GlobalSign Says Website Breach Didn't Affect Its CA Infrastructure

Certificate Authority (CA) GlobalSign concluded that a security breach that affected its website earlier this year did not result in rogue digital certificates being issued or customer data being exposed.

The company launched an internal investigation back in September after the hacker responsible for breaking into Certificate Authorities Comodo and DigiNotar, claimed to have compromised a GlobalSign server.

"I have access to their entire server, got DB backups, their linux / tar gzipped and downloaded, I even have private key of their OWN globalsign.com domain," the hacker said in an announcement on Pastebin at the time.

GlobalSign temporarily suspended the issuing of new digital certificates as a precaution and contracted Dutch security firm Fox-IT to perform a security audit of its network.

The investigation revealed that the compromise was limited to a peripheral Web server hosting the CA's website and did not affect the part of its network that deals with digital certificates.

The hacker only obtained access to publicly available HTML pages, PDF files and the key used to issue SSL certificates for the www.globalsign.com domain, which was subsequently revoked.

"The www.globalsign.com domain is used only for the externally facing North American web sites and runs no web applications capable of requesting or issuing Certificates nor does it hold any customer data," GlobalSign said in a new security incident report published on its website.

Even though its Certificate Authority infrastructure was not affected by this breach, the company made significant changes in order to ensure that future attacks won't have more serious consequences.

These involved rebuilding its secure network with new hardware and better internal access controls, installing additional intrusion detection systems and hardening the Internet-facing systems.

Some security experts commended the company for how it handled the security breach. "Not only is the report thorough and convincing, but it appears that GlobalSign took every action, exactly as they should have, both during and after the incident," said Chester Wisniewski, a senior security advisor at Sophos, in a blog post.

"If all certificate authorities cared about the integrity of the system the way GlobalSign has, we would have a lot less to worry about when using SSL/TLS," he added.

Unfortunately that's not the case and compromises like those on Comodo and DigiNotar, which had serious consequences for the security of the Internet Public Key Infrastructure (PKI), made a lot of people skeptical about the reliability of the CA system.

Browser vendors, independent researchers and non-profit organizations have advanced various ideas to strengthen or completely change the way in which digital certificates are issued and validated today.

To comment on this article and other PCWorld content, visit our Facebook page or our Twitter feed.
Related:
Shop Tech Products at Amazon