Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security IT

GlobalSign Suspends Issuance of SSL Certificates 111

Joining the ranks of accepted submitters, realxmp writes "The BBC is reporting that GlobalSign has stopped issuing certificates because of yet another suspected CA security breach. This was in response to a post on the ComodoHacker paste bin, claiming that this and several other CA's have also been compromised." No word yet on whether they were actually compromised.
This discussion has been archived. No new comments can be posted.

GlobalSign Suspends Issuance of SSL Certificates

Comments Filter:
  • At some point (Score:4, Insightful)

    by SlippyToad ( 240532 ) on Wednesday September 07, 2011 @10:48AM (#37328020)

    You have to wonder if these people are serious about their craft, or just phoning it in. If they are in the security business, you expect they'd at least make a half-assed attempt at securing THEIR OWN BUSINESS.

    • by h4rr4r ( 612664 )

      Why would they?
      Security costs money, these folks sell the illusion of security so that is what they use for themselves as well. When marketing and MBAs run companies this is what you get.

      • by rednip ( 186217 )

        When unaccountable people run companies this is what you get.

        There, I fixed it for you.

    • There are two possible scenarios. In the first one, you are right and those fellas at GlobalSign are lame. In the other one, they are doing it because of risk mitigation instead of security.

    • Selling security is completely different from providing security. Look at TSA for instance, no security provided, but plenty 'sold'. Same with the CAs, their product is a signed certificate which is recognized by browsers, their product is not the security of their own organization. Sure, if they're hacked they'll lose everything, but MBAs think the chance of that happening is so low that it isn't worth it to implement security.

      We've also seen what the MBAs will do when a hack does occur - try to keep it a
      • Again, the security of the organization is not the product, just the certificate and some security theater

        If my organization mentions buying a certificate from one of these shysters, I'm certainly going to recommend against it.

        They may not think their own security is their product, but frankly the entire integrity of their business rides on it.

        • by h4rr4r ( 612664 )

          But until yesterday you would not have.
          So they will fold this company and do it all over again. That is much cheaper than ever bothering with security.

        • by pe1chl ( 90186 )

          The thing is that it does not matter at all how secure the organization you buy your certificate from is.
          What matters is how secure the lease secure of those hundreds of organizations that sell certificates is.
          You can buy your certificate from the most secure one, but someone else can buy or steal it from the least secure organization and it will be trusted just as much.

    • Re:At some point (Score:4, Interesting)

      by HermMunster ( 972336 ) on Wednesday September 07, 2011 @11:30AM (#37328702)

      The Comodo and Diginotar break-ins and theft were traced to Iran. To me, when I read the pastebin post, I felt it was a cover up bit meant to mislead the general public. Any additional hack thereafter, such as GlobalSign, would simply be to cover up their actions.

      I'm not talking about hiding the activity, but to make it seem like Iran wasn't a participant. And, they were. The purpose of those thefts is to act as a man-in-the-middle to fool the Iranian citizens into thinking that they were speaking with these social and search sites as if they were the original. SSL is the foundation of secure communication over the internet. Browsers use those to verify a site is the actual site. Acting as a man in the middle with a seemingly valid certificate can fool your population into believing you are Google, and hence they can read your mail, watch your searches, check out what you say, and even find out where you are. Iran could easily put up a fake Firefox/Google/Microsoft site and then substitute their own browser that still accepts the certificates.

      If GlobalSign is ceasing certificate issuance because of pastebin maybe it is appropriate for now.

      My opinion still stands. That pastebin reference was either some fool confessing to every murder and crime on the planet, or it was Iran spoofing the general world public trying to build doubt, thus making it less likely that there'll be major backlash by the governments of the world.

      Certificate forgery (by stealing them from legit sources) is really bad for the internet. Seriously bad.

      • by plover ( 150551 ) *

        This Certificate forgery isn't all bad (except to the direct victims, who I hope are able to remain safe.) It's a wakeup call if we choose to listen.

