CA GlobalSign resumes operations
Following a one-week downtime, certificate authority GlobalSign has resumed operations. Its investigations found that the company's web server has been compromised, but that there is no indication that their CA systems have been penetrated. This, of course, does not mean that no penetration has taken place.
Security specialists are currently discussing the credibility of claims by the DigiNotar hacker that he is able to issue certificates for Microsoft's Windows Update. Last week Microsoft was keen to stress that Windows Update is certified by a root certificate from its own internal, non-public CA. Since the hacker has no way of issuing certificates for this, installing crafted updates via Windows Update is, according to Microsoft, impossible.
Security specialist Dan Kaminsky has backed up Microsoft's claim. He notes that Windows Update doesn't just check that the update signature matches a root certificate (WinVerifyTrust); Windows also checks that it matches a Microsoft-issued certificate (CertVerifyCertificateChainPolicy with the CERT_CHAIN_POLICY_MICROSOFT_ROOT flag). Google's Chrome browser contains a similar function which, when logging into Google, checks both the validity of the SSL certificate and whether it is issued by a trusted CA (Thawte, etc.).
It was this function that led to the fake Google certificate and the DigiNotar hack being uncovered. If the attacker had limited himself to issuing certificates for Yahoo, Facebook and Tor, it might well have taken much longer for the problem to come to light.