Jun 21, 2011 11:24 GMT

StartCom, one of the certification authorities trusted by browsers to issue SSL certificates, was breached earlier this month by attackers who tried to spoof high-profile websites.

StartCom, which operates its SSL business as StartSSL, temporarily suspended the issuing of new certificates because of a security breach that occurred last week.

"Due to a security breach that occurred at the 15th of June, issuance of digital certificates and related services has been suspended. Our services will remain offline until further notice," the company announced.

StartCom also noted that holders of valid certificates and others who rely on them have not been affected by the incident. "We apologize for the temporary inconvenience and thank you for your understanding," it added.

StartCom CTO and COO Eddy Nigg told The Register that hackers tried to obtain certificates for the same websites Comodo attackers did earlier this year. That means www.google.com, login.yahoo.com, login.skype.com, login.live.com and mail.google.com.

Fortunately, unlike in the Comodo attack, the hackers didn't manage to successfully generate the certificates they wanted. They similarly failed to obtain a sub CA certificate that would have allowed them to issue certs themselves.

Nigg revealed that StartCom's private key is stored on a computer that is isolated from the Internet and was not in danger.

Recent attacks against certification authorities have raised a lot of questions about the security of the Public Key Infrastructure (PKI). Browser vendors are trying to find solutions that would help protect users even in the case when rogue certificates are obtained.

For example, Google is introducing a feature called certificate pinning in its Chrome browser, which allows users to associate certain certificate elements with a domain. A certificate for mail.google.com, for instance, would only pass validation if it was issued by one of several particular CAs. This would significantly reduce the options available to attackers.
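
How such a pin check behaves, as an added example that is not Chrome's code: it assumes the pinned "certificate element" is a SHA-256 hash of a CA's public key info, and the pin set, placeholder byte strings and function names are constructed for illustration.

```python
import base64
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """Pin value: base64(SHA-256(SubjectPublicKeyInfo)). The hash choice is an assumption."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


# Constructed placeholder bytes standing in for each certificate's DER-encoded
# public key info; a real client would extract these from the presented chain.
CA_A = b"constructed-spki:pinned-ca-a"
CA_B = b"constructed-spki:pinned-ca-b"
CA_OTHER = b"constructed-spki:other-browser-trusted-ca"
LEAF_GOOD = b"constructed-spki:legitimate-leaf"
LEAF_ROGUE = b"constructed-spki:rogue-leaf"

# Hypothetical pin store: host name -> set of acceptable CA key pins.
PINS = {"mail.google.com": {spki_pin(CA_A), spki_pin(CA_B)}}


def pin_check(hostname, chain_spkis, pins=PINS):
    """Run after ordinary chain validation has already succeeded.

    Returns (ok, reason). A pinned host is accepted only if at least one
    key in the presented chain matches a pin; unpinned hosts are unaffected.
    """
    allowed = pins.get(hostname.lower().rstrip("."))
    if allowed is None:
        return True, "no pins for host"
    if any(spki_pin(spki) in allowed for spki in chain_spkis):
        return True, "pin matched"
    return False, "pin mismatch"


if __name__ == "__main__":
    # Legitimate chain: leaf issued by one of the pinned CAs.
    print(pin_check("mail.google.com", [LEAF_GOOD, CA_A]))
    # Rogue chain: valid under another trusted CA, but that CA is not pinned.
    print(pin_check("mail.google.com", [LEAF_ROGUE, CA_OTHER]))
    # Host without pins falls back to ordinary validation only.
    print(pin_check("unpinned.example.test", [LEAF_ROGUE, CA_OTHER]))
```

The second call is the case the article is concerned with: a certificate that chains to a browser-trusted CA still fails for the pinned domain because that CA is not in the domain's pin set.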