Slashdot Mirror


GlobalSign Suspends Issuance of SSL Certificates

Joining the ranks of accepted submitters, realxmp writes "The BBC is reporting that GlobalSign has stopped issuing certificates because of yet another suspected CA security breach. This was in response to a post on the ComodoHacker pastebin, claiming that this and several other CAs have also been compromised." No word yet on whether they were actually compromised.

15 of 111 comments

  1. At some point by SlippyToad · Score: 3, Insightful

    You have to wonder if these people are serious about their craft, or just phoning it in. If they are in the security business, you expect they'd at least make a half-assed attempt at securing THEIR OWN BUSINESS.

    --
    One day I feel I'm ahead of the wheel / the next it's rolling over me / I can get back on / I can get back on
    1. Re:At some point by andymadigan · Score: 2

      Selling security is completely different from providing security. Look at TSA for instance, no security provided, but plenty 'sold'. Same with the CAs, their product is a signed certificate which is recognized by browsers, their product is not the security of their own organization. Sure, if they're hacked they'll lose everything, but MBAs think the chance of that happening is so low that it isn't worth it to implement security.

      We've also seen what the MBAs will do when a hack does occur - try to keep it a secret for as long as possible. Again, the security of the organization is not the product, just the certificate and some security theater.

      --
      The right to protest the State is more sacred than the State.
    2. Re:At some point by h4rr4r · Score: 2

      But until yesterday you would not have.
      So they will fold this company and do it all over again. That is much cheaper than ever bothering with security.

    3. Re:At some point by HermMunster · Score: 3, Interesting

      The Comodo and Diginotar break-ins and theft were traced to Iran. To me, when I read the pastebin post, I felt it was a cover-up bit meant to mislead the general public. Any additional hack thereafter, such as GlobalSign, would simply be to cover up their actions.

      I'm not talking about hiding the activity, but to make it seem like Iran wasn't a participant. And, they were. The purpose of those thefts is to act as a man-in-the-middle to fool the Iranian citizens into thinking that they were speaking with these social and search sites as if they were the original. SSL is the foundation of secure communication over the internet. Browsers use those to verify a site is the actual site. Acting as a man in the middle with a seemingly valid certificate can fool your population into believing you are Google, and hence they can read your mail, watch your searches, check out what you say, and even find out where you are. Iran could easily put up a fake Firefox/Google/Microsoft site and then substitute their own browser that still accepts the certificates.

      If GlobalSign is ceasing certificate issuance because of pastebin maybe it is appropriate for now.

      My opinion still stands. That pastebin reference was either some fool confessing to every murder and crime on the planet, or it was Iran spoofing the general world public trying to build doubt, thus making it less likely that there'll be major backlash by the governments of the world.

      Certificate forgery (by stealing them from legit sources) is really bad for the internet. Seriously bad.

      --
      You can lead a man with reason but you can't make him think.
    4. Re:At some point by ObsessiveMathsFreak · Score: 2

      These people are not in the security business; they are in the confidence business.

      Like Calvin Klein, and psychic hot-lines, the CAs are not selling a product so much as they are selling "peace of mind". They sell a special pen which companies use to fill in that special website check-box next to the word "Secure connections". That's it.

      There is nothing magical about a CA issued cert. The Certification Authorities neither certify connections, nor have the authority to do so. They host public numbers on their servers and end users must rely solely on the CAs' unearned reputation that the connection is in fact a) secure and b) to the right party. There is no guarantee that the connection is actually either and the CAs cannot issue such guarantees or even verify the situation before or after the fact. Not that they would bother to either.

      The CAs' certs are best compared to the sale of church indulgences. You pay money, and your encryption sins are forgiven. What sins are those? Well, according to RSA: Chapter 2, verse 7; a self signed cert (while perfectly functional) is a blasphemy against the holy powers and will be punished with eternal damnation unless you repent and fork over a wad of cash to your nearest CA immediately. By the way, bad things can still happen to you because Security works in mysterious ways, but as long as you gave the CAs money, your soul/ass is covered.

      I hope someone at Mozilla is reading this, because the next time I have to click through that irritating little yellow jerk four times just to stop people sniffing my web traffic, I'm switching to Chrome. Hope that doesn't make you spill coffee out of your complimentary Verisign mugs fellas.

      --
      May the Maths Be with you!
    5. Re:At some point by shutdown -p now · Score: 2

      The Comodo and Diginotar break-ins and theft were traced to Iran. To me, when I read the pastebin post, I felt it was a cover up bit meant to mislead the general public. Any additional hack thereafter, such as GlobalSign, would simply be to cover up their actions.

      I'm not talking about hiding the activity, but to make it seem like Iran wasn't a participant.

      What in the posted PasteBin messages made you think that it's trying to deflect attention from Iran? It seems like the exact opposite to me, if anything. I mean, the very first message from the "ComodoHacker" guy says:

      "Rule#3: Anyone inside Iran with problems, from fake green movement to all MKO members and two faced terrorist, should afraid of me personally. I won't let anyone inside Iran, harm people of Iran, harm my country's Nuclear Scientists, harm my Leader (which nobody can), harm my President, as I live, you won't be able to do so. as I live, you don't have privacy in internet, you don't have security in digital world, just wait and see..."

  2. Chain effect by Baloroth · Score: 2

    1. Hack one CA
    2. Post on pastebin claiming to have hacked more
    3. Watch as they scramble in panic
    4. ??????
    5. Profit?

    It seems quite possible that the hacker is just being a total jerk, if they wanted to actually use certs from a company (like they did Diginotar) they wouldn't announce the hack until it was discovered. So most likely they didn't actually pull off the hack.

    Unless 4 is "be a rival CA", in which case you do profit. Or if you hacked a different CA and want people to use that company. Which adds a whole layer of conspiracy possibilities on an already conspiracy-laden hack.

    --
    "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    1. Re:Chain effect by vlm · Score: 2, Interesting

      3. Watch as they scramble in panic

      I think this is not just casual LOL type watching, but scientifically carefully studying the reaction to a semi-credible threat, to figure out how to work around their reaction in a future (real?) event.

      How has the collapse of diginotaurus or whatever affected other CAs response?

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  3. Personal-interest notes by dcollins · Score: 3, Insightful

    First time accepted submitter (and Slashdot coder) cogent writes...
    With his first accepted submission, quantr tips news...
    Hitting the mainpage for the first time, Black Sabbath writes...
    Debuting on Slashdot, seezer writes with a piece...
    Joining the ranks of accepted submitters, realxmp writes...

    For god's sake, stop! We care about the news, not the personalities of the posters!

    --
    We know where leadership by an anti-intellectual "strongman" who scapegoats minorities and likes boisterous rallies goes
    1. Re:Personal-interest notes by tepples · Score: 3, Insightful

      I guess publicly recognizing that a submitter has for the first time written a submission that meets Slashdot's criteria is a way to increase the likelihood that the submitter will submit news of similar quality in the future.

  4. Self Signed Certificates by roman_mir · Score: 4, Interesting

    Self Signed Certificates.

    This is what I have been talking about for years and years now. Years and years, and I am on the topic of browsers treating self signed certificates worse than viruses and there are still people disagreeing.

    Come on, browsers need to start treating self signed certificates like they are plain old HTTP, with an icon that can be used to view the fingerprint.

    That would be a GOOD START. Then start distributing lists of sites to fingerprints, maybe even public certificates, have time stamps and have the site operators cross check the fingerprints in those lists. Have an architecture to verify one list against another dynamically. Have verified lists that are hash signed, have hash keys for lists being distributed. I don't know, there could be all sorts of things done, but instead we are still relying on the centralized signing authority that didn't actually earn any trust. I don't trust any CA, why does anybody trust any CA?

    1. Re:Self Signed Certificates by DarkOx · Score: 2

      So you want to replace the cryptographically secure method of certificate validation and revocation with your own method where anyone can essentially poison the list of thumbprints.

      I agree that self signed certs should be treated like clear text from a security perspective rather than setting off alarm bells, but we still need secure third party identity validation.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    2. Re:Self Signed Certificates by dgatwood · Score: 2

      There's a third choice: display a warning the first time, then permanently accept that cert for that site like ssh does. Then, allow one cert to sign its successor for a couple of years after the cert's expiration (or drop expiration dates entirely, as they don't seem to do much good other than making CAs more profitable) and make the new cert inherit the "always trust for this site" policy from its predecessor.

      With that one change, a self-signed cert would provide nearly the same benefit as a real cert, minus the initial trust on first connection. And even that trust is minimal, given that taking over a domain's admin email accounts (even temporarily) or compromising a CA is enough to get certs. And even in the best case, you're basically going on word-of-mouth trust as to whether you trust the actual owners of the site to be a legitimate business.

      In some ways, the ssh style actually provides more security than the current trust model because an attacker can't get a new key from an arbitrary (compromised or crooked) CA.

      Safari already provides some of this if you know to check the checkbox ("always trust this cert for this site", emphasis mine). Other browsers may do this as well; I haven't tried it. However, to my knowledge, nobody provides trust chaining with expired self-signed certs, nor automatic inheritance of the "always trust for this site" policy, which turns out to be a critical part of the story after the first cert expires.

      --
      Check out my sci-fi/humor trilogy at PatriotsBooks.
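The SSH-style "pin on first sight, let the old key endorse its successor" rule that dgatwood describes above, as an added example that is not part of the original thread and not any browser's code. It is a Go sketch of the trust store only: the Cert and Store types, the Check rule, the two-year GracePeriod, the host name, and all keys and dates are assumptions for illustration, and the "certificate" is a bare Ed25519 key plus an expiry rather than X.509. The scenario shows the four cases the comment cares about: first use, an attacker presenting a different key for the same name (a cert from a compromised CA looks like this), a legitimate rotation endorsed by the pinned key after it expired, and a rollback to the old key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"time"
)

// Cert is a hypothetical stand-in for a self-signed site certificate: the
// site's public key, its expiry, and, for a rotated key, a signature over the
// new key made by the previous key. It is not a real X.509 certificate.
type Cert struct {
	Host     string
	PubKey   ed25519.PublicKey
	NotAfter time.Time
	PrevSig  []byte // predecessor's signature over Host||PubKey; nil for a site's first cert
}

// Verdict is what the browser UI would act on.
type Verdict string

const (
	FirstUse Verdict = "first use: show the fingerprint once, then pin"
	Pinned   Verdict = "matches the pinned key"
	Rotated  Verdict = "successor endorsed by the pinned key: pin inherited"
	Rejected Verdict = "key changed without a valid successor signature: refuse"
)

// GracePeriod is how long after its own expiry a pinned key may still endorse
// a successor (the "couple of years" in the comment above; an assumption).
const GracePeriod = 2 * 365 * 24 * time.Hour

// Store is an in-memory analogue of ~/.ssh/known_hosts: one pinned cert per host.
type Store struct {
	pins map[string]Cert
}

// successorMessage is what a predecessor key signs to endorse a new cert.
func successorMessage(c Cert) []byte {
	return append([]byte(c.Host+"\x00"), c.PubKey...)
}

// Check applies the TOFU rule: pin on first sight, accept the pinned key,
// accept a key change only if the pinned key endorsed it within the grace
// period, and refuse anything else, whoever issued it.
func (s *Store) Check(c Cert, now time.Time) Verdict {
	if s.pins == nil {
		s.pins = map[string]Cert{}
	}
	pinned, ok := s.pins[c.Host]
	if !ok {
		s.pins[c.Host] = c
		return FirstUse
	}
	if pinned.PubKey.Equal(c.PubKey) {
		return Pinned
	}
	if c.PrevSig != nil &&
		now.Before(pinned.NotAfter.Add(GracePeriod)) &&
		ed25519.Verify(pinned.PubKey, successorMessage(c), c.PrevSig) {
		s.pins[c.Host] = c // the new key inherits the "always trust for this site" policy
		return Rotated
	}
	return Rejected
}

// Scenario walks one host through first use, an attacker's key, a legitimate
// rotation after expiry, and a rollback. Keys and dates are constructed here.
func Scenario() []Verdict {
	keygen := func() (ed25519.PublicKey, ed25519.PrivateKey) {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err) // no usable randomness: nothing sensible to do
		}
		return pub, priv
	}
	pub1, priv1 := keygen()
	pub2, _ := keygen()
	pub3, priv3 := keygen()
	start := time.Date(2011, 9, 7, 0, 0, 0, 0, time.UTC)
	first := Cert{Host: "example.com", PubKey: pub1, NotAfter: start.AddDate(1, 0, 0)}
	// The legitimate successor, endorsed by the key the browser has pinned.
	next := Cert{Host: "example.com", PubKey: pub2, NotAfter: start.AddDate(3, 0, 0)}
	next.PrevSig = ed25519.Sign(priv1, successorMessage(next))
	// An attacker's cert for the same name (CA-issued or not), endorsed only by itself.
	evil := Cert{Host: "example.com", PubKey: pub3, NotAfter: start.AddDate(1, 0, 0)}
	evil.PrevSig = ed25519.Sign(priv3, successorMessage(evil))

	var s Store
	later := start.AddDate(1, 6, 0) // six months after the first cert expired
	return []Verdict{
		s.Check(first, start),
		s.Check(first, start),
		s.Check(evil, start),
		s.Check(next, later),
		s.Check(next, later),
		s.Check(first, later), // rolling back to the old key is a key change too
	}
}

func main() {
	for i, v := range Scenario() {
		fmt.Printf("%d: %s\n", i+1, v)
	}
}
```

The point the comment makes is visible in the third verdict: the attacker's key is refused even though nothing about it is malformed, because only the key already pinned for that host can vouch for a replacement. What this sketch does not solve is the first connection, which is exactly the gap the comment concedes.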

    3. Re:Self Signed Certificates by vlm · Score: 2

      Untrusted CAs aren't included in the web browser

      Insert simpsons voice "ha ha". The whole point is that is just not so.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    4. Re:Self Signed Certificates by roman_mir · Score: 2

      It's all about the UI - will you notice anything if the UI does not tell you?

      What if the UI didn't tell you that the site is changing from HTTP to HTTPS, would you notice it? What if the browser decided not to show you the address bar at all? Do you know that they are playing with that genius idea? They are really thinking about it!

      Now, what is needed is a good way to show whether the site is HTTP, HTTPS with a self signed certificate (with an easy way to see the fingerprint), or HTTPS with a CA (still show the fingerprint, why not?)

      However I would like it to go further and I would like to see browsers using distributed lists of fingerprints/public certificates/hash keys for the lists, all of this done in a way that allows the browser to load multiple lists from different unrelated sources, maybe even some form of 'torrent' for the fingerprint lists. Also maybe a standard to check for fingerprint for a site from the site as well.

      Obviously the site operators have to manage their security actively, which includes actively checking the lists that are all over the web to make sure nobody is poisoning them (and this is what signature hash keys for lists are for, with time stamps and possibly with expiration dates).

      How about expiration dates on fingerprint lists?

      Any new ideas, as long as it's not relying on centralized signing authority.
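The signed, time-stamped, expiring fingerprint lists that roman_mir sketches in both comments above (lists from several unrelated sources, signature keys for the lists, expiration dates, and operators checking for poisoning), as an added example that is not part of the original thread and not anyone's deployed design. It is a Go sketch in which the list format, the Ed25519 list signatures, the publisher names, the quorum rule, the two fingerprints and every date are assumptions for illustration. It shows what a browser-side check would reject: a list whose entry was rewritten in transit, an old genuine list replayed after it expired, and a list from a publisher whose key the browser never learned, with the fingerprint accepted only when enough independent publishers agree.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// Constructed fingerprints for the example, not hashes of real certificates.
const (
	GoodFP = "sha256:1111111111111111111111111111111111111111111111111111111111111111"
	EvilFP = "sha256:2222222222222222222222222222222222222222222222222222222222222222"
)

// FingerprintList is one publisher's mapping of host to certificate
// fingerprint, with the timestamp and expiration the comments ask for.
// The format is hypothetical.
type FingerprintList struct {
	Publisher string            `json:"publisher"`
	IssuedAt  time.Time         `json:"issued_at"`
	ExpiresAt time.Time         `json:"expires_at"`
	Entries   map[string]string `json:"entries"`
}

// SignedList is the serialized list plus the publisher's Ed25519 signature over it.
type SignedList struct {
	Body []byte
	Sig  []byte
}

func SignList(l FingerprintList, priv ed25519.PrivateKey) (SignedList, error) {
	body, err := json.Marshal(l)
	if err != nil {
		return SignedList{}, err
	}
	return SignedList{Body: body, Sig: ed25519.Sign(priv, body)}, nil
}

// Lookup checks every list against the publisher key the browser already
// holds, drops tampered, stale, unknown-publisher and duplicate lists, and
// returns the fingerprint only if at least quorum distinct publishers agree.
func Lookup(host string, lists []SignedList, pubkeys map[string]ed25519.PublicKey, now time.Time, quorum int) (string, error) {
	votes := map[string]int{} // fingerprint -> number of distinct publishers vouching for it
	voted := map[string]bool{}
	for _, sl := range lists {
		var l FingerprintList
		if err := json.Unmarshal(sl.Body, &l); err != nil {
			continue
		}
		pub, known := pubkeys[l.Publisher]
		if !known || voted[l.Publisher] {
			continue // unknown publisher, or one publisher trying to vote twice
		}
		if !ed25519.Verify(pub, sl.Body, sl.Sig) {
			continue // poisoned in transit or forged outright
		}
		if now.Before(l.IssuedAt) || !now.Before(l.ExpiresAt) {
			continue // future-dated or expired: a replayed old list lands here
		}
		if fp, ok := l.Entries[host]; ok {
			voted[l.Publisher] = true
			votes[fp]++
		}
	}
	winner := ""
	for fp, n := range votes {
		if n >= quorum {
			if winner != "" {
				return "", fmt.Errorf("conflicting fingerprints for %s both reached quorum", host)
			}
			winner = fp
		}
	}
	if winner == "" {
		return "", fmt.Errorf("fewer than %d trusted lists agree on %s", quorum, host)
	}
	return winner, nil
}

// BuildLists constructs the sample: two honest lists, one poisoned in transit,
// one genuine but expired, and one from a publisher the browser does not know.
func BuildLists() ([]SignedList, map[string]ed25519.PublicKey, time.Time) {
	now := time.Date(2011, 9, 7, 12, 0, 0, 0, time.UTC)
	pubs := map[string]ed25519.PublicKey{}
	privs := map[string]ed25519.PrivateKey{}
	for _, name := range []string{"listA", "listB", "listC", "mallory"} {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err) // no usable randomness: nothing sensible to do
		}
		pubs[name], privs[name] = pub, priv
	}
	delete(pubs, "mallory") // the browser never learned mallory's key
	mk := func(who string, issued, expires time.Time, fp string) SignedList {
		sl, err := SignList(FingerprintList{Publisher: who, IssuedAt: issued, ExpiresAt: expires,
			Entries: map[string]string{"example.com": fp}}, privs[who])
		if err != nil {
			panic(err) // cannot happen for this fixed struct
		}
		return sl
	}
	day := 24 * time.Hour
	honestA := mk("listA", now.Add(-day), now.Add(day), GoodFP)
	honestB := mk("listB", now.Add(-day), now.Add(day), GoodFP)
	poisoned := mk("listC", now.Add(-day), now.Add(day), GoodFP)
	poisoned.Body = bytes.Replace(poisoned.Body, []byte(GoodFP), []byte(EvilFP), 1)
	stale := mk("listA", now.Add(-3*day), now.Add(-day), EvilFP)
	forged := mk("mallory", now.Add(-day), now.Add(day), EvilFP)
	return []SignedList{poisoned, stale, forged, honestA, honestB}, pubs, now
}

func main() {
	lists, pubs, now := BuildLists()
	fmt.Println(Lookup("example.com", lists, pubs, now, 2))
}
```

Two things the sketch makes concrete that the prose leaves open. The browser still has to obtain each publisher's signing key somehow, so a key for the lists is a root of trust just as a CA key is, only with several independent ones and a quorum instead of one; and the expiration on a list is what stops an attacker from replaying a genuine but superseded list, which is why a short validity window matters more here than it does for a certificate.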