Web authentication authority suffers security breach
Yet another web authentication authority has been attacked by hackers intent on minting counterfeit certificates that would allow them to spoof the authenticated pages of high-profile sites. Israel-based StartCom, which operates StartSSL, suffered a security breach that occurred last Wednesday, the company said in a tersely …
These are not weaknesses in SSL/TLS
They are weaknesses in the current PKI. And yes, the PKI is thoroughly broken. There are too many vendors supported by default in all the browsers, virtually guaranteeing that at least one is vulnerable to some sort of attack.
Perhaps the browser makers should perform a thorough audit of each authority before allowing it in?
Or perhaps it's time for some other clever PKI scheme... not a clue how you'd go about making a better one though. There must be a way!
Another one bites the dust
After the Comodo root CA certs (which blatantly fail to provide a CRL with any revoked cert whatsoever), now another pre-trusted root CA needs to be manually disabled or, better, set to untrusted in all your SSL keystores (OS, browsers, mobile devices) - at least if you still fancy the delusion that SSL could be used to secure anything at all.
Oopsie
Glad to hear they had it covered though, including the private key not plumbed in.
Good job StartSSL
Looks like their security was properly layered.
Not sure why they've stopped taking new orders though? Fixing the attack vector?
I'm going to have to do another year with rip-off Verisign unless they're back up in a few days.
Who else offers class 2 certificates at a sensible price?
Easy fix
IE, FF, Chrome: drop trust for this authority... permanently! Seriously, that is their only job, if they can't protect themselves, what are they good for? Also, why does everything trust 50-100 different authorities?
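Two comments above suggest the same remedy: remove a compromised root from every keystore you control and stop trusting the default 50-100 roots wholesale. The script below is an added example (not from the thread or from StartCom) of the mechanical part of that: it splits a PEM root bundle, computes each root's SHA-256 fingerprint as browsers display it, drops any root whose fingerprint is on a distrust list, and loads what is left as the *only* trust anchors for a TLS client. The three "root" blobs are constructed placeholders, not real certificates, so only the split/fingerprint/filter logic is exercised here; point it at your actual CA bundle and a real fingerprint to use it.

```python
"""Trim a PEM root bundle by SHA-256 fingerprint (added example, not from the thread)."""
import base64
import hashlib
import re
import ssl

# Matches one PEM certificate block and captures its base64 body.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def split_bundle(bundle: str) -> list:
    """Return the base64 bodies of every certificate in a PEM bundle, in order."""
    return ["".join(body.split()) for body in PEM_CERT_RE.findall(bundle)]


def sha256_fingerprint(b64_body: str) -> str:
    """SHA-256 over the DER bytes, colon-separated upper-case hex, as browsers show it."""
    der = base64.b64decode(b64_body)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def to_pem(b64_body: str) -> str:
    """Re-wrap a base64 body as a 64-column PEM certificate block."""
    lines = [b64_body[i:i + 64] for i in range(0, len(b64_body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def distrust(bundle: str, distrusted: set) -> tuple:
    """Split `bundle` into (kept_pem, dropped_fingerprints).

    Roots whose SHA-256 fingerprint appears in `distrusted` are removed; the rest
    are re-emitted as PEM so they can be loaded as the complete trust store.
    """
    kept, dropped = [], []
    for body in split_bundle(bundle):
        fp = sha256_fingerprint(body)
        if fp in distrusted:
            dropped.append(fp)
        else:
            kept.append(to_pem(body))
    return "".join(kept), dropped


def context_from_bundle(kept_pem: str) -> ssl.SSLContext:
    """Client context that trusts only the trimmed bundle, not the OS default store."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_verify_locations(cadata=kept_pem)  # needs real X.509 certificates
    return ctx


# Constructed placeholder blobs standing in for three root CA DER encodings.
# They are NOT real certificates; they exist so the filter can be run offline.
_PLACEHOLDER_ROOTS = [
    base64.b64encode(b"placeholder DER for root CA 1").decode(),
    base64.b64encode(b"placeholder DER for root CA 2 (to be distrusted)").decode(),
    base64.b64encode(b"placeholder DER for root CA 3").decode(),
]
SAMPLE_BUNDLE = "".join(to_pem(b) for b in _PLACEHOLDER_ROOTS)
# Assumed distrust list: the fingerprint of the second placeholder root.
DISTRUSTED_ROOT_FP = sha256_fingerprint(_PLACEHOLDER_ROOTS[1])

if __name__ == "__main__":
    kept, dropped = distrust(SAMPLE_BUNDLE, {DISTRUSTED_ROOT_FP})
    print(f"roots before: {len(split_bundle(SAMPLE_BUNDLE))}, after: {len(split_bundle(kept))}")
    for fp in dropped:
        print("removed", fp)
```

Fingerprints, not subject names, are the right key for a distrust list: a subject string can be reproduced by anyone who issues a cert, while the hash of the DER pins the exact root object. Feeding the trimmed bundle through `load_verify_locations(cadata=...)` means the client never consults the OS store, so a root you have removed cannot come back through a platform update behind your back.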
@VoodooTrucker
If you think anyone's immune to being hacked, you're:
a) naive
b) foolish
c) being lied to
d) all of the above
The attackers managed to create dodgy certs. These have now been invalidated.
All existing certs were protected. Layers of security = good. As we've seen recently, when most companies have a security failure, every system falls like dominoes.
Do you work for Verisign?
