GlobalSign has found evidence that its main Web server was compromised recently, but has not discovered any indications that its certificate authority infrastructure was hacked, contrary to claims by the attacker responsible for the DigiNotar CA hack.
The company, which is one of the larger CAs in the world, has been investigating claims by the Comodohacker that he has penetrated the GlobalSign CA infrastructure. It has retained Fox-IT, the same company that did the forensics of DigiNotar’s systems in the wake of its attack, and GlobalSign has suspended its issuance of digital certificates until at least Monday while it finishes the investigation.
However, the company said on Friday that it had not found any direct evidence of a breach of its certificate authority systems.
“Today we found evidence of a breach to the web server hosting the www website. The breached web server has always been isolated from all other infrastructure and is used only to serve the www.globalsign.com website. At present there is no further evidence of breach other than the isolated www web server. As an additional precaution, we continue to monitor all activity to all services closely. The investigation and high threat approach to returning services to normal continues,” the GlobalSign statement said.
The attacker who claims to have performed the DigiNotar intrusion has said that he also compromised four other high-profile CAs, naming GlobalSign as one of them. He has not named the other three publicly, but in the aftermath of the attack, Mozilla has asked all of the CAs in the Firefox trusted root program to perform detailed audits of their PKIs, ensure two-factor authentication is in place on systems that issue certificates and take other security precautions.
GlobalSign has said that it plans to bring some of its CA services back online on Monday. The fact that no evidence of a breach has been found so far clearly doesn’t rule out the possibility that the attacker did indeed compromise the GlobalSign CA, but just means that the investigation hasn’t turned up concrete evidence of an intrusion.
In a message posted to his Pastebin page this week, Comodohacker said “GlobalSign (I have access to their entire server, got DB backups, their linux / tar gzipped and downloaded, I even have private key of their OWN globalsign.com domain.”