GlobalSign stops issuing SSL certificates in response to Iranian hacker

Earlier today a person calling himself ComodoHacker made a submission to the text posting site Pastebin.com. Similar to a previous post by ComodoHacker, it is fair to call it a bit of a bragging rant.

Last March ComodoHacker claimed responsibility for the first attack against a certificate authority that resulted in bogus SSL certificates being issued in the wild.

In addition to claiming his attacks are far more sophisticated than Stuxnet and distancing himself from the Iranian government, he also claims to have compromised four other certificate authorities, including GlobalSign.

GlobalSign, the fifth largest certificate issuer according to Netcraft, responded to this news by immediately ceasing any further signing of certificates while they investigate.

Their response is interesting. While we don't know if they have been compromised (and arguably, neither do they), they are making a tough choice, and it is the one we should expect from organizations whose business models rely on trust.

It's possible the accusations are simply from an anonymous raving lunatic. Yet they could be true, and rather than put the greater internet community at risk, GlobalSign is forgoing some revenue out of an abundance of caution.

That's great news. Let's hope that the accusations are false and everything is safe and secure at GlobalSign and the other three unnamed victims.

While I have argued for a long time that the certificate system is fragile and arguably broken, I'd rather not have two examples in one week to support my arguments.

5 Responses to GlobalSign stops issuing SSL certificates in response to Iranian hacker

  1. Josiph · 1049 days ago

    With the whole SSL breach, and the fact that everyone seems to be data mining visits and searches, why does https://nakedsecurity.sophos.com return:

    "nakedsecurity.sophos.com uses an invalid security certificate.

    The certificate is only valid for the following names:
    *.wordpress.com , wordpress.com

    (Error code: ssl_error_bad_cert_domain)"?

    • Paul Ducklin · 1044 days ago

      That's a tricky one.

      If you do the DNS lookups, you'll see that nakedsecurity.sophos.com is just a CNAME to sophosnews.wordpress.com - we're hosted by WordPress.com VIP - and that's why the certificate says "*.wordpress.com".

      If you start at https://sophosnews.wordpress.com/ then the certificate will match.
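
The mismatch discussed in the exchange above, as an added example that is not part of the original post or its comments: a client checks the certificate against the name in the URL, not against the CNAME target DNS resolves it to. The host names and certificate names are the ones quoted in the thread; the CNAME table is constructed from the reply, and the rule that a wildcard needs at least two further labels is a conservative assumption.

```python
# Added example. Matching follows the leftmost-label wildcard convention of
# RFC 6125; the data below is constructed from the names quoted in the thread.

CERT_NAMES = ["*.wordpress.com", "wordpress.com"]  # names listed in the error
CNAME = {"nakedsecurity.sophos.com": "sophosnews.wordpress.com"}  # per the reply


def name_matches(pattern: str, host: str) -> bool:
    """Match one certificate name against the host the client asked for."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard stands for exactly one label
    if p_labels[0] == "*":
        # Assumption: require two further labels so "*.com" never matches.
        return (len(p_labels) >= 3 and bool(h_labels[0])
                and p_labels[1:] == h_labels[1:])
    return p_labels == h_labels


def resolve(host: str) -> str:
    """Follow the constructed CNAME table to the final DNS name."""
    seen = set()
    while host in CNAME and host not in seen:
        seen.add(host)
        host = CNAME[host]
    return host


def verify(requested_host: str, cert_names=CERT_NAMES) -> bool:
    """The reference identity is the name in the URL, never the CNAME target."""
    return any(name_matches(n, requested_host) for n in cert_names)


if __name__ == "__main__":
    for url_host in ("nakedsecurity.sophos.com", "sophosnews.wordpress.com"):
        print(url_host, "->", resolve(url_host),
              "| certificate accepted:", verify(url_host))
```

Both URLs reach the same server, but only the second is accepted, because DNS answers are unauthenticated and play no part in choosing the name to verify.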

  2. Kevin Beaumont · 1049 days ago

    The bigger claim pretty much everybody has missed (so far) is that he has certificates to sign Windows Update packages. Pretty much every Windows PC out there has Windows Update enabled (it's enabled by default since Windows XP SP2, in 2004) - and the only thing which authenticates updates is code signing. Considering this guy managed to get *.Google.com certification with code signing in the certificate - uhm!

  3. Farid · 1048 days ago

    After conclusive evidence has surfaced which proved the fraudulent certs were used almost exclusively against Iranian citizens, I am surprised to see there are still security experts who refer to the culprit as some random egotistic Iranian hacker who is "distancing himself from the Iranian government" and thus help the real culprit evade the blame.

  4. Mehdi · 1043 days ago

    Although it's better to work on this crappy certificate mechanism, it's useful to know that there is a rich, wealthy hacker named Iranian government. Don't be a fool to think that this guy did it alone.

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.