Yet another web authentication authority has been attacked by hackers intent on minting counterfeit certificates that would allow them to spoof the authenticated pages of high-profile sites. Israel-based StartCom, which operates StartSSL, suffered a security breach that occurred last Wednesday, the company said in a tersely …
These are not weaknesses in SSL/TLS
They are weaknesses in the current PKI. And yes, the PKI is thoroughly broken. There are too many vendors supported by default in all the browsers, virtually guaranteeing that at least one is vulnerable to some sort of attack.
Perhaps the browser makers should perform a thorough audit of each authority before allowing it in?
Or perhaps it's time for some other clever PKI scheme... not a clue how you'd go about making a better one though. There must be a way!
Another one bites the dust
After the Comodo root CA certs (which blatantly fail to provide a CRL with any revoked cert whatsoever), now another pre-trusted root CA needs to be manually disabled, or better set to untrusted, in all your SSL keystores (OS, browsers, mobile devices) - at least if you still fancy the delusion that SSL could be used to secure anything at all.
Glad to hear they had it covered though, including the private key not plumbed in.
Good job StartSSL
Looks like their security was properly layered.
Not sure why they've stopped taking new orders though? Fixing the attack vector?
I'm going to have to do another year with rip-off Verisign unless they're back up in a few days.
Who else offers class 2 certificates at a sensible price?
IE, FF, Chrome: drop trust for this authority... permanently! Seriously, that is their only job, if they can't protect themselves, what are they good for? Also, why does everything trust 50-100 different authorities?
If you think anyone's immune to being hacked, you're:
c) being lied to
d) all of the above
The attackers managed to create dodgy certs. These have now been invalidated.
All existing certs were protected. Layers of security = good. As we've seen recently, when most companies have a security failure, every system falls like dominoes.
Do you work for Verisign?