Fellow handler Lenny wrote about GlobalSign being named by a hacker claiming the DigiNotar