Want CNET to notify you of price drops and the latest stories?

Second firm stops issuing digital certificates

GlobalSign, which provides digital certificates used to authenticate Web sites, says it is investigating Iranian hacker's claim that he compromised the company.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
3 min read
GlobalSign says it is halting issuance of any digital certificates while it investigates a hacker's claim of a breach.
GlobalSign says it is halting issuance of any digital certificates while it investigates a hacker's claim of a breach. GlobalSign

A second company that provides digital certificates used to authenticate Web sites won't be issuing them while it investigates whether it has been compromised as a hacker has claimed.

A hacker who goes by the alias "Ich Sun" has taken responsibility for a recent breach at Dutch certificate authority DigiNotar that resulted in more than 500 SSL (Secure Sockets Layer) certificates being fraudulently issued, including one that was used to spoof Google.com.

The self-proclaimed Iranian patriot, who was behind a hack on certificate authority Comodo this spring, says he has hacked four or more certificate authorities, including GlobalSign.

GlobalSign said in a statement on its Web site yesterday that it is investigating the matter.

"GlobalSign takes this claim very seriously and is currently investigating. As a responsible CA (certificate authority), we have decided to temporarily cease issuance of all Certificates until the investigation is complete. We will post updates as frequently as possible," the statement said.

The company also said it had hired Dutch security experts Fox-IT to help with the investigation as "a precautionary measure as we continue to assess the Comodohacker's claims."

Initially, it was suspected that someone working on behalf of the government of Iran had obtained the fake Google.com certificate to access Gmail accounts of Iranian citizens who believed they were connecting to Google over a secured connection.

However, Ichsun said he was protesting the failure of Dutch U.N. security forces to prevent a massacre in Srebrenica 16 years ago. In the Comodo breach, he claimed he was protesting U.S. foreign policy.

The Dutch government has reportedly taken over management of DigiNotar and called for an investigation. To protect Web surfers, the latest versions of Internet Explorer, Google Chrome, and Firefox have revoked trust in all DigiNotar certificates and Microsoft has designated all DigiNotar certificates as untrustworthy and taken other precautions to protect Windows users. DigiNotar spokespeople have not responded to questions via e-mail this week.

In the meantime, mobile Web surfers could still be vulnerable. Google and Apple have not commented on whether they plan to revoke DigiNotar certificates for Android and the iPhone, according to IDG News Service.

A Fox-IT report on the DigiNotar breach provides a timeline of events.
A Fox-IT report on the DigiNotar breach provides a timeline of events. Fox-IT
Fox-IT issued a report on Monday about the DigiNotar breach that concluded that 531 fraudulent certificates had been issued and that the hacker left the same signature that was left in the Comodo breach: Janam Fadaye Rahbar, translates as "I will sacrifice my soul for my leader."

The report cited security failings on the part of DigiNotar, including finding malicious software on the most critical servers, outdated and unpatched software on public Web servers, and lack of antivirus protection on affected servers.

"The network has been severely breached," the report continued. "All CA servers were members of one Windows domain, which made it possible to access them all using one obtained user/password combination. The password was not very strong and could easily be brute-forced."

The report, a link to which is included in this blog post along with some analysis of the attack, also speculates as to the motive.

"The list of domains and the fact that 99 percent of the users are in Iran suggest that the objective of the hackers is to intercept private communications in Iran," the report concluded.

Updated 3:29 p.m. PT with details from Fox-IT report on the DigiNotar breach.