
Update on the hacker as GlobalSign is mentioned


Steve Roylance

Sep 6, 2011, 6:09:11 AM
to mozilla-dev-s...@lists.mozilla.org, Gervase Markham, Kathleen Wilson
Dear all,

This is simply to acknowledge to the Mozilla team and the wider security
policy mailing list that GlobalSign has been specifically mentioned by the
hacker in his latest pastebin message. We are currently investigating all
our systems in detail and looking at ways to avoid being his next victim.

It seems that other CAs may also have issues according to the posting
http://pastebin.com/1AxH30em

Kind Regards

Steve Roylance
Business Development Director
GlobalSign


Peter Gutmann

Sep 6, 2011, 6:41:42 AM
to mozilla-dev-s...@lists.mozilla.org, steve.r...@globalsign.com, ge...@mozilla.org, kwi...@mozilla.com
Steve Roylance <steve.r...@globalsign.com> writes:

>This is simply to acknowledge to the Mozilla team and the wider security
>policy mailing list that GlobalSign has been specifically mentioned by the
>hacker in his latest pastebin message. We are currently investigating all our
>systems in detail and looking at ways to avoid being his next victim.

Interesting to note too that we now know, thanks to the hacker that
(apparently) 0wned them, what went wrong at StartSSL.

Peter.

Eddy Nigg

Sep 6, 2011, 8:19:02 AM
to mozilla-dev-s...@lists.mozilla.org
On 09/06/2011 01:41 PM, From Peter Gutmann:

> Interesting to note too that we now know, thanks to the hacker that
> (apparently) 0wned them, what went wrong at StartSSL. Peter.

Errr...what's the new information exactly that wasn't known before?

I know, I know...it's such a shame that he didn't get us, right Peter?
It would have made your day, but ouuups, Eddy was on top of it. Have Fun!

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
XMPP: star...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg

Peter Gutmann

Sep 6, 2011, 8:30:56 AM
to eddy...@startcom.org, mozilla-dev-s...@lists.mozilla.org
Eddy Nigg <eddy...@startcom.org> writes:
>On 09/06/2011 01:41 PM, From Peter Gutmann:
>> Interesting to note too that we now know, thanks to the hacker that
>> (apparently) 0wned them, what went wrong at StartSSL. Peter.
>
>Errr...what's the new information exactly that wasn't known before?

Before, we knew pretty much nothing ("something happened but we won't tell you
what it was, move along, nothing to see"). Now we at least know a bit about
what did happen.

>I know, I know...it's such a shame that he didn't get us, right Peter? It
>would have made your day, but ouuups, Eddy was on top of it. Have Fun!

Actually I'm really not at all fussed about that. In any case once you own
one CA, the whole browser-PKI house of cards collapses, so it doesn't really
matter who gets owned. The real significance in this case is that the
attacker has demonstrated repeatability, so it's no longer possible to shrug
it off with "it was a one-off event".

Peter.

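Peter's "once you own one CA, the whole browser-PKI house of cards collapses" point, as an added illustration that is not part of this thread: standard X.509 path validation (here Go's crypto/x509) accepts a server certificate from any root in the trust store, so a certificate issued by a compromised CA for a host validates exactly like the legitimate one, and only an out-of-band pin on the expected issuer key tells the two apart. The CA names, host name and keys below are constructed in memory for the example and belong to no real CA.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert builds a self-signed root CA (parent == nil) or a TLS server leaf signed by parent; all in-memory constructed test data.
func makeCert(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	signer, signerKey := parent, parentKey
	if parent == nil { // no parent: sign with its own key and mark it a CA
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		signer, signerKey = tmpl, priv
	} else { // server leaf: the host name goes into the SAN, which is what Verify matches
		tmpl.DNSNames = []string{name}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// vouchingRoot mirrors browser validation: whichever root in the store validates leaf for host wins (nil if none); which CA signed is never questioned.
func vouchingRoot(leaf *x509.Certificate, host string, roots ...*x509.Certificate) *x509.Certificate {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	if err != nil {
		return nil
	}
	return chains[0][len(chains[0])-1]
}

// pinnedOK adds the check a plain root store lacks: the vouching root's SubjectPublicKeyInfo hash must equal the pin recorded for host.
func pinnedOK(leaf *x509.Certificate, host string, pin [32]byte, roots ...*x509.Certificate) bool {
	root := vouchingRoot(leaf, host, roots...)
	return root != nil && sha256.Sum256(root.RawSubjectPublicKeyInfo) == pin
}
```

The pin has to come from somewhere other than the chain being checked (a first connection, a config file, DNS records), otherwise it adds nothing; that is the detection a relying party gets that the root store alone cannot give.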
Eddy Nigg

Sep 6, 2011, 8:35:15 AM
to mozilla-dev-s...@lists.mozilla.org
On 09/06/2011 03:30 PM, From Peter Gutmann:

> Before, we knew pretty much nothing ("something happened but we won't
> tell you what it was, move along, nothing to see"). Now we at least
> know a bit about what did happen.

It was widely published by us that we suffered a security breach and
that no relying party was affected in any form. And this is exactly what
you know now as well, there is nothing new.

http://www.theregister.co.uk/2011/06/21/startssl_security_breach/

Eddy Nigg

Sep 6, 2011, 11:41:19 AM
to mozilla-dev-s...@lists.mozilla.org
On 09/06/2011 03:35 PM, From Eddy Nigg:

> On 09/06/2011 03:30 PM, From Peter Gutmann:
>> Before, we knew pretty much nothing ("something happened but we won't
>> tell you what it was, move along, nothing to see"). Now we at least
>> know a bit about what did happen.
>
> It was widely published by us that we suffered a security breach and
> that no relying party was affected in any form. And this exactly what
> you know now as well, there is nothing new.
>

Here is something for you:

Security should always be designed on the assumption that a breach will
occur:
http://countermeasures.trendmicro.eu/diginotar-iran-certificates-and-you/

Erwann Abalea

Sep 6, 2011, 4:13:01 PM
to mozilla-dev-s...@lists.mozilla.org, mozilla-dev-s...@lists.mozilla.org
On Tuesday, 6 September 2011 14:19:02 UTC+2, Eddy Nigg wrote:
> On 09/06/2011 01:41 PM, From Peter Gutmann:
> > Interesting to note too that we now know, thanks to the hacker that
> > (apparently) 0wned them, what went wrong at StartSSL. Peter.
>
> Errr...what's the new information exactly that wasn't known before?
>
> I know, I know...it's such a shame that he didn't get us, right Peter?
> It would have made your day, but ouuups, Eddy was on top of it. Have Fun!

Eddy, do you always sleep next to your HSMs? :)

http://pastebin.com/85WV10EL

Eddy Nigg

Sep 6, 2011, 4:34:28 PM
to mozilla-dev-s...@lists.mozilla.org
On 09/06/2011 11:13 PM, From Erwann Abalea:

> I know, I know...it's such a shame that he didn't get us, right Peter?
> It would have made your day, but ouuups, Eddy was on top of it. Have Fun!
> Eddy, do you always sleep next to your HSMs? :)

LOL - I said on top, not next to it ;-)

But no - I wasn't even in the office at that time, but took charge after
detection of the attempts was reported to me. Neither was this really
an HSM, but a unit we call HSM internally. But who cares really...

master

Sep 6, 2011, 5:36:59 PM
to mozilla-dev-s...@lists.mozilla.org
So what exactly would happen if you removed the Root CA from all
authority-issued certs? Would that be almost the same as distrusting the
authority?

Would SSL suddenly no longer work?

Why do people rely on SSL to keep their connection secure from the
prying eyes of attackers, but it's OK to leave that connection open to the
prying eyes of the likes of Google, Facebook and any other CA authority?

Someone earlier on another newsgroup was overheard saying "What's wrong
with using paper and envelopes with a stamp these days?"

I'm inclined to agree; at least then you can see when they've tried to
steam the envelope open!

Scott

Franck Leroy

Sep 7, 2011, 4:13:49 PM
to mozilla-dev-s...@lists.mozilla.org

http://pastebin.com/GkKUhu35

extract:

Third: You only heards Comodo (successfully issued 9 certs for me -
thanks by the way-), DigiNotar (successfully generated 500+ code
signing and SSL certs for me -thanks again-), StartCOM (got connection
to HSM, was generating for twitter, google, etc. CEO was lucky enough,
but I have ALL emails, database backups, customer data which I'll
publish all via cryptome in near future), GlobalSign (I have access to
their entire server, got DB backups, their linux / tar gzipped and
downloaded, I even have private key of their OWN globalsign.com
domain, hahahaa).... BUT YOU HAVE TO HEAR SO MUCH MORE! SO MUCH MORE!
At least 3 more, AT LEAST! Wait and see, just wait a little bit like I
said in Comodo case.

This is very disturbing...

Franck.