GlobalSign – the CA that has been named by the Comodohacker as also compromised and has stopped issuing certificates until it finished investigating these claims – has revealed that only the web server hosting its site has been compromised.
The CA has retained the services of Fox IT, the same security audit firm that investigates the DigiNotar breach, and the audit of its infrastructure revealed that all of its other servers show no evidence of compromise.
“The breached web server has always been isolated from all other infrastructure and is used only to serve the www.globalsign.com website,” it said. “As an additional precaution, we continue to monitor all activity to all services closely.”
Previously, the company has claimed that its CA root was created offline, and has always been offline. “Any claim of the Comodohacker to holding a private key does not refer to the GlobalSign offline root CA,” it said.
It has also announced that it plans to bring some of its services back online on Monday during a sequenced startup, but that customers might not be able to process orders until Tuesday morning. The reactivation process will be executed with the help of the Cyber Defense Institute Japan.
“All forensics are being shared with the authorities and other CAs to assist with their own investigations into other potentially related attacks,” it added.
I must say that the way that GlobalSign handled this situation could be used as a good example for all CAs.
In the meantime, Apple has finally released a security update for Mac OS X Snow Leopard and Lion, which has modified the trust system configuration and has made all certificates issued by DigiNotar or in its name untrusted.