Earlier today a person calling himself ComodoHacker made a submission to text posting site Pastebin.com. Similar to a previous post by ComodoHacker it is fair to call it a bit of a bragging rant.
Last March ComodoHacker claimed responsibility for the first attack against a certificate authority that resulted in bogus SSL certificates being issued in the wild.
In addition to claiming his attacks are far more sophisticated than Stuxnet and distancing himself from the Iranian government, he also claims to have compromised four other certificate authorities, including GlobalSign.
GlobalSign, the fifth largest certificate issuer according to NetCraft, responded to this news by immediately ceasing any further signing of certificates while they investigate.
Their response is interesting. While we don’t know if they have been compromised (and arguably, neither do they) they are making a tough choice that is what we should expect from organizations whose business models rely on trust.
It’s possible the accusations are simply from an anonymous raving lunatic. Yet they could be true, and rather than put the greater internet community at risk, GlobalSign is forgoing some revenue out of an abundance of caution.
That’s great news. Let’s hope that the accusations are false and everything is safe and secure at GlobalSign and the other three unnamed victims.
While I have argued for a long time that the certificate system is fragile and arguably broken, I’d rather not have two examples in one week to support my arguments.