Slashdot Mirror


GlobalSign Suspends Issuance of SSL Certificates

Joining the ranks of accepted submitters, realxmp writes "The BBC is reporting that GlobalSign has stopped issuing certificates because of yet another suspected CA security breach. This was in response to a post on the ComodoHacker paste bin, claiming that this and several other CAs have also been compromised." No word yet on whether they were actually compromised.

3 of 111 comments

  1. Self Signed Certificates by roman_mir · Score: 4, Interesting

    Self Signed Certificates.

    This is what I have been talking about for years and years now. Years and years, and I am on the topic of browsers treating self signed certificates worse than viruses and there are still people disagreeing.

    Come on, browsers need to start treating self signed certificates like they are plain old HTTP, with an icon that can be used to view the fingerprint.

    That would be a GOOD START. Then start distributing lists of sites to fingerprints, maybe even public certificates, have time stamps and have the site operators cross check the fingerprints in those lists. Have an architecture to verify one list against another dynamically. Have verified lists that are hash signed, have hash keys for lists being distributed. I don't know, there could be all sorts of things done, but instead we are still relying on the centralized signing authority that didn't actually earn any trust. I don't trust any CA, why does anybody trust any CA?

  2. Re:At some point by HermMunster · Score: 3, Interesting

    The Comodo and DigiNotar break-ins and theft were traced to Iran. To me, when I read the pastebin post, I felt it was a cover-up bit meant to mislead the general public. Any additional hack thereafter, such as GlobalSign, would simply be to cover up their actions.

    I'm not talking about hiding the activity, but about making it seem like Iran wasn't a participant. And they were. The purpose of those thefts is to act as a man-in-the-middle to fool the Iranian citizens into thinking that they were speaking with these social and search sites as if they were the original. SSL is the foundation of secure communication over the internet. Browsers use those to verify a site is the actual site. Acting as a man-in-the-middle with a seemingly valid certificate can fool your population into believing you are Google, and hence they can read your mail, watch your searches, check out what you say, and even find out where you are. Iran could easily put up a fake Firefox/Google/Microsoft site and then substitute their own browser that still accepts the certificates.

    If GlobalSign is ceasing certificate issuance because of pastebin maybe it is appropriate for now.

    My opinion still stands. That pastebin reference was either some fool confessing to every murder and crime on the planet, or it was Iran spoofing the general world public trying to build doubt, thus making it less likely that there'll be major backlash by the governments of the world.

    Certificate forgery (by stealing them from legit sources) is really bad for the internet. Seriously bad.

    --
    You can lead a man with reason but you can't make him think.

  3. Re:Chain effect by vlm · Score: 2, Interesting
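    As an added illustration of the fingerprint-list idea in comment 1 (distributed, time-stamped, signed lists of site fingerprints that a client cross-checks before trusting a certificate) and of the forged-but-CA-valid certificate scenario in comment 2, here is example code that is not part of the original thread. It assumes an HMAC tag as a stand-in for the list's signature (a real deployment would use a public-key signature so clients need no secret), constructed byte strings in place of real DER certificates, and a hypothetical list format; the host names and key are invented.

```python
import hashlib
import hmac
import json

# Constructed stand-ins for DER-encoded certificates (not real certificates).
GOOD_DER = b"constructed-der-for-mail.example-v1"
FORGED_DER = b"constructed-der-for-mail.example-from-compromised-ca"

# Hypothetical list-signing key. Using a shared secret here keeps the example
# self-contained; a published list would carry a public-key signature instead.
LIST_KEY = b"constructed-list-signing-key"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, the value a browser would display."""
    return "sha256:" + hashlib.sha256(der).hexdigest()


def sign_pin_list(entries: list, key: bytes, issued_at: int) -> str:
    """Build a signed, time-stamped pin list: canonical JSON body plus a tag over it."""
    body = json.dumps({"issued_at": issued_at, "entries": entries},
                      sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "tag": tag})


def verify_pin_list(signed: str, key: bytes, max_age: int, now: int):
    """Return the entries if the tag verifies and the list is fresh, else None.

    A stale list is rejected so that an attacker cannot keep serving an old
    list that still pins a certificate which has since been revoked.
    """
    outer = json.loads(signed)
    body = outer["body"]
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, outer["tag"]):
        return None
    inner = json.loads(body)
    if now - inner["issued_at"] > max_age:
        return None
    return inner["entries"]


def check_pin(host: str, der: bytes, entries: list) -> str:
    """Classify a presented certificate against the verified pin list.

    'match'     - fingerprint is one the list expects for this host
    'MISMATCH'  - host is pinned but this certificate is not on the list; this is
                  exactly what a CA-issued forgery for a pinned site looks like
    'unpinned'  - no entry for this host, so fall back to ordinary validation
    """
    fp = fingerprint(der)
    for entry in entries:
        if entry["host"] == host:
            return "match" if fp in entry["fingerprints"] else "MISMATCH"
    return "unpinned"


def demo() -> dict:
    """Run the full flow on the constructed data and return each outcome."""
    now = 1_700_000_000  # constructed clock value
    entries = [{"host": "mail.example", "fingerprints": [fingerprint(GOOD_DER)]}]
    signed = sign_pin_list(entries, LIST_KEY, issued_at=now - 3600)

    # Tampered copy: flip the host name inside the body without re-signing.
    tampered_outer = json.loads(signed)
    tampered_outer["body"] = tampered_outer["body"].replace("mail.example", "evil.example")
    tampered = json.dumps(tampered_outer)

    verified = verify_pin_list(signed, LIST_KEY, max_age=86400, now=now)
    return {
        "list_ok": verified == entries,
        "wrong_key_rejected": verify_pin_list(signed, b"other-key", 86400, now) is None,
        "stale_rejected": verify_pin_list(signed, LIST_KEY, max_age=60, now=now) is None,
        "tampered_rejected": verify_pin_list(tampered, LIST_KEY, 86400, now) is None,
        "good_cert": check_pin("mail.example", GOOD_DER, verified),
        "forged_cert": check_pin("mail.example", FORGED_DER, verified),
        "unknown_host": check_pin("other.example", GOOD_DER, verified),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

    The point of the three outcomes in check_pin is the one the comments circle around: a forged certificate that chains to a trusted CA passes ordinary validation, but it cannot pass a fingerprint check against a list the site operator published, so the client can flag it rather than silently accept it.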

    3. Watch as they scramble in panic

    I think this is not just casual LOL type watching, but scientifically carefully studying the reaction to a semi-credible threat, to figure out how to work around their reaction in a future (real?) event.

    How has the collapse of diginotaurus or whatever affected other CAs response?

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger