GlobalSign, the certificate authority that the attacker who compromised Comodo and DigitNotar claimed he had infiltrated as well, said it has completed its months-long security review and found no evidence that its CA infrastructure was compromised or that any rogue certificates had been issued. The investigation did confirm that the company’s public Web server had been compromised, and GlobalSign decided to revoke its own SSL certificate and key.
After the attacker who goes by the name of Comodohacker claimed in September that he had compromised GlobalSign, the company began an investigation and temporarily stopped issuing digital certificates. The company restarted its CA operations shortly thereafter, but continued the investigation once it discovered the breach of its Web server.
Here is what the company’s investigation did not find any evidence of:
- Rogue Certificates issued.
- Customer data exposed.
- Compromised GlobalSign Root Certificate keys and associated Hardware Security Modules (HSM).
- Compromised GlobalSign Certificate Authority (CA) infrastructure.
- Compromised GlobalSign Issuing Authorities and associated HSMs.
- Compromised GlobalSign Registration Authority (RA) services.
The GlobalSign incident report says that while the company didn’t find any evidence of an intrusion in its CA infrastructure or certificate-issuance system, it considers the attack to be part of an ongoing series of such attacks on CAs and other critical pieces of the Internet’s infrastructure.
“GlobalSign, with the help of Fox-IT, found no evidence that the GlobalSign Certificate issuance infrastructure was compromised. However, GlobalSign has implemented additional controls around infrastructure, customer data protection and access to all systems. It is our view that this attack is one phase of an advanced persistent threat against all security solution providers. Because the threat landscape has evolved, GlobalSign believes greater controls are necessary across the industry and echoes the calls covered in WebTrust 2.0 and the recent updates to the Mozilla Root CA acceptance program,” the company’s report says.