GlobalSign, a Belgium-based SSL certificate provider that temporarily halted its systems following evidence that an intruder had gained access to them, issued a report this week explaining that an extensive investigation turned up no evidence of a compromise of its digital certificates.
GlobalSign said investigators uncovered a compromised Web server that was not part of its certificate issuance infrastructure. The investigation ruled out any potential of rogue SSL certificates. The certificate authority’s root certificate keys, hardware security modules and customer data remained segmented on its own network, keeping the sensitive data locked down, according to the GlobalSign CA breach incident report, issued Tuesday.
“GlobalSign has implemented additional controls around infrastructure, customer data protection and access to all systems,” the company said. “We appreciate that the threat has evolved, and we are committed to ensuring no such outages occur again from future claims or attacks. In the period since the claims, we have invested significantly in additional security measures and monitoring.”
The certificate authority temporarily shut down its servers Sept. 6 following the high-profile DigiNotar CA breach. In a Web forum, a hacker claimed responsibility for the DigiNotar breach and the Comodo reseller breaches, and said GlobalSign was also successfully penetrated. While investigators analyzed GlobalSign’s systems, the company said it invested in additional security measures, rebuilding a newly hardened certificate issuance infrastructure. The servers were brought back online Sept. 15.
The company said it also added another intrusion detection system to monitor its certificate services and further hardened all Internet-facing systems. Internal controls to certificate issuance systems were also improved, GlobalSign said.
In the GlobalSign report, the company advocates that CAs and security providers self-regulate to improve security around the CA infrastructure. The company called for increased transparency and said all CAs must swiftly take appropriate measures to mitigate the impact of a successful breach. When breach investigations are conducted, CAs should work to ensure that “incident responses are open and transparent, allowing relying parties the visibility into the risks they may be exposed to.”
“Because the threat landscape has evolved, GlobalSign believes greater controls are necessary across the industry and echoes the calls covered in WebTrust 2.0 and the recent updates to the Mozilla Root CA acceptance program,” the company said.
Experts said the certificate authority breaches shined a light on the weaknesses in the digital certificate system. VeriSign and Comodo are the largest issuers of digital certificates. GlobalSign is one of hundreds of others, including CyberTrust and RapidSSL, which offer CA services.
“If all certificate authorities cared about the integrity of the system the way GlobalSign has, we would have a lot less to worry about when using SSL/TLS,” wrote Chester Wisniewski, a senior security advisor at U.K.-based Sophos, in the Sophos Naked Security blog. “The problem isn't with GlobalSign, the problem is that we expect the other 600+ signing authorities to behave in a similar manner.”
A number of alternative certificate authority architectures have been proposed. The Perspectives Project is a notary system that monitors SSL certificates without relying on certificate authorities. Another project, Convergence, is being developed by noted security researcher Moxie Marlinspike.
“If I were a certificate authority facing the angry security mob demanding they be made redundant, I would be getting behind one of these alternative proposals that still sees value in their participation,” Wisniewski wrote.