        The root CA PKI system has always been a house of cards. It's great for the purpose for which it was designed, which is a single top-down hierarchical organization, but that's not the Internet. We've just stuck with it for so long that we've never bothered with the tremendous amount of work it would take to replace it with something better. This is a gust of

      • The Comodo and Diginotar break-ins and theft were traced to Iran. To me, when I read the pastebin post, I felt it was a cover up bit meant to mislead the general public. Any additional hack thereafter, such as GlobalSign, would simply be to cover up their actions.

        I'm not talking about hiding the activity, but to make it seem like Iran wasn't a participant.

        What on the posted PasteBin messages made you think that it's trying to deflect attention from Iran? It seems like the exact opposite to me, if anything. I mean, the very first message [pastebin.com] from the "ComodoHacker" guy says:

        "Rule#3: Anyone inside Iran with problems, from fake green movement to all MKO members and two faced terrorist, should afraid of me personally. I won't let anyone inside Iran, harm people of Iran, harm my country's Nuclear Scientists, harm my Leader (which nobody can), harm my President, as I

      • The Comodo and Diginotar break-ins and theft were traced to Iran. To me, when I read the pastebin post, I felt it was a cover up bit meant to mislead the general public.

        Actually, to me it seems far more likely that the break-in originated elsewhere, then access was sold to Iran.

    • These people are not in the security business; They are in the confidence business.

      Like Calvin Klein, and psychic hot-lines, the CA's are not selling a product so much as they are selling "peace of mind". They sell a special pen which companies use to fill in that special website check-box next to the word "Secure connections". That's it.

      There is nothing magical about a CA issued cert. The Certification Authorities neither certify connections, nor have the authority to do so. They host public numbers on the

      • Chrome isn't much nicer with self-signed certs, it warns every time... Would be nice to get a warning the first time, have it log the cert, and warn if it changes.
    • Seems more like deflection. Some lone gunman shoots--so to speak.

  • by Baloroth ( 2370816 ) on Wednesday September 07, 2011 @10:50AM (#37328054)

    1. Hack one CA
    2. Post on pastebin claiming to have hacked more
    3. Watch as they scramble in panic
    4. ??????
    5. Profit?

    It seems quite possible that the hacker is just being a total jerk, if they wanted to actually use certs from a company (like they did Diginotar) they wouldn't announce the hack until it was discovered. So most likely they didn't actually pull off the hack.

    Unless 4 is "be a rival CA", in which case you do profit. Or if you hacked a different CA and want people to use that company. Which adds a whole layer of conspiracy possibilities on an already conspiracy-laden hack.

    • Re: (Score:3, Interesting)

      by vlm ( 69642 )

      3. Watch as they scramble in panic

      I think this is not just casual LOL type watching, but scientifically carefully studying the reaction to a semi-credible threat, to figure out how to work around their reaction in a future (real?) event.

      How has the collapse of diginotaurus or whatever affected other CAs response?

    • I can see investigating internally, but if you stop issuing, then it means you either found something really, really bad, or things are such a cluster f--k that you can't tell

  • by dcollins ( 135727 ) on Wednesday September 07, 2011 @10:53AM (#37328096) Homepage

    First time accepted submitter (and Slashdot coder) cogent writes...
    With his first accepted submission, quantr tips news...
    Hitting the mainpage for the first time, Black Sabbath writes...
    Debuting on Slashdot, seezer writes with a piece...
    Joining the ranks of accepted submitters, realxmp writes...

    For god's sake, stop! We care about the news, not the personalities of the posters!

  • by roman_mir ( 125474 ) on Wednesday September 07, 2011 @10:57AM (#37328184) Homepage Journal

    Self Signed Certificates.

    This is what I have been talking about for years and years now. Years and years, and I am on the topic of browsers treating self signed certificates worse than viruses and there are still people disagreeing.

    Come on, browsers need to start treating self signed certificates like they are plain old HTTP, with an icon that can be used to view the fingerprint.

