Certification authority reports security breach

Another certification authority has fallen prey to attackers seeking certificates for high-profile domains, the kind that would let a phishing page impersonate a genuine login site without triggering browser warnings.

The authority in question is StartSSL, operated by StartCom, and according to the short notice posted on its site, the breach occurred on 15 June.

“Subscribers and holders of valid certificates are not affected in any form. Visitors to web sites and other parties relying on valid certificates are not affected,” it says.

The authority immediately suspended the issuing of new certificates and, at the time of writing, had still not resumed the service.

The Register reports that Eddy Nigg, StartCom’s CTO and COO, has confirmed that the attackers tried to obtain certificates for a list of websites very similar to the one targeted in the Comodo breach (Gmail, Google, Skype, Yahoo and others), but that they failed to do so.

Nigg also pointed out that the attackers did not manage to compromise the authority’s private signing key, because it is stored on a computer that is not connected to the Internet.