An Ugly Week for Certificate Authorities: DigiNotar, GlobalSign, and ComodoHacker Collide
Certificate Authorities (CAs) form the backbone of the web of trust behind credit card transactions and secure communications between web browsers and web sites. Without that “web of trust” intact, people surfing the web cannot really trust that their credentials, confidential information, and so on are actually protected when they access a web page. That is what makes the forged certificates from DigiNotar such a catastrophe, and why the response from the certificate world has been so heroic.
One example is how GlobalSign responded to the hacker’s claim that he had crossed its line of defense.
The story so far: an Iranian hacker with a pronounced dislike for local dissidents compromised the servers of DigiNotar, a Certificate Authority, as early as July 2011 and generated forged certificates for the google.com domain (among many others). The hacker, calling himself ComodoHacker, then used the forged certificates to insert himself between Gmail and its Iranian users, intercepting conversations the users believed were private. After a web user noticed the problem thanks to the additional certificate checks in Google’s Chrome browser and sent up a flare, Google removed DigiNotar from the list of CAs its browser trusts, as did Mozilla, Microsoft, and now even Apple.
An investigation by Fox-IT into what happened revealed serious incompetence in DigiNotar’s security practices and in its response to the problem.
How did GlobalSign get involved?
Now we face yet another interesting conundrum: ComodoHacker posted a release on Pastebin.org claiming that he had also compromised several other highly visible CAs, one of them GlobalSign, the world’s fifth-largest CA and issuer of SSL certificates.
GlobalSign swung into action, taking its service offline and halting certificate issuance while it investigated the claim. Obviously, it had no desire to be the next DigiNotar, but it had no clear evidence (aside from the hacker’s hype) that it had been breached. After it called in outside help, it was determined that there was no breach, and now it is back online.
Ordinarily, I can see why a certificate authority would have felt justified in ignoring the braggadocio of this new hacker; however, in light of what happened to DigiNotar, GlobalSign clearly decided not to compound its fate by being part of the problem. To everyone’s relief, they have come out smelling like roses; the only downside is a week-long suspension of services while they made sure their fences were whole.
What happens to DigiNotar?
So far, nobody trusts them anymore. Multiple large corporations that handle credit-card transactions, many users, and giant communities have blacklisted them. DigiNotar as a Certificate Authority is done for. Apple, Microsoft, Google, Mozilla, and others have removed DigiNotar from their trusted lists, which essentially rings the death knell for the CA. Apple, Microsoft, and RIM will likely soon release updates for their mobile devices that also revoke those certificates, and that will be the last nail in the coffin.
To get back into the good graces of the world, they will have to show, probably via an outside audit, that their security practices are back up to par. That process may take months to bear fruit, and there is no news that they have started it yet.
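The two defensive moves this story turns on, a browser that checks a host's expected key even when the certificate chain is valid (the kind of extra check that exposed the forged Gmail certificate) and vendors removing a compromised CA from their trust stores (the response to DigiNotar described above), can be played through with Go's standard crypto/x509 package. This is an added example, not code from the article or from any of the CAs it names: the two CAs, the host name mail.example.test and the serial numbers are constructed for the demonstration, and "pinning" here means comparing the SHA-256 of the leaf's SubjectPublicKeyInfo against a stored value.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

const protectedHost = "mail.example.test" // constructed stand-in for the Gmail host

// issue signs a certificate with parent/parentKey, or a self-signed CA root when parent is nil.
// Keys and names are constructed fixtures; none belong to DigiNotar, GlobalSign or Google.
func issue(name string, serial int64, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // fixture generation only fails on a broken RNG; fatal for a demo
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	signer, signerKey := parent, parentKey
	if parent == nil { // self-signed root
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
		signer, signerKey = tmpl, priv
	} else { // server leaf: a compromised CA will sign one for any host it is asked to
		tmpl.DNSNames = []string{name}
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, priv
}

// spkiPin is the base64 SHA-256 of the SubjectPublicKeyInfo: what a pinning client stores per host.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// validate builds a chain to a trusted root and checks the host name, as every browser does,
// then, when pins exist for the host, also requires the leaf key to match one of them.
func validate(leaf *x509.Certificate, roots *x509.CertPool, host string, pins []string) error {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return err
	}
	if len(pins) == 0 {
		return nil // no pins: the trust store alone decides, as in an ordinary browser
	}
	got := spkiPin(leaf)
	for _, p := range pins {
		if p == got {
			return nil
		}
	}
	return fmt.Errorf("chain verified, but key %s is not pinned for %s", got, host)
}

// RunScenarios plays through the trust states in the article; each maps to "accepted" or "rejected: <reason>".
func RunScenarios() map[string]string {
	genuineCA, genuineKey := issue("Constructed Genuine CA", 1, nil, nil)
	rogueCA, rogueKey := issue("Constructed Compromised CA", 2, nil, nil)
	genuineLeaf, _ := issue(protectedHost, 100, genuineCA, genuineKey)
	forgedLeaf, _ := issue(protectedHost, 200, rogueCA, rogueKey)
	before := x509.NewCertPool() // roots as shipped before the incident
	before.AddCert(genuineCA)
	before.AddCert(rogueCA)
	after := x509.NewCertPool() // roots after vendors pulled the compromised CA
	after.AddCert(genuineCA)
	pins := []string{spkiPin(genuineLeaf)} // the key a pinning browser expects for the host
	results := map[string]string{}
	check := func(scenario string, leaf *x509.Certificate, roots *x509.CertPool, pins []string) {
		results[scenario] = "accepted"
		if err := validate(leaf, roots, protectedHost, pins); err != nil {
			results[scenario] = "rejected: " + err.Error()
		}
	}
	check("forged leaf, compromised CA trusted, no pinning", forgedLeaf, before, nil)
	check("forged leaf, compromised CA trusted, pinning client", forgedLeaf, before, pins)
	check("forged leaf, compromised CA removed from roots", forgedLeaf, after, nil)
	check("genuine leaf, compromised CA removed, pinning client", genuineLeaf, after, pins)
	return results
}
```

The first scenario is the uncomfortable part: with the compromised CA still in the trust store and no pin, the forged certificate passes every standard check, because the signature really is valid and the issuer really is trusted. Only the pinning client rejects it while the CA is still trusted, and only removing the CA from the roots protects everyone else, which is why the browser vendors' response mattered more than anything DigiNotar did afterwards.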