    That would be a GOOD START. Then start distributing lists of sites to fingerprints, maybe even public certificates, have time stamps and have the site operators cross check the fingerprints in those lists. Have an architecture to verify one list against another dynamically. Have verified lists that are hash signed, have hash keys for lists being distributed. I don't know, there could be all sorts of things done, but instead we are still relying on the centralized signing authority that didn't actually earn any trust. I don't trust any CA, why does anybody trust any CA?

    • by DarkOx ( 621550 )

      So you want to replace the cryptographically secure method of certificate validation and revocation with your own method where anyone can essentially poison the list of thumbprints.

      I agree that self signed certs should be treated like clear text from a security perspective rather than setting off alarm bells but, we still need secure third party identity validation.

      • by 0123456 ( 636235 )

        I agree that self signed certs should be treated like clear text from a security perspective rather than setting off alarm bells

        Yeah, because I totally want my web browser not to set off alarm bells when I go to www.mybank.com and it receives a self-signed certificate from that site.

        • But its ok that none warnings are issued just because mybank.com spent a lot of money to buy a signed certificate from douchebags-ca.com?
          • by 0123456 ( 636235 )

            But its ok that none warnings are issued just because mybank.com spent a lot of money to buy a signed certificate from douchebags-ca.com?

            Untrusted CAs aren't included in the web browser, so there will be a warning unless the browser flags that CA as trusted. That trust may be misplaced, but that's a different issue.

            The big flaw with current browsers is that it doesn't tell you when it sees a new certificate where the old one was from bignameCA.com, but the new one is from CAIveneverheardof.ng.

            The CA concept is fundamentally broken, but so long as the CAs are legitimately trusted it's vastly more secure than accepting any old crap without war

            • by vlm ( 69642 )

              Untrusted CAs aren't included in the web browser

              Insert simpsons voice "ha ha". The whole point is that is just not so.

              • by 0123456 ( 636235 )

                Insert simpsons voice "ha ha". The whole point is that is just not so.

                As I said, that trust may be misplaced. But just because some CAs aren't trustworthy, that's no reason to accept self-signed certitificates which are guaranteed not to be trustworthy.

                The bad CAs get removed from the browser. No browser developer is going to want to have to track millions of bad self-signed certs, nor could they when anyone can create new ones.

            • > Untrusted CAs aren't included in the web browser

              I LOL'ed! :-D

        • by DarkOx ( 621550 )

          ok fair point, I guess, but if you go to www.mybank.com today without putting https:/// [https] in front of it your browser will almost certainly try http first, and if the server answers you will get an unsecured connection with no warnings.

          Mind you it might not be your banks server that answers either, might be anyone redirecting port 80 traffic along the way. So I still say either self signed SSL certs should be treated as clear text, at the application level. Now perhaps the browser should throw up all kinds

          • by plover ( 150551 ) *

            That's a problem I think the banks have a duty to tackle. They simply shouldn't do business without SSL. Plaintext connections should go first to a visible redirector saying "don't be such a dumb ass, always type 'https' when accessing any bank's web site" (OK, maybe more polite.)

        • Your browser sets of alarm bells when you go to http://www.mybank.com/ [mybank.com]?

          You must love bells!

      • by dgatwood ( 11270 )

        There's a third choice: display a warning the first time, then permanently accept that cert for that site like ssh does. Then, allow one cert to sign its successor for a couple of years after the cert's expiration (or drop expiration dates entirely, as they don't seem to do much good other than making CAs more profitable) and make the new cert inherit the "always trust for this site" policy from its predecessor.

        With that one change, a self-signed cert would provide nearly the same benefit as a real cert, m

    • That really doesnt work so well for sites like Google / all their services, or Amazon, that people may want to access from various places and on various computers. Are you suggesting that we teach everyone about the concepts of certificates, thumbprints, and trust, so that they can pore over the certificate trust chains on each computer they ever want to use?

      • I left a few replies in this thread, so it's a PITA to repeat the same thing over again. Distributed, cross checked lists, time stamped with expiration dates, hashed and keys distributed. Torrent like system to distribute list. Site operators checking existing lists for poison. There are many things that can be done by browsers to see if the self signed certificate indeed belongs to the issuer. Staying with the status quo is only acceptable to the CAs, not to users and over time the situation will get wor

    • Sorry, but I can't agree. Most people wouldn't understand what the hell are you talking about, so even if you show them a fingerprint, they wouldn't know what to do. Browsers treat self-signed with suspicion because anyone can self-sign a certificate and they won't prove, only by themselves, that the server is who it says it is. You surely recognize this. Now, CAs earned their trusts by passing a real audit, as in people from a company you know IRL goes to that company to check stuff IRL. Not that it helped

      • by 0123456 ( 636235 )

        Now, CAs earned their trusts by passing a real audit, as in people from a company you know IRL goes to that company to check stuff IRL. Not that it helped much to that Dutch company, but it guarantees a minimum of security.

        The big problem with the CA system is that it limits your security to the level of the least secure CA. You can get your certs from supersecureCA.com, but anyone who hacks into CAinmygarage.ng can produce a certificate that will be trusted just as much as the real one.

      • if you show them a fingerprint, they wouldn't know what to do

        - well, people don't know how to use their GPS in their cars either, but they are still using them. It's not that hard for a bank to put a statement on the front page:

        To make sure you are really on our site compare this number: 43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8 to the fingerprint in your Internet browser address bar.

        Browsers treat self-signed with suspicion because anyone can self-sign a certificate and they won't prove

        - you can't prove that you are on HTTP site either, that doesn't cut it as an explanation for this duality in behavior. I wonder how much CAs pay browser development teams to add them to the CA lists.

        CAs earned their trusts by passing a real audit

        - I disagree. I don't trust any CA or whoever "audits" them. They didn't earn MY trust. That's the only trust that's important when I am brow

        • To make sure you are really on our site compare this number: 43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8 to the fingerprint in your Internet browser address bar.

          Um, if you've been MitM'd, all the hacker needs to do is change that text during transit. Your suggestion does not, at all, add any security.

          • Well, in my case I distribute my site information to the customers in print, and I have instructions on how to accept the self signed cert., and the keys are all in the brochure. That's just one way. Obviously I left multiple comments in this thread talking about distributed lists transfered even via torrent like transport, coming from different locations and compared to each other, signed with hash keys, having expiration dates and being checked by site operators.

            Any way towards removing the central signi

    • by Pionar ( 620916 )

      Why should I trust your list?

      • Did I say you have to trust my list?

        I would rather have many distributed lists, all being cross checked, more like multiple DNS roots/entries rather than relying on somebody that is assumed to be trustworthy.

        I want cross checking of multiple lists against one another, etc., You don't have to rely on my list.

      • by Sloppy ( 14984 )

        Why should I trust your list?

        For the same reason that you trust GlobalSign's list, whatever that may be. With a couple exceptions:

        1) Unlike faceless names like GlobalSign, the person issuing such a list may be someone you actually meet and/or can get to know. So the lower bound of trustworthiness is the same as GlobalSign's, but the upper bound is unlimited.

        2) The assertions provided by the list's publisher are a little less risky to accept, because the list publisher is claiming less. The list publisher

      • > Why should I trust your list?

        Why should you trust your (browser's) list of CA's?

    • by tokul ( 682258 )

      Come on, browsers need to start treating self signed certificates like they are plain old HTTP, with an icon that can be used to view the fingerprint.

      Will you notice if your bank reverts to self signed certificate? Will other people notice it?

      • by Sloppy ( 14984 )

        The answer to that question is identical to the answer to: "Will you notice if your bank uses plaintext http?" If you think the answer to that question is No, then whatever you use to turn that into not being a problem, will work the same for both approaches.

      • It's all about the UI - will you notice anything if UI does not tell you?

        What if UI didn't tell you that the site is changing from HTTP to HTTPS, would you notice it? What if the browser decided not to show you the address bar at all? Do you know that they are playing with that genius idea? They are really thinking about it!

        Now, what is needed is a good way to show that the site is HTTP or HTTPS with a self signed certificate, and have an easy way to see the fingerprint or it is an HTTPS with a CA (still sh

      • Why should who signed the certificate make any difference? SSL should be only for establishing a secure channel between the two parties, not identification. For that we have DNSSEC.

    • I don't think the distributed lists is a good idea. Just stick to distributed verification / SSL notaries.

      • Well, in a marketplace of ideas any idea has the right to exist. I don't see why lists cannot be implemented, tried and tested if anybody cares to try of-course.

        But you are not providing any reasoning to your statement. Why are distributed lists not a good idea? If the lists are distributed, time stamped and hash keys are created, hash keys are distributed and lists have expiration dates. The site operators would have to verify the lists out there periodically. Maybe torrent like way to distribute lists.

        Com

        • The problem with spreading lists around is that it requires creating another messy system that requires trust in some authority - the one compiling the list. The same way someone could intercept the website serving your Linux distros and give you an infected one, with a matching hash so it still looks A-OK, someone could intercept the list and the corresponding hash. It's a lighter version of the same kind of mess we've had with CAs.

          Using torrents to distribute the list would at least prevent sabotage, if t

    • by arose ( 644256 )
      Yeah, yeah, and for convenience, let's sign these lists with a set of high level keys and distribute them along the software used to check it. Sounds like a good plan, have you proposed it to browser vendors yet? I'm sure they aren't doing anything remotely like that.
  • steps to securing a CA.
    1- unplug CA from network.
    2- done.

    If your CA is accessible via a network you sure not be running a trusted CA.
    • by Anonymous Coward

      Uh, I see a minor flaw in your plan. Think it over a for a bit, I'm sure it'll come to you.

  • From http://pastebin.com/85WV10EL [pastebin.com]

    He mentions GlobalSign. I'm assuming DigiNotar is not in one four remaining? StartCom dodged this mess (good for Eddy!).

    So there are possibly 3 more CAs that have been compromised. Which ones?

    I do find it interesting that the fellow is going after the Dutch government for the Srebrenica event. I wonder what he has in store for the Serbian government?

  • All this shows that you cannot put a for-profit company in charge of data security for the entire world. Things are bound to get ugly. These people are either pathetic or criminal, and in either case they are into their business because of the money, not because they care about the mission they have been trusted with. The amount of damage they can inflict to individuals, governments, and companies is immense. Somehow we must have strict international regulations about how the issuing of certificates is hand
  • I just got an update for Ubuntu's xulrunner (a part of firefox) that labels all DigiNotar certs as untrusted.

    The shunning of DigiNotar is beginning. As it should.

    Anyone know how I can label all DigiNotar certs bad in Chrome or similar?

    --
    BMO

    • by bmo ( 77928 )

      I said:

      >Anyone know how I can label all DigiNotar certs bad in Chrome or similar?

      Follow up.

      In Chrome.

      >Preferences
      >Under the hood
      >SSL
      >scroll down until you see DigiNotar
      >click Edit
      >uncheck "trust this for...."

      Done.

  • On a somewhat related point. How many IT Admins believe the various symantec, mcafee, whatever virus protection software in and of themselves excel at preventing new viruses from infecting computers. Raise your hand. In a security conference I just attended when asked that question literally no one in the room raised their hand.
  • Anyone with any guidance on WHAT happened? If the CA authority has suspicions, they should be as open as possible about it. We don't know what happened and I NEED to know (as I have people here that deal with sensitive projects and often travel into areas that have shown to be hostile towards privacy).

Keep up the good work! But please don't ask me to help.

Working...