GlobalSign stops issuing SSL certificates in response to Iranian hacker

Filed Under: Featured, Vulnerability

Warning, breach aheadEarlier today a person calling himself ComodoHacker made a submission to text posting site Similar to a previous post by ComodoHacker it is fair to call it a bit of a bragging rant.

Last March ComodoHacker claimed responsibility for the first attack against a certificate authority that resulted in bogus SSL certificates being issued in the wild.

In addition to claiming his attacks are far more sophisticated than Stuxnet and distancing himself from the Iranian government, he also claims to have compromised four other certificate authorities, including GlobalSign.

GlobalSign logoGlobalSign, the fifth largest certificate issuer according to NetCraft, responded to this news by immediately ceasing any further signing of certificates while they investigate.

Their response is interesting. While we don't know if they have been compromised (and arguably, neither do they) they are making a tough choice that is what we should expect from organizations whose business models rely on trust.

It's possible the accusations are simply from an anonymous raving lunatic. Yet they could be true, and rather than put the greater internet community at risk, GlobalSign is forgoing some revenue out of an abundance of caution.

That's great news. Let's hope that the accusations are false and everything is safe and secure at GlobalSign and the other three unnamed victims.

While I have argued for a long time that the certificate system is fragile and arguably broken, I'd rather not have two examples in one week to support my arguments.

, , , , , ,

You might like

5 Responses to GlobalSign stops issuing SSL certificates in response to Iranian hacker

  1. Josiph · 1493 days ago

    With the whole SSL breach, and the fact that everyone seems to be data mining visits and searches, why does return:

    " uses an invalid security certificate.

    The certificate is only valid for the following names:
    * ,

    (Error code: ssl_error_bad_cert_domain)"?

    • Paul Ducklin · 1488 days ago

      That's a tricky one.

      If you do the DNS lookups, you'll see that is just a CNAME to - we're hosted by VIP - and that's why the certificate says "*".

      If you start at then the certificate will match.

  2. Kevin Beaumont · 1493 days ago

    The bigger claim pretty much everybody has missed (so far) is that he has certificates to sign Windows Update packages. Pretty much every Windows PC out there has Windows Update enabled (it's enabled by default since Windows XP SP2, in 2004) - and the only thing which authenticates updates is code signing. Considering this guy managed to get * certification with code signing in the certificate - uhm!

  3. Farid · 1493 days ago

    After conclusive evidence have surfaced which proved the fraudulent certs were used almost exclusively against Iranian citizens, I am surprised to see there are still security experts who refer to the culprit as some random egotistic Iranian hacker who is "distancing himself from the Iranian government" and thus help the real culprit evade the blame.

  4. Mehdi · 1488 days ago

    Although it's better to work on this crappy certificate mechanism, it's useful to know that there is a rich, wealthy hacker named Iranian government. Don't be fool to think that this guy did it alone.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on as Chester, Chester Wisniewski on Google Plus or send him an email at