CA StartSSL Compromised, But Says Certificates Not Affected
A certification authority called StartSSL was recently attacked and compromised, and was forced to suspend the issuance of SSL certificates indefinitely. However, unlike earlier attacks on CAs such as Comodo, the attackers were not able to gain access to the material necessary to issue themselves valid certificates for arbitrary domains.
The attack on StartSSL occurred on June 15, and the company posted a short statement on its site saying that it had suffered a security breach, but stressing that the certificates issued to its existing customers were not compromised and visitors to those sites were not affected. What's not clear is exactly what the attackers were able to access and how that affects the company's ability to issue certificates in the future.
"Due to a security breach that occurred at the 15th of June, issuance of digital certificates and related services has been suspended. Our services will remain offline until further notice," the statement on StartSSL's site reads. "Subscribers and holders of valid certificates are not affected in any form. Visitors to web sites and other parties relying on valid certificates are not affected. We apologize for the temporary inconvenience and thank you for your understanding."
A separate notice on another part of the company's site says that its services would be unavailable until June 20, which was Monday. StartSSL is operated by StartCom Ltd., a company based in Los Angeles.
The attack on StartSSL follows earlier attacks on other CAs this year, most notably Comodo, which was compromised in March by attackers who were able to issue themselves valid certificates for several high-value domains, including Google, Yahoo and Skype. That attack caused a major uproar in the security community about the lack of serious security in the worldwide CA infrastructure.
Certificates issued by StartSSL are trusted by default by the major browsers, including Firefox and Internet Explorer. The company stressed that certificates that are already in use are not affected by the compromise.



