The fifth certificate authority to be hacked this year, StartSSL has suspended issuing its free SSL certificates indefinitely.
StartSSL,
a certification authority offering free SSL certificates, was compromised by
unknown attackers earlier this month. The company has suspended issuing
security certificates for Websites as a "defensive measure."
Attackers
hit StartSSL on June 15, and the company suspended issuing SSL certificates
indefinitely, according to a short statement on the site. Secure Sockets Layer
is used by Websites around the world as a trust mechanism to convince the Web
browser the site the user is accessing is the authentic version and not a
counterfeit one. Certificates that have already been issued to customers were
not compromised, and visitors to those sites are not affected, according to the
statement.
Unlike
the attacks on Comodo and other certificate authorities, these attackers did
not gain enough access to issue valid certificates for arbitrary domains to
themselves, StartSSL said. The attackers were also unsuccessful in generating
an intermediate certificate that would allow them to act as their own
certificate authority, The Register reported.
"Due
to a security breach that occurred at the 15th of June, issuance of digital
certificates and related services has been suspended. Our services will remain
offline until further notice," StartSSL said.
It's
not clear what the attackers were able to access, nor what it means for the
company's ability to continue issuing certificates in the future.
"Our
services will be gradually reinstated as the situation allows," the
company said on the site. The message was still on the site as of June 22.
The
company stressed that existing certificates were not compromised. More than 25,000
Websites use certificates issued by StartSSL, according to Paul Mutton, a
security researcher with British security firm Netcraft.
StartSSL
offers one-year free domain validated SSL certificates as well as other
organization and extended validation certificates. AffirmTrust offers
three-year domain validated SSL certificates for free.
The
StartSSL attack follows earlier
attacks on other certificate authorities and is the fifth one this year.
Root certificate authority Comodo
was compromised in March when an attacker breached a reseller's system and
received several valid certificates for major domains. Certificates for seven
addresses were forged, including Google mail, www.google.com, login.yahoo.com,
login.skype.com, addons.mozilla.com and Microsoft's login.live.com.
Comodo
detected the problem almost immediately and revoked the certificates before
they could be used. Microsoft, Mozilla and Google
pushed out updates to blacklist those certificates, but it still took a few
days. Apple took much longer to update
Safari.
StartSSL
certificates are accepted by default by most major browsers, including Google
Chrome, Mozilla Firefox and Internet Explorer. Once a certificate authority's
root certificate is included within a browser, it can validate hundreds of
thousands of individual Websites, making it impractical to remove the
compromised authority from the browser entirely.
The
attackers were after valid certificates for a list of Websites similar to those
targeted by the Comodo attacker, Eddy Nigg, CTO and COO of StartSSL's parent
company StartCom, told The Register. The attack did not succeed because the
authority's private encryption key was stored on a computer that isn't
connected to the Internet, Nigg said.
The
incident highlighted the lack of security in the worldwide certificate
authority structure. There were too many authorities and the system was not
being implemented as designed, James Lyne, director of technology strategy at
Sophos, told eWEEK. SSL no longer provides meaningful security, since users can
just ignore the warning that a site has an invalid certificate and proceed to a
Website, Lyne said.
Email
Print
