Wow, it really has been a bad week for Certificate Authorities. First DigiNotar gets cracked by a seemingly persistent CA cracker called ComodoHacker; now GlobalSign has stopped processing certificate requests due to possible compromise by the same cracker.
It all started in March this year with the Comodo CA breach. Next was StartCom, the Israeli CA (although they say that nothing was compromised). Then an attack on DigiNotar appears to have been initiated on June 17. Apparently 531 rogue certificates were issued (and then revoked) in the period July 19 to 29, and that count may not be final. According to an audit by Fox-IT, the attack was mostly successful due to glaring security weaknesses in DigiNotar's networks, apps and architecture.
Last week, Microsoft removed DigiNotar's root CA certs from its browsers, and this week they have moved these certs, as well as some other Dutch government certs, to the untrusted certificate store.
The Firefox 6.0.2 update this week effectively does the same thing. Cumulatively, these steps will have a massive impact on the Dutch government’s websites and their ability to function.
The same cracker has boasted that he/she has compromised 4 other CAs as well, one of these being GlobalSign. As a result, GlobalSign has suspended issuing further certs pending an investigation into the claim.
For those who cannot (for some strange reason) run updated web browsers (with the compromised CA removed), you can manually effect the same result by removing the CA cert in your browser:
Firefox
Edit/Tools -> Preferences -> Advanced -> Encryption -> View Certificates -> Authorities
Find the DigiNotar root CA in the list and delete/distrust
Internet Explorer/Windows
Start -> Control Panel -> Internet Options ( in classic view ) -> Content -> Certificates -> Trusted Root Certificate Authorities
Find the DigiNotar root CA in the list and remove
Other browsers will have similar options in the preferences section.
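The same "find the root and remove it" step, as an added example that is not part of the original post, for the plain PEM trust bundles that many non-browser TLS clients read: each certificate's subject CN is parsed out of the DER and matching entries are dropped. The certificates here are constructed stand-ins (unsigned, only the subject field is meaningful), and the bundle is assumed to be concatenated PEM with Unix line endings.

```python
import base64, re

OID_CN = bytes.fromhex("550403")  # id-at-commonName (2.5.4.3)
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\n(.*?)\n-----END CERTIFICATE-----", re.S)

def der_walk(buf):
    """Yield (tag, value) for each top-level TLV in a DER byte string."""
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long-form length, as real certificates use
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + n]
        i += n

def subject_cn(der_cert):
    """Return the subject commonName of a DER-encoded X.509 certificate, or None."""
    cert_body = next(der_walk(der_cert))[1]  # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, signature }
    fields = list(der_walk(next(der_walk(cert_body))[1]))
    if fields and fields[0][0] == 0xA0:  # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    subject = fields[4][1]  # serial, signature, issuer, validity, subject
    for _, rdn in der_walk(subject):  # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
        for _, atv in der_walk(rdn):
            oid, value = [v for _, v in der_walk(atv)]
            if oid == OID_CN:
                return value.decode("utf-8", "replace")
    return None

def strip_ca(bundle_pem, needle):
    """Drop every cert whose subject CN contains `needle`; return (kept_pem, removed_cns)."""
    kept, removed = [], []
    for m in PEM_RE.finditer(bundle_pem):
        cn = subject_cn(base64.b64decode(m.group(1))) or ""
        if needle.lower() in cn.lower():
            removed.append(cn)
        else:
            kept.append(m.group(0))
    return "\n".join(kept) + "\n", removed

def der_tlv(tag, payload):  # short-form lengths only; enough for the constructed samples below
    return bytes([tag, len(payload)]) + payload
def sample_cert_der(cn):
    """Constructed, unsigned stand-in certificate: only the subject CN is meaningful."""
    name = der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, OID_CN) + der_tlv(0x0C, cn.encode()))))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                  + der_tlv(0x30, b"") + name + der_tlv(0x30, b"") + name)
    return der_tlv(0x30, tbs + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"
```

Running `strip_ca` over a real bundle (for example the PEM file a Linux distribution ships as its CA store) works the same way; the removed CN list is the audit trail of what was dropped.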