UPDATE: A day after suspending the issuance of SSL certificates while it investigates claims that its certificate authority infrastructure was compromised, GlobalSign said that the investigation is still ongoing but that it planned to begin bringing some of its services back online on Monday.
GlobalSign is one of four CAs that the attacker who compromised DigiNotar says he also has hacked in recent months. It’s the only one he’s identified by name, and GlobalSign officials said earlier this week that they were investigating the claim and quickly decided to stop issuing certificates as a precaution. The company has hired the same Dutch security firm, Fox-IT, that performed the post-attack audit of DigiNotar’s systems. On Thursday, the company updated its statement about the investigation, saying it planned to begin some services again on Monday, but did not reveal much more detail about what’s happening.
“We will start bringing services back online on Monday. We have already stated that we deem this to be an industry wide threat due to the mention of multiple CAs. We are adopting a high threat approach to bringing services back online and we are working with a number of organisations to audit the process of bringing the services back online. We apologise again for the delay.
“We would like to take the opportunity to explain that the GlobalSign CA root was created offline, and always has been offline. Any claim of the Comodohacker to holding a private key does not refer to the GlobalSign offline root CA. The investigation also continues,” GlobalSign said.
The attack on DigiNotar, as bad as it has turned out to be, may end up being just the beginning of a much larger problem if the claims by the attacker, known as Comodohacker, prove to be true. And so far, there’s no reason to doubt anything he’s said, as his claims have proven out regarding both the Comodo attack and the DigiNotar compromise. In a statement on Pastebin posted yesterday, the attacker said that not only had he penetrated GlobalSign’s CA infrastructure, but he also had copies of the company’s database backups and the private key used to sign the certificate for the company’s own domain.
Earlier, he said that in addition to hacking DigiNotar he also had compromised three other CAs, with GlobalSign being the only one that he named. While the other three potential victims remain unidentified, if they are large CAs like GlobalSign, the implications for the industry and the businesses that rely on digital certificates to secure their communications with customers would be ugly.
Microsoft, Google and Mozilla already have had to issue updates that revoked the trust their browsers placed in all of DigiNotar’s root certificates, which effectively renders all of the certificates from those roots invalid for the users of Firefox, Internet Explorer and Chrome. If they end up having to repeat that process with another certificate authority–or two or three–an untold number of sites could be affected. However, it’s less likely that the browser vendors would revoke trust in a major CA such as GlobalSign, given its size and the potential ramifications.
As unusual as the actions by the browser vendors were, the process of revoking trust in DigiNotar’s certificates was handled relatively quickly and smoothly on the user end. It’s somewhat more painful for the sites that need to replace their certificates. But if a CA on the scale of GlobalSign or VeriSign were to face the same sort of compromise that the relatively small DigiNotar has, it would be a much more difficult process.
“Once you’ve issued enough [certificates], the browser vendors won’t pull your CA cert any more because it would affect too many people,” Peter Gutmann, a researcher in computer science at the University of Auckland, told Threatpost contributor Rob Lemos this week. “This is what saved Comodo. In DigiNotar’s case they were small enough that the browser vendors could pull their certs.”