Web authentication authority suffers security breach

Yet another web authentication authority has been attacked by hackers intent on minting counterfeit certificates that would allow them to spoof the authenticated pages of high-profile sites. Israel-based StartCom, which operates StartSSL, suffered a security breach that occurred last Wednesday, the company said in a tersely …

COMMENTS

This topic is closed for new posts.

These are not weaknesses in SSL/TLS

They are weaknesses in the current PKI. And yes, the PKI is thoroughly broken. There are too many vendors supported by default in all the browsers, virtually guaranteeing that at least one is vulnerable to some sort of attack.

Perhaps the browser makers should perform a thorough audit of each authority before allowing it in?

Or perhaps it's time for some other clever PKI scheme... not a clue how you'd go about making a better one though. There must be a way!


Another one bites the dust

After the Comodo root CA certs (which blatantly fail to provide a CRL with any revoked cert whatsoever), now another pre-trusted root CA needs to be manually disabled, or better set to untrusted, in all your SSL keystores (OS, browsers, mobile devices), at least if you still fancy the delusion that SSL could be used to secure anything at all.

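The manual "set it to untrusted in your keystore" step from the comment above, as an added example that is not part of the thread or of any vendor's tooling. On Debian/Ubuntu-style systems the bundled roots are listed one per line in /etc/ca-certificates.conf; a leading "!" deselects an entry, and `update-ca-certificates` then rebuilds /etc/ssl/certs without it. The script below operates on a constructed copy of that file (the entry names and the temp path are assumptions for the demo) and does not run `update-ca-certificates` itself, which needs root.

```shell
#!/bin/sh
# Added example: distrust one root CA in a Debian-style ca-certificates.conf.
# The conf file and its entries are constructed for the demo; on a real host
# the file is /etc/ca-certificates.conf and `update-ca-certificates` must be
# run afterwards (as root) to rebuild /etc/ssl/certs.

# Mark the line naming CA_FILE as deselected ("!") in CONF, idempotently:
# a line that already starts with "!" will not match and is left alone.
# Entry names are expected to contain only letters, digits, "_", "-", "/", ".".
# Usage: distrust_ca CONF CA_FILE
distrust_ca() {
    conf="$1"
    ca="$2"
    # Escape "." so the sed pattern matches the name literally.
    pat=$(printf '%s' "$ca" | sed 's/\./\\./g')
    tmp="$conf.tmp"
    # Anchor on the whole line; "|" is the delimiter so "/" needs no escaping.
    sed "s|^${pat}\$|!${ca}|" "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Count the roots that would still be installed: every line that is not a
# comment, not "!"-deselected and not blank.
# Usage: trusted_count CONF
trusted_count() {
    grep -c -v -e '^#' -e '^!' -e '^$' "$1"
}

# --- demo on a constructed conf file (three sample entries) ---
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# Constructed sample of /etc/ca-certificates.conf for the demo.
# Lines starting with "!" are deselected by update-ca-certificates.
mozilla/StartCom_Certification_Authority.crt
mozilla/Comodo_AAA_Services_root.crt
mozilla/DigiCert_Global_Root_CA.crt
EOF

echo "trusted roots before: $(trusted_count "$demo_conf")"
distrust_ca "$demo_conf" "mozilla/StartCom_Certification_Authority.crt"
echo "trusted roots after:  $(trusted_count "$demo_conf")"
grep '^!' "$demo_conf"
```

The OS bundle is only one store: Firefox and Chrome on Linux keep their own NSS databases, where the analogous step is `certutil -M -n <nickname> -t ",," -d sql:$HOME/.pki/nssdb` to clear the CA's trust flags, and each mobile platform has a store of its own, which is the practical sting in the comment's "all your SSL keystores".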

Oopsie

Glad to hear they had it covered though, including the private key not plumbed in.

Anonymous Coward

Good job StartSSL

Looks like their security was properly layered.

Not sure why they've stopped taking new orders though? Fixing the attack vector?

I'm going to have to do another year with rip-off Verisign unless they're back up in a few days.

Who else offers class 2 certificates at a sensible price?


Easy fix

IE, FF, Chrome: drop trust for this authority... permanently! Seriously, that is their only job, if they can't protect themselves, what are they good for? Also, why does everything trust 50-100 different authorities?

Anonymous Coward

@VoodooTrucker

If you think anyone's immune to being hacked, you're:

a) naive

b) foolish

c) being lied to

d) all of the above

The attackers managed to create dodgy certs. These have now been invalidated.

All existing certs were protected. Layers of security = good. As we've seen recently, when most companies have a security failure, every system falls like dominoes.

Do you work for Verisign?
