated like clear text from a security perspective rather than setting off alarm bells

        Yeah, because I totally want my web browser not to set off alarm bells when I go to www.mybank.com and it receives a self-signed certificate from that site.

        • But it's OK that no warnings are issued just because mybank.com spent a lot of money to buy a signed certificate from douchebags-ca.com?
          • by 0123456 ( 636235 )

            But it's OK that no warnings are issued just because mybank.com spent a lot of money to buy a signed certificate from douchebags-ca.com?

            Untrusted CAs aren't included in the web browser, so there will be a warning unless the browser flags that CA as trusted. That trust may be misplaced, but that's a different issue.

            The big flaw with current browsers is that it doesn't tell you when it sees a new certificate where the old one was from bignameCA.com, but the new one is from CAIveneverheardof.ng.

            The CA concept is fundamentally broken, but so long as the CAs are legitimately trusted it's vastly more secure than accepting any old crap without war

            • by vlm ( 69642 )

              Untrusted CAs aren't included in the web browser

              Insert simpsons voice "ha ha". The whole point is that is just not so.

              • by 0123456 ( 636235 )

                Insert simpsons voice "ha ha". The whole point is that is just not so.

                As I said, that trust may be misplaced. But just because some CAs aren't trustworthy, that's no reason to accept self-signed certificates which are guaranteed not to be trustworthy.

                The bad CAs get removed from the browser. No browser developer is going to want to have to track millions of bad self-signed certs, nor could they when anyone can create new ones.

            • > Untrusted CAs aren't included in the web browser

              I LOL'ed! :-D

        • by DarkOx ( 621550 )

          OK, fair point, I guess, but if you go to www.mybank.com today without putting https:// in front of it your browser will almost certainly try http first, and if the server answers you will get an unsecured connection with no warnings.

          Mind you, it might not be your bank's server that answers either; it might be anyone redirecting port 80 traffic along the way. So I still say either self signed SSL certs should be treated as clear text, at the application level. Now perhaps the browser should throw up all kinds

          • by plover ( 150551 ) *

            That's a problem I think the banks have a duty to tackle. They simply shouldn't do business without SSL. Plaintext connections should go first to a visible redirector saying "don't be such a dumb ass, always type 'https' when accessing any bank's web site" (OK, maybe more polite.)

        • Your browser sets off alarm bells when you go to http://www.mybank.com/ [mybank.com]?

          You must love bells!

      • by dgatwood ( 11270 )

        There's a third choice: display a warning the first time, then permanently accept that cert for that site like ssh does. Then, allow one cert to sign its successor for a couple of years after the cert's expiration (or drop expiration dates entirely, as they don't seem to do much good other than making CAs more profitable) and make the new cert inherit the "always trust for this site" policy from its predecessor.

        With that one change, a self-signed cert would provide nearly the same benefit as a real cert, m

    • That really doesn't work so well for sites like Google / all their services, or Amazon, that people may want to access from various places and on various computers. Are you suggesting that we teach everyone about the concepts of certificates, thumbprints, and trust, so that they can pore over the certificate trust chains on each computer they ever want to use?

      • I left a few replies in this thread, so it's a PITA to repeat the same thing over again. Distributed, cross checked lists, time stamped with expiration dates, hashed and keys distributed. Torrent like system to distribute list. Site operators checking existing lists for poison. There are many things that can be done by browsers to see if the self signed certificate indeed belongs to the issuer. Staying with the status quo is only acceptable to the CAs, not to users and over time the situation will get wor

    • Sorry, but I can't agree. Most people wouldn't understand what the hell you are talking about, so even if you show them a fingerprint, they wouldn't know what to do. Browsers treat self-signed with suspicion because anyone can self-sign a certificate and they won't prove, only by themselves, that the server is who it says it is. You surely recognize this. Now, CAs earned their trust by passing a real audit, as in people from a company you know IRL go to that company to check stuff IRL. Not that it helped

      • by 0123456 ( 636235 )

        Now, CAs earned their trust by passing a real audit, as in people from a company you know IRL go to that company to check stuff IRL. Not that it helped much to that Dutch company, but it guarantees a minimum of security.

        The big problem with the CA system is that it limits your security to the level of the least secure CA. You can get your certs from supersecureCA.com, but anyone who hacks into CAinmygarage.ng can produce a certificate that will be trusted just as much as the real one.

      • if you show them a fingerprint, they wouldn't know what to do

        - well, people don't know how to use their GPS in their cars either, but they are still using them. It's not that hard for a bank to put a statement on the front page:

        To make sure you are really on our site compare this number: 43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8 to the fingerprint in your Internet browser address bar.

        Browsers treat self-signed with suspicion because anyone can self-sign a certificate and they won't prove

        - you can't prove that you are on HTTP site either, that doesn't cut it as an explanation for this duality in behavior. I wonder how much CAs pay browser development teams to add them to the CA lists.

        CAs earned their trust by passing a real audit

        - I disagree. I don't trust any CA or whoever "audits" them. They didn't earn MY trust. That's the only trust that's important when I am brow

        • To make sure you are really on our site compare this number: 43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8 to the fingerprint in your Internet browser address bar.

          Um, if you've been MitM'd, all the hacker needs to do is change that text during transit. Your suggestion does not, at all, add any security.

          • Well, in my case I distribute my site information to the customers in print, and I have instructions on how to accept the self signed cert., and the keys are all in the brochure. That's just one way. Obviously I left multiple comments in this thread talking about distributed lists transferred even via torrent like transport, coming from different locations and compared to each other, signed with hash keys, having expiration dates and being checked by site operators.

            Any way towards removing the central signi

    • by Pionar ( 620916 )

      Why should I trust your list?

      • Did I say you have to trust my list?

        I would rather have many distributed lists, all being cross checked, more like multiple DNS roots/entries rather than relying on somebody that is assumed to be trustworthy.

        I want cross checking of multiple lists against one another, etc., You don't have to rely on my list.

      • by Sloppy ( 14984 )

        Why should I trust your list?

        For the same reason that you trust GlobalSign's list, whatever that may be. With a couple exceptions:

        1) Unlike faceless names like GlobalSign, the person issuing such a list may be someone you actually meet and/or can get to know. So the lower bound of trustworthiness is the same as GlobalSign's, but the upper bound is unlimited.

        2) The assertions provided by the list's publisher are a little less risky to accept, because the list publisher is claiming less. The list publisher

      • > Why should I trust your list?

        Why should you trust your (browser's) list of CA's?

    • by tokul ( 682258 )

      Come on, browsers need to start treating self signed certificates like they are plain old HTTP, with an icon that can be used to view the fingerprint.

      Will you notice if your bank reverts to self signed certificate? Will other people notice it?

      • by Sloppy ( 14984 )

        The answer to that question is identical to the answer to: "Will you notice if your bank uses plaintext http?" If you think the answer to that question is No, then whatever you use to turn that into not being a problem, will work the same for both approaches.

      • It's all about the UI - will you notice anything if UI does not tell you?

        What if UI didn't tell you that the site is changing from HTTP to HTTPS, would you notice it? What if the browser decided not to show you the address bar at all? Do you know that they are playing with that genius idea? They are really thinking about it!

        Now, what is needed is a good way to show that the site is HTTP or HTTPS with a self signed certificate, and have an easy way to see the fingerprint or it is an HTTPS with a CA (still sh

      • Why should who signed the certificate make any difference? SSL should be only for establishing a secure channel between the two parties, not identification. For that we have DNSSEC.

    • I don't think the distributed lists is a good idea. Just stick to distributed verification / SSL notaries.

      • Well, in a marketplace of ideas any idea has the right to exist. I don't see why lists cannot be implemented, tried and tested if anybody cares to try, of course.

        But you are not providing any reasoning to your statement. Why are distributed lists not a good idea? If the lists are distributed, time stamped and hash keys are created, hash keys are distributed and lists have expiration dates. The site operators would have to verify the lists out there periodically. Maybe torrent like way to distribute lists.

        Com

        • The problem with spreading lists around is that it requires creating another messy system that requires trust in some authority - the one compiling the list. The same way someone could intercept the website serving your Linux distros and give you an infected one, with a matching hash so it still looks A-OK, someone could intercept the list and the corresponding hash. It's a lighter version of the same kind of mess we've had with CAs.

          Using torrents to distribute the list would at least prevent sabotage, if t

    • by arose ( 644256 )
      Yeah, yeah, and for convenience, let's sign these lists with a set of high level keys and distribute them along the software used to check it. Sounds like a good plan, have you proposed it to browser vendors yet? I'm sure they aren't doing anything remotely like that.
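Several comments in this thread (dgatwood's "warn the first time, then remember the cert like ssh does", the suggestion to log the cert and warn if it changes, and the brochure-printed fingerprint) describe trust-on-first-use pinning. The following is an added example written for this page, not code from Slashdot, any browser, or any CA: a small client-side pin store that records the SHA-256 fingerprint of the first certificate a host presents, accepts it silently afterwards, and alerts when it changes. It also shows why the fingerprint has to arrive out of band: an expected value supplied from the brochure is checked before the first pin is ever stored, which is the one comparison an on-path attacker cannot rewrite. The certificate bytes, host names and the `PinStore` API are constructed for the example (assumptions); real DER-encoded X.509 would be hashed the same way.

```python
"""Trust-on-first-use (TOFU) certificate pinning, the way ssh handles host keys.

Added example; not code from the thread, any browser or any CA. Certificate
bytes below are constructed stand-ins for DER-encoded X.509 (assumption).
"""
import hashlib
import json
from pathlib import Path
from typing import Dict, List, Optional, Tuple

FIRST_USE = "first-use"   # host never seen: pin recorded, user warned once
MATCH = "match"           # same certificate as last time: accept silently
MISMATCH = "mismatch"     # certificate changed: refuse the connection and alert


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the certificate bytes as colon-separated hex, as browsers display it."""
    digest = hashlib.sha256(cert_der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class PinStore:
    """Host -> fingerprint map; persisted to a JSON file when a path is given."""

    def __init__(self, path: Optional[str] = None) -> None:
        self.path = Path(path) if path else None
        self.pins: Dict[str, str] = {}
        if self.path is not None and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def save(self) -> None:
        if self.path is not None:
            self.path.write_text(json.dumps(self.pins, indent=2))

    def check(self, host: str, cert_der: bytes,
              expected_fp: Optional[str] = None) -> Tuple[str, str]:
        """Classify the certificate `host` presented; returns (verdict, fingerprint)."""
        fp = fingerprint(cert_der)
        pinned = self.pins.get(host)
        if pinned is None:
            # First contact: pin only if it agrees with the out-of-band value, when one is supplied.
            if expected_fp is not None and expected_fp.lower() != fp:
                return MISMATCH, fp
            self.pins[host] = fp
            self.save()
            return FIRST_USE, fp
        if pinned == fp:
            return MATCH, fp
        return MISMATCH, fp

    def accept_new(self, host: str, cert_der: bytes) -> str:
        """Replace a pin after the user verified the new fingerprint out of band
        (the ssh 'remove the old known_hosts line' step)."""
        fp = fingerprint(cert_der)
        self.pins[host] = fp
        self.save()
        return fp


# Constructed sample certificates (byte strings standing in for DER).
BANK_CERT = b"constructed-cert:www.mybank.example:serial-1"
BANK_CERT_RENEWED = b"constructed-cert:www.mybank.example:serial-2"
INTERPOSED_CERT = b"constructed-cert:www.mybank.example:unknown-origin"


def demo() -> List[str]:
    """Walk through the thread's scenarios; returns the verdict sequence."""
    store = PinStore()  # in-memory for the demo; pass a file path to persist
    host = "www.mybank.example"
    brochure_fp = fingerprint(BANK_CERT)  # the number printed on paper, not sent in-band
    verdicts = []
    # Brochure says one fingerprint; the presented certificate hashes to another: refuse, no pin.
    verdicts.append(store.check(host, INTERPOSED_CERT, expected_fp=brochure_fp)[0])
    # Genuine first contact, verified against the brochure value.
    verdicts.append(store.check(host, BANK_CERT, expected_fp=brochure_fp)[0])
    verdicts.append(store.check(host, BANK_CERT)[0])         # later visit, unchanged
    verdicts.append(store.check(host, INTERPOSED_CERT)[0])   # certificate changed
    store.accept_new(host, BANK_CERT_RENEWED)                 # legitimate renewal, verified out of band
    verdicts.append(store.check(host, BANK_CERT_RENEWED)[0])
    return verdicts


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The pin is keyed on the host name and the hash of the whole certificate, so a renewal legitimately changes it; that is the operational cost the thread's ssh comparison glosses over, and `accept_new` is where a user (or a signed successor certificate, if one were implemented) would have to step in.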
  • steps to securing a CA.
    1- unplug CA from network.
    2- done.

    If your CA is accessible via a network you sure shouldn't be running a trusted CA.
    • by Anonymous Coward

      Uh, I see a minor flaw in your plan. Think it over for a bit, I'm sure it'll come to you.

  • From http://pastebin.com/85WV10EL [pastebin.com]

    He mentions GlobalSign. I'm assuming DigiNotar is not one of the four remaining? StartCom dodged this mess (good for Eddy!).

    So there are possibly 3 more CAs that have been compromised. Which ones?

    I do find it interesting that the fellow is going after the Dutch government for the Srebrenica event. I wonder what he has in store for the Serbian government?

  • All this shows that you cannot put a for-profit company in charge of data security for the entire world. Things are bound to get ugly. These people are either pathetic or criminal, and in either case they are into their business because of the money, not because they care about the mission they have been trusted with. The amount of damage they can inflict to individuals, governments, and companies is immense. Somehow we must have strict international regulations about how the issuing of certificates is hand
  • I just got an update for Ubuntu's xulrunner (a part of firefox) that labels all DigiNotar certs as untrusted.

    The shunning of DigiNotar is beginning. As it should.

    Anyone know how I can label all DigiNotar certs bad in Chrome or similar?

    --
    BMO

    • by bmo ( 77928 )

      I said:

      >Anyone know how I can label all DigiNotar certs bad in Chrome or similar?

      Follow up.

      In Chrome.

      >Preferences
      >Under the hood
      >SSL
      >scroll down until you see DigiNotar
      >click Edit
      >uncheck "trust this for...."

      Done.
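The Chrome steps above remove one root from the browser's trust store. The added example below (written for this page; not code from Slashdot, Chrome or any CA) models that store to show the two points argued elsewhere in the thread: any trusted root can sign a certificate for any host name, so the system is only as strong as its weakest root, and once a root is distrusted everything it signed stops verifying while certificates from other roots are unaffected. It also implements the warning 0123456 asks for, flagging a host whose issuer differs from the last visit. Signatures are HMAC-SHA256 tags under a per-CA secret, a stand-in for X.509 signatures chosen so the code runs with the standard library alone (assumption); the CA names, host names and secrets are constructed.

```python
"""Toy model of a browser root store: any trusted root can issue for any host,
and distrusting a root invalidates everything it signed.

Added example; not code from the thread, Chrome or any CA. HMAC tags stand in
for real signatures (assumption), and all names and secrets are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str  # host name the certificate claims to be for
    issuer: str   # CA that signed it
    sig: str      # hex tag over "subject|issuer"


def _tag(secret: bytes, subject: str, issuer: str) -> str:
    return hmac.new(secret, f"{subject}|{issuer}".encode(), hashlib.sha256).hexdigest()


def issue(ca_name: str, ca_secret: bytes, subject: str) -> Cert:
    """What a CA does when it signs a certificate: nothing here ties a CA to particular hosts."""
    return Cert(subject, ca_name, _tag(ca_secret, subject, ca_name))


class RootStore:
    """Trusted CA name -> verification secret (stand-in for the root's public key)."""

    def __init__(self, roots: Dict[str, bytes]) -> None:
        self.roots = dict(roots)
        self.last_issuer: Dict[str, str] = {}  # host -> issuer seen on the previous visit

    def distrust(self, ca_name: str) -> None:
        """Remove a root, as the Chrome steps above do for DigiNotar."""
        self.roots.pop(ca_name, None)

    def verify(self, cert: Cert, host: str) -> Tuple[bool, str]:
        """Return (trusted?, reason) for a certificate presented by `host`."""
        if cert.subject != host:
            return False, "name mismatch"
        secret = self.roots.get(cert.issuer)
        if secret is None:
            return False, f"issuer {cert.issuer} is not a trusted root"
        if not hmac.compare_digest(_tag(secret, cert.subject, cert.issuer), cert.sig):
            return False, "bad signature"
        return True, "ok"

    def issuer_changed(self, cert: Cert) -> Optional[str]:
        """Return the previous issuer for this host if it differs from the current one, else None."""
        previous = self.last_issuer.get(cert.subject)
        self.last_issuer[cert.subject] = cert.issuer
        return previous if previous is not None and previous != cert.issuer else None


# Constructed roots: one well-run CA and one the thread would call a garage operation.
ROOTS = {
    "supersecureCA.example": b"constructed-root-secret-1",
    "CAinmygarage.example": b"constructed-root-secret-2",
}
HOST = "www.mail.example"


def demo() -> Dict[str, object]:
    store = RootStore(ROOTS)
    genuine = issue("supersecureCA.example", ROOTS["supersecureCA.example"], HOST)
    # A certificate for the same host signed by the weaker root; nothing in the
    # model stops it, which is the "least secure CA" problem from the thread.
    from_weak_root = issue("CAinmygarage.example", ROOTS["CAinmygarage.example"], HOST)
    out: Dict[str, object] = {
        "genuine_ok": store.verify(genuine, HOST)[0],
        "weak_root_ok_before": store.verify(from_weak_root, HOST)[0],
    }
    store.issuer_changed(genuine)  # first visit: remember who issued the cert
    out["issuer_change_warning"] = store.issuer_changed(from_weak_root)
    store.distrust("CAinmygarage.example")
    out["weak_root_ok_after"] = store.verify(from_weak_root, HOST)[0]
    out["weak_root_reason"] = store.verify(from_weak_root, HOST)[1]
    out["genuine_ok_after"] = store.verify(genuine, HOST)[0]
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note what distrust does and does not fix: removing the garage root stops its certificates from verifying from now on, but until that step the certificate it signed for the mail host was accepted exactly like the genuine one. The issuer-change check is the only signal in this model that fires before the root is pulled.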

  • On a somewhat related point. How many IT Admins believe the various Symantec, McAfee, whatever virus protection software in and of themselves excel at preventing new viruses from infecting computers? Raise your hand. In a security conference I just attended, when asked that question literally no one in the room raised their hand.
  • Anyone with any guidance on WHAT happened? If the CA authority has suspicions, they should be as open as possible about it. We don't know what happened and I NEED to know (as I have people here that deal with sensitive projects and often travel into areas that have shown to be hostile towards privacy).
