Breach confirmed in GlobalSign, SSL certificates not compromised
GlobalSign said on Tuesday that the SSL certificate and key for www.globalsign.com may have been exposed after a hack on an external server in September. However, the company said that after investigating the breach it has found no evidence of rogue certificates being issued following the hack.
A hacker known as "Comodohacker" had already compromised other certificate authorities, including Comodo and DigiNotar. "I have access to their entire server, got DB backups, their linux / tar gzipped and downloaded, I even have private key of their OWN globalsign.com domain," the hacker said in a Pastebin post at the time. GlobalSign's investigation revealed that the compromise was limited to a peripheral web server hosting the CA's public website and did not affect the part of its network that issues digital certificates.
Companies use digital certificates as a cryptographic online trust technology. A stolen digital certificate can allow someone, for example, to set up a website posing as an organisation and fool people into interacting with the site, with the aim of gaining sensitive financial information or passwords. The bogus site will appear to be real to search engines.
The certificate authority GlobalSign has a number of large organisations as customers, including the BBC, BT, Fujitsu Siemens, the NHS, Toshiba and Vodafone.
The hacker only obtained access to publicly available HTML pages, PDF files and the key used to issue SSL certificates for the www.globalsign.com domain, which was subsequently revoked. "The www.globalsign.com domain is used only for the externally facing North American web sites and runs no web applications capable of requesting or issuing Certificates nor does it hold any customer data," GlobalSign said in a new security incident report published on its website.
Over 500 certificates were believed to have been stolen, affecting users of Facebook, Twitter and even Microsoft's Windows Update service. State intelligence services, including Israel's Mossad, Britain's MI6 and the United States' CIA, were also left vulnerable by the incident.