Certificate issuing stopped at KPN after server break-in discovered
The certificate authority (CA) run by KPN Corporate Market, a subsidiary of the Dutch telecommunications provider KPN, has announced that it has stopped issuing Secure Sockets Layer (SSL) certificates after attackers bypassed the CA's security mechanisms and compromised one of its servers. The compromise came to light during a thorough review prompted by the recent break-ins at other certificate authorities: on the compromised server the CA found tools for launching DDoS attacks against other computers. The evidence uncovered so far indicates that the break-in at KPN took place four years ago and went undetected until now.
KPN said that previously issued certificates are unlikely to have been compromised, but that the possibility cannot be ruled out completely. Those certificates nevertheless remain valid for the time being. As a precautionary measure, the company has replaced its web servers, and it will not issue any further SSL certificates until the break-in has been fully investigated.
In a similar incident, last Thursday Microsoft and Mozilla revoked their trust in all certificates issued by the Malaysian Digicert CA (unrelated to the US company DigiCert Inc.). Twenty-two certificates issued by this CA were found to use weak 512-bit RSA keys and to lack certain certificate extensions as well as revocation information. A 512-bit RSA modulus can be factored with modest computing resources, so the private key of such a certificate is effectively recoverable by anyone who wants it, and without a CRL distribution point or OCSP responder there is no standard way for relying parties to learn that the certificate has been revoked.
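The defects cited in the Digicert Malaysia case (a too-short RSA key, no revocation information, no Extended Key Usage) are easy to check for in a certificate you have been handed. The script below is an added example and is not code from the article or from any of the CAs it describes. It assumes the `openssl` command-line tool is installed and takes the PEM file name as its only input; the 2048-bit floor it enforces is the editor's choice (the modern minimum for public CAs), not a figure from the article, and the sample certificates it generates are constructed on the fly so the example runs offline.

```shell
#!/bin/sh
# Added example (not from the original article): audit a PEM certificate for the
# three defects cited in the Digicert Malaysia case. Prints one line per finding
# and returns 0 when the certificate is clean, 1 when any finding is present,
# 2 when openssl could not parse the file.
audit_cert() {
    cert="$1"
    # One pass through openssl's human-readable dump, reused for every check.
    dump=$(openssl x509 -in "$cert" -noout -text) || return 2
    findings=0

    # Key size: "Public-Key: (512 bit)" (OpenSSL >= 1.1) or "RSA Public Key: (512 bit)" (older).
    bits=$(printf '%s\n' "$dump" | sed -n 's/.*Public[- ][Kk]ey: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    if [ -z "$bits" ]; then
        echo "WARN: could not determine public key size"
        findings=$((findings + 1))
    elif [ "$bits" -lt 2048 ]; then
        # 2048 bits is the editor's floor (assumption); 512-bit RSA is factorable by a small group.
        echo "FAIL: public key is only $bits bits"
        findings=$((findings + 1))
    fi

    # Revocation information: either a CRL distribution point or an OCSP responder in AIA.
    if ! printf '%s\n' "$dump" | grep -q 'X509v3 CRL Distribution Points' &&
       ! printf '%s\n' "$dump" | grep -q 'OCSP - URI:'; then
        echo "FAIL: no CRL distribution point and no OCSP responder, so the certificate cannot be revoked effectively"
        findings=$((findings + 1))
    fi

    # Extended Key Usage: without it the certificate is usable for any purpose the chain allows.
    if ! printf '%s\n' "$dump" | grep -q 'X509v3 Extended Key Usage'; then
        echo "FAIL: no Extended Key Usage extension"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Constructed sample 1: a self-signed certificate showing all three defects
# (512-bit key, no EKU, no CRL/OCSP). The private key is discarded.
make_weak_cert() {
    openssl req -x509 -newkey rsa:512 -sha256 -nodes -days 1 \
        -subj "/CN=weak.example" -keyout /dev/null -out "$1" 2>/dev/null
}

# Constructed sample 2: a self-signed certificate that passes every check.
# The CRL URL is a placeholder and is never fetched (assumption).
make_ok_cert() {
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 1 \
        -subj "/CN=ok.example" -keyout /dev/null -out "$1" \
        -addext "extendedKeyUsage=serverAuth" \
        -addext "crlDistributionPoints=URI:http://crl.example/ca.crl" 2>/dev/null
}

# Usage: audit_cert /path/to/certificate.pem
```

Run `audit_cert` against any PEM certificate; the three checks are independent, so a certificate with a strong key but no revocation pointers still fails, which is the point: key strength alone does not make a certificate safe to rely on if it can never be withdrawn.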