Slashdot Mirror

← Back to Stories (view on slashdot.org)

GlobalSign Web Server Hacked, But Not CA

Posted by timothy on from the goes-the-story-thus-far dept.

Trailrunner7 writes "GlobalSign has found evidence that its main Web server was compromised recently, but has not discovered any indications that its certificate authority infrastructure was hacked, contrary to claims by the attacker responsible for the DigiNotar CA hack."

24 of 35 comments (clear)

  1. Correction: by Anonymous Coward · · Score: 1

    by the _self claimed_ attacker _supposedly_ responsible for the DigiNotar CA hack**

  2. Hint: Not GlobalSign by sudonim2 · · Score: 2

    Guess who I'm more inclined to believe: an anonymous supossed hacker or a certificate CA?

    1. Re:Hint: Not GlobalSign by Baloroth · · Score: 1

      Well, since the hacker only seems to have claimed (according to TFA) that he got access to their webserver, how about both?

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    2. Re:Hint: Not GlobalSign by shutdown+-p+now · · Score: 1

      If his intent is to cause damage by spreading panic, then it's quite reasonable for him to wait for some time - let folk scramble to fix the problem with DigiNotar first, then he can drop the next bomb on them.

  3. Both have good reasons to lie by nzac · · Score: 3, Interesting

    The hacker who wants some credibility.

    The company who might get their certificates revoked.
    Seriously how hard would you look for the security breach that would destroy the entire company (it appears to be their only product). You can go back later and say you found the breach.

    There is far too much money at stake to trust the company.

  4. They found a compromise... by mysidia · · Score: 3, Informative

    The CA/PKI might not have been invaded yet A compromise of a website can lead to an intruder gaining further access, however.

    Suffice to say... access to a webserver is a foothold that an intruder can attempt to leverage to gain further access. Depending on how robust the further lines of defenses are, and if any security mistakes were made (such as webservers allowed through firewalls to some internal hosts or credentials the intruder can capture that can lead to access to systems closer to back office or CA functions).

    Even a compromise that doesn't result in immediate PKI access may lead to that, through additional successive breaches, and successive social engineering... also known as "Advanced Persistent Threat" (to use the latest lingo for referring to the situation)

    1. Re:They found a compromise... by Anonymous Coward · · Score: 1

      Ummm... Your assuming the website is connected, logically or physically, to their CA infrastructure. Fundamentally what you're saying is true, but so is "someone broke a car in their parking lot so they may be able to issue their own certs." You're making assumptions about their web infrastructure, what was broken into, and what "break into" means.

    2. Re:They found a compromise... by Lennie · · Score: 1

      Just an example, it can be used to get the cookies/login-information from all the customers.

      --
      New things are always on the horizon
    3. Re:They found a compromise... by devincook · · Score: 1

      Well, another thing they could potentially do is replace the public root certs hosted on the web site with their own... Then anyone who goes looking for that CA's root cert on the site will get the malicious one, opening them up to MITM attacks. Secure key distribution can be difficult.

    4. Re:They found a compromise... by mysidia · · Score: 1

      It's reasonable to assume the website is logically connected. CAs generally execute their transactions through the website. Especially for domain validated certs, usually the process of issuing a certificate is entirely automatic -- the customer logs in through the website, requests a certificate either by filling out a form or sending in a CSR. If they fill in a form and the CA generates their private key, the person who compromised the website might be able to steal the customer's private key, when the customer downloads it using the website.

      Anyways, some kind of validation e-mail goes out to the domain's administrative contacts for a domain-validated cert. The last step is the customer clicks on a link in the e-mail, which contains a link to guess what? A page on the CA's website.

      So someone who gained illicit access to the website is potentially in a position to snoop on all that traffic, and possibly generate 'false' traffic of that nature some time in the future. Web designers who do some scripting often aren't well versed in software security design -- there's a good chance that scripts on the website have access to backend databases -- possibly sufficient access to create a false customer record or falsify a "domain verification".

      Ummm... Your assuming the website is connected, logically or physically, to their CA infrastructure. Fundamentally what you're saying is true, but so is "someone broke a car in their parking lot so they may be able to issue their own certs."

      If someone broke into a car in the parking lot, there might be a chance they could lie in wait for the PKI admin who owns the car to get in, so they can put a gun to their head, and force them to login using the perp's Wifi-enabled laptop, grab the private keys and divulge the passphrase to unlock them.

    5. Re:They found a compromise... by Dewin · · Score: 2

      It's reasonable to assume the website is logically connected. CAs generally execute their transactions through the website. Especially for domain validated certs, usually the process of issuing a certificate is entirely automatic -- the customer logs in through the website, requests a certificate either by filling out a form or sending in a CSR. If they fill in a form and the CA generates their private key, the person who compromised the website might be able to steal the customer's private key, when the customer downloads it using the website.

      It's been awhile, but I do not believe there is any point in the CSR process where the CA ever gets a copy of your private key.

      --
      Of course nobody reads the FAQ! If people read the FAQ, the Questions wouldn't be so Frequently Asked.
    6. Re:They found a compromise... by _Shad0w_ · · Score: 1

      If I had to guess I'd say the front end probably places the incoming CSRs somewhere the actual CA infrastructure can get them - possibly a common database in a DMZ - but there'd never any direct communication between the two, they always go via the passive intermediary.

      --

      Yeah, I had a sig once; I got bored of it.

  5. Realistically by Pop69 · · Score: 2

    They should be assuming their CA is compromised and acting accordingly.

    Any other way of looking at it is stupidity of the highest order

  6. Not CA by andresambrois · · Score: 2

    ..., But Not CA

    For some reason my mind actually read that as "..., But No Cigar". Good Job.

    1. Re:Not CA by Taty'sEyes · · Score: 1

      ..., But Not CA

      For some reason my mind actually read that as "..., But No Cigar". Good Job.

      I read it as, "..., but not California". SMILE

      --
      We show geeks how to get their dream girl at EyesOfOdessa.com
  7. What Style! What Panache! by Anonymous Coward · · Score: 1

    Well then. He certainly sounds like an arrogant prick.

  8. Re:Or simple copy all newly issued certificates? by tepples · · Score: 1

    You can get a copy of the server's public key and the certificates that verify it by just connecting to the server's public IP address on port 443.

  9. Re:Or simple copy all newly issued certificates? by blowdart · · Score: 1

    And that's meaningless. When you submit a certificate signing request to a CA you are sending the public key of the certificate you want validated. The CA performs their checks, then signs that public key and sends it back to you, where you pair it with your private key that has never left your possession and you have a full certificate.

    So copying the certificates wouldn't be a problem, heck that part of the certificate is viewable to any browser.

  10. [citation needed] Re:They found a compromise... by rtfa-troll · · Score: 1

    Some CAs will offer to generate a key pair for you, so you don't have to create a CSR - they send you a private key and a certificate. It is not how x509 is supposed to work, but....

    Interesting; but without a specific list of what you mean by "some CAs" not very useful. Does anyone have a list?

    --
    =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    1. Re:[citation needed] Re:They found a compromise... by raynet · · Score: 1

      Startssl does this and I recall seeing that feature on couple other CAs too, makes things easier for the random customer as they can just purchase the certificate without hassle with their own IT department. Not that good idea for security though.

      --
      - Raynet --> .
  11. Re:Or simple copy all newly issued certificates? by TheRaven64 · · Score: 1

    Or you could just go to the web sites in question and they will just give you the public keys without needing any hacking!

    More importantly, if you have compromised the web server, then you can upload your own CSR for any of their customers' domains and get a signed certificate back...

    --
    I am TheRaven on Soylent News
  12. Oh, they did their own audit by Legion303 · · Score: 1

    I mean, it's not like they stand to lose their entire business if they were compromised or anything. I'm sure they can be trusted.

  13. Re:Hoooraaaaay! by cffrost · · Score: 1

    - aaaaah, what are you going to do?

    Burn more karma, apparently.

    --
    Thank you, Edward Snowden.

    "Arguments from authority are worthless." —Carl Sagan
  14. Re:Hoooraaaaay! by roman_mir · · Score: 1

    Well, that's pretty stupid moderation.

    --
    You can't handle the truth.