Belgium-based SSL certificate provider GlobalSign has temporarily halted the issuance of digital certificates while it conducts an internal audit of its systems.
The certificate authority is trying to
“GlobalSign takes this claim very seriously and is currently investigating,” the company said in a brief announcement on its website. “As a responsible CA, we have decided to temporarily cease issuance of all certificates until the investigation is complete.”
The claims the hacker posted on Pastebin, a software developer website, remain unverified. The hacker also named StartCom Ltd., a free SSL certificate provider.
GlobalSign, which started operations in 1996, was one of the first CAs. The company is currently a subsidiary of GMO Internet Inc.
According to security experts, VeriSign and Comodo are the largest issuers of digital certificates, making up more than half the market. GlobalSign is one of hundreds of other companies, including CyberTrust and RapidSSL, that offer CA services.
Chester Wisniewski, a senior security consultant with Sophos LLC, called GlobalSign’s reaction responsible, and said the decision to halt issuance of new certificates must have been a tough one. Wisniewski said the current digital certificate system is fragile and needs massive changes to ensure its security and integrity.
“We’re so entrenched in this current CA system which is worth hundreds of millions to these providers,” he said. “There needs to be a conversation about alternatives.”
Two alternatives to the current system are being tested and show promise, Wisniewski said. Perspectives Project is a notary system that monitors SSL certificates without relying on certificate authorities. The project currently uses a Mozilla Firefox extension to function in the browser. It is funded by a grant from the National Science Foundation and is managed by Carnegie Mellon University.
Another project, Convergence, is an offshoot of the Perspectives Project. It is being developed by noted security researcher Moxie Marlinspike and aims to replace the CA system with a configurable set of notaries that validate a website by checking its certificate from different network locations.
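The notary check described above, as an added illustration that is not code from the article or from either project: each notary reports the fingerprint of the certificate it sees for a host from its own network vantage point, and the client trusts the certificate it was handed only if enough independent notaries saw the same one. The notary names, the sample certificate bytes and the quorum value are all constructed for the example.

```python
import hashlib
from typing import Dict, Optional


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


# Constructed stand-ins for DER certificate bytes (not real certificates).
GENUINE_CERT = b"-- constructed DER for example.test, issued to the site owner --"
ROGUE_CERT = b"-- constructed DER for example.test, mis-issued by a compromised CA --"

# Constructed notary answers: the fingerprint each vantage point observed
# for the host. None models a notary that could not be reached.
NOTARY_VIEWS: Dict[str, Optional[str]] = {
    "notary-frankfurt": fingerprint(GENUINE_CERT),
    "notary-tokyo": fingerprint(GENUINE_CERT),
    "notary-newyork": fingerprint(GENUINE_CERT),
    "notary-saopaulo": None,
}


def notary_verdict(presented: bytes, views: Dict[str, Optional[str]], quorum: int) -> str:
    """Return 'trusted', 'untrusted' or 'inconclusive'.

    quorum is the minimum number of responding notaries that must agree with
    the fingerprint the client was handed (Convergence lets the user choose
    this threshold; the value used in the tests below is an assumption).
    """
    seen = fingerprint(presented)
    responses = [fp for fp in views.values() if fp is not None]
    if len(responses) < quorum:
        return "inconclusive"  # too few notaries reachable to decide either way
    agree = sum(1 for fp in responses if fp == seen)
    if agree >= quorum:
        return "trusted"
    # The notaries saw a different certificate than the client did: either the
    # site just rotated its key, or the client is being shown a certificate the
    # rest of the network never sees, which is what a mis-issued certificate
    # from a compromised CA looks like from the notaries' side.
    return "untrusted"
```

Unlike a CA-signed chain, this check does not care who signed the certificate; it only asks whether the certificate is the one the site presents everywhere else.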