GlobalSign is still in the process of completing the investigation into whether its certificate authority infrastructure was compromised, but the company on Tuesday was ready to resume some of its operations under “high-threat” conditions.
The company said that it has found evidence that its main Web server was compromised recently, but that there were no indications that its certificate authority systems had been hacked. The hacker who has claimed credit for attacking DigiNotar this summer and Comodo earlier this year has said that he also compromised GlobalSign’s system sometime recently. He said that he has the private key used to sign the GlobalSign domain; however, he has not made any specific claims about being able to issue fraudulent certificates from the company’s CA, as he has for the DigiNotar CA servers and Comodo’s.
The hacker, who goes by the name Comodohacker, said that GlobalSign should check one of its servers in Japan that issues demo certificates. GlobalSign responded to that message on Tuesday, saying that the demo certificates are inherently untrusted by browsers and pose no threat to users.
“We would like to address a specific claim relating to ‘demo’ Certificates being ‘issued freely’. Such ‘demo’ Certificates are UNTRUSTED test Certificates and are not part of the publicly trusted GlobalSign PKI. Test Certificates are already untrusted by browsers, essentially identical to untrusted self signed Certificates. Such untrusted Certificates pose no security threat and can be generated by any webserver software or control panel,” GlobalSign said in a statement.
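The distinction GlobalSign draws above is a path-validation one: a certificate only carries trust if it chains to a root in the client's trust store, so a demo certificate issued by a CA outside that store is no more useful to an attacker than a self-signed one. The following is an added example (not code from GlobalSign or from the article) using Python's `cryptography` library; the "Trusted Root" and "Demo CA" names and the example hostname are constructed for the scenario.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def make_cert(subject, issuer, issuer_key, public_key, is_ca):
    """Issue a minimal X.509 cert; `issuer` is the CN of the signing CA."""
    now = datetime.datetime.now(datetime.timezone.utc)
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder()
            .subject_name(name(subject)).issuer_name(name(issuer))
            .public_key(public_key).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=30))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def chains_to_trusted_root(chain, trust_store):
    """True only if each link is signed by the next and the last link's issuer is
    in trust_store. Checks signatures and the CA bit only (no expiry, hostname or
    revocation checks), which is enough to show why an untrusted root fails."""
    roots = {c.subject.rfc4514_string(): c for c in trust_store}
    for child, parent in zip(chain, chain[1:] + [None]):
        if parent is None:  # end of the presented chain: issuer must be a trusted root
            parent = roots.get(child.issuer.rfc4514_string())
        if (parent is None or child.issuer != parent.subject or
                not parent.extensions.get_extension_for_class(x509.BasicConstraints).value.ca):
            return False
        try:
            parent.public_key().verify(child.signature, child.tbs_certificate_bytes,
                                       ec.ECDSA(child.signature_hash_algorithm))
        except InvalidSignature:
            return False
    return True

def demo():
    """Constructed scenario: one root in the trust store, one 'demo' CA outside it."""
    root_key, demo_key, site_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = make_cert("Trusted Root", "Trusted Root", root_key, root_key.public_key(), True)
    demo_root = make_cert("Demo CA", "Demo CA", demo_key, demo_key.public_key(), True)
    site_pub = site_key.public_key()
    trusted_site = make_cert("www.example.com", "Trusted Root", root_key, site_pub, False)
    demo_site = make_cert("www.example.com", "Demo CA", demo_key, site_pub, False)
    self_signed = make_cert("www.example.com", "www.example.com", site_key, site_pub, False)
    store = [root]  # the browser's trust store contains only the public root
    return (chains_to_trusted_root([trusted_site], store),      # True
            chains_to_trusted_root([demo_site, demo_root], store),  # False
            chains_to_trusted_root([self_signed], store))       # False
```

The demo-CA chain and the self-signed certificate fail for the same reason, an issuer absent from the trust store, which is the equivalence GlobalSign's statement relies on.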
GlobalSign is one of the larger and older CAs in the industry, and the prospect of its CA infrastructure having been compromised was an ominous one. In the wake of the DigiNotar attack, Mozilla, Microsoft and Google all revoked their trust in that company’s root certificates, a rare move that clearly shows the seriousness of the breach. They might have had to repeat that process for GlobalSign, but it now looks as if that won’t be necessary, unless GlobalSign finds evidence of a compromise in its CA system.