Certificate authority GlobalSign finds no evidence of rogue certificates
GlobalSign has confirmed that it has found no evidence of any rogue certificates being issued or any compromise of its CA infrastructure.
In a security incident report, GlobalSign confirmed that it had not found any evidence of rogue certificates being issued or customer data being exposed. It also said that there was no evidence of a compromise of its root certificate keys and associated hardware security modules (HSMs), issuing authorities and associated HSMS or registration authority (RA) services.
As reported by SC Magazine in September, in the wake of the DigiNotar and Comodo hacker saying that he had access to four other CAs, GlobalSign said that it was temporarily ceasing issuance of all certificates until an investigation was complete and that it took "this claim very seriously and is currently investigating".
GlobalSign did confirm that a peripheral web server, which was not part of the certificate issuance infrastructure but was hosting public-facing web property, was breached. It also said that publicly available HTML pages, PDFs, SSL certificates and keys issued to GlobalSign's website could have been exposed.
It also deemed that SSL certificates and key for the GlobalSign website were deemed to have been compromised and were revoked.
This led it to cease issuing new certificates for nine days between 6 and 15 September and, during the outage, GlobalSign contracted Fox-IT to provide third-party analysis of the GlobalSign infrastructure. Fox-IT was also retained by the Dutch government as part of the ongoing Comodo hacker criminal investigation.
GlobalSign also contracted Cyber Security Japan to oversee the rebuild of a newly hardened certificate issuance infrastructure, on the (now disproved) assumption that previous infrastructure had been breached.
To protect against future attacks, GlobalSign has implemented additional controls around infrastructure, customer data protection and access to all systems.
“It is our view that this attack is one phase of an advanced persistent threat against all security solution providers. Because the threat landscape has evolved, GlobalSign believes greater controls are necessary across the industry and echoes the calls covered in WebTrust 2.0 and the recent updates to the Mozilla Root CA acceptance programme,” a statement said.
“The executive team apologises sincerely for the inconvenience caused when undertaking such an important decision. However the organisation stands by the decision and maintain that the ultimate duty of care for GlobalSign, like all responsible CAs, is to avoid issuance of rogue certificates.
“We are truly thankful for the positive reaction to our chosen response to the incident, including the press covering this and other incidents, our peers and ultimately from our valued customers and partners.
“Finally, we also support ongoing co-operation between the security providers, CAs and the various global authorities in sharing threat information promptly and accurately.”