When the self-styled ComodoHacker, who also claimed responsibility for the DigiNotar hack, boasted that he had access to GlobalSign's "entire server", database backups, system configuration files and the private key for their Globalsign.com domain, the Certificate Authority reacted in a way we wish all CAs would in such a situation: it immediately suspended the issuance of digital certificates until the investigation could establish whether the claims were true and the issuance process had been compromised.
Fox IT, the security firm that audited DigiNotar's infrastructure after that breach, was also hired by GlobalSign to carry out the same kind of examination of its own systems, and after more than two months the results of the investigation have now been published.
Fox IT found no evidence that rogue certificates had been issued or that customer data had been exposed. The Root Certificate keys and their associated Hardware Security Modules, the CA infrastructure, the Issuing Authorities and their associated HSMs, and the Registration Authority (RA) services were likewise found not to have been compromised.
So what did happen? "A peripheral web server, not part of the Certificate issuance infrastructure, hosting a public facing web property was breached," the report says. That means the exposure was limited to publicly available HTML pages and PDFs, plus the SSL certificate and private key issued to www.globalsign.com. Note what that key is and is not: it is the TLS server key for the company's own website, not a CA signing key, so an attacker holding it could impersonate www.globalsign.com to visitors until the certificate was revoked, but could not use it to issue certificates.
"SSL Certificate and key for www.globalsign.com were deemed compromised and revoked," the report says, and while the investigation was under way the company moved to rebuild a "newly hardened Certificate issuance infrastructure" (the report gives full details).
All this leads me to reiterate that GlobalSign's handling of this whole mess leaves absolutely nothing to be desired, and that its managers deserve a big round of applause. If all CAs were as conscientious as GlobalSign, the CA trust system would work as it should, and security professionals would not be clamoring for a replacement for it.