Lucene search

threatpostDennis FisherTHREATPOST:15625614E104DF1FE4901E59756E9BE3
HistoryJun 21, 2011 - 8:12 a.m.

CA StartSSL Compromised, But Says Certificates Not Affected

Dennis Fisher

StartSSLA certification authority called StartSSL was attacked and compromised recently and forced to suspend the issuance of SSL certificates indefinitely. However, unlike earlier attacks on CAs such as Comodo, the attackers were not able to gain access to the material necessary to issue themselves valid certificates for arbitrary domains.

The attack on StartSSL occurred on June 15 and the company posted a short statement on its site saying that it had suffered a security breach, but stressing that the certificates issued to its existing customers were not compromised and visitors to those sites were not affected. What’s not clear is exactly what the attackers were able to access and how that affects the company’s ability to issue certificates in the future.

“Due to a security breach that occurred at the 15th of June, issuance of digital certificates and related services has been suspended. Our services will remain offline until further notice,” the statement on StartSSL’s site reads. “Subscribers and holders of valid certificates are not affected in any form. Visitors to web sites and other parties relying on valid certificates are not affected. We apologize for the temporary inconvenience and thank you for your understanding.”
A separate notice on another part of the company’s site says that its services would be unavailable until June 20, which was Monday. StartSSL is operated by StartCom Ltd., a company based in Los Angeles.

The attack on StartSSL follows earlier attacks on other CAs this year, most notably Comodo, which was compromised in March by attackers who were able to issue themselves valid certificates for several high-value domains, including Google, Yahoo and Skype. That attack caused a major uproar in the security community about the lack of serious security in the worldwide CA infrastructure.

Certificates issued by StartSSL are trusted by default by the major browsers, including Firefox and Internet Explorer. The company stressed that certificates that are already in use are not affected by the compromise.