Web authentication authority suffers security breach

Yet another web authentication authority has been attacked by hackers intent on minting counterfeit certificates that would allow them to spoof the authenticated pages of high-profile sites. Israel-based StartCom, which operates StartSSL, suffered a security breach that occurred last Wednesday, the company said in a tersely …

COMMENTS

This topic is closed for new posts.
  1. David Hicks
    WTF?

    These are not weaknesses in SSL/TLS

    They are weaknesses in the current PKI. And yes, the PKI is thoroughly broken. There are too many vendors supported by default in all the browsers, virtually guaranteeing that at least one is vulnerable to some sort of attack.

    Perhaps the browser makers should perform a thorough audit of each authority before allowing it in?

    Or perhaps it's time for some other clever PKI scheme... not a clue how you'd go about making a better one though. There must be a way!

  2. Anonymous Coward
    FAIL

    Another one bites the dust

    After the Comodo root CA certs (which blatantly fail to provide a CRL with any revoked cert whatsoever), now another pre-trusted root CA needs to be manually disabled, or better set to untrusted, in all your SSL keystores (OS, browsers, mobile devices) - at least if you still fancy the delusion that SSL could be used to secure anything at all.

  3. b166er
    Oopsie

    Glad to hear they had it covered though, including the private key not plumbed in.

  4. Anonymous Coward
    Good job StartSSL

    Looks like their security was properly layered.

    Not sure why they've stopped taking new orders though? Fixing the attack vector?

    I'm going to have to do another year with rip-off Verisign unless they're back up in a few days.

    Who else offers class 2 certificates at a sensible price?

  5. Anonymous Coward
    Easy fix

    IE, FF, Chrome: drop trust for this authority... permanently! Seriously, that is their only job, if they can't protect themselves, what are they good for? Also, why does everything trust 50-100 different authorities?

    1. Anonymous Coward
      @VoodooTrucker

      If you think anyone's immune to being hacked, you're:

      a) naive

      b) foolish

      c) being lied to

      d) all of the above

      The attackers managed to create dodgy certs. These have now been invalidated.

      All existing certs were protected. Layers of security = good. As we've seen recently, when most companies have a security failure, every system falls like dominoes.

      Do you work for Verisign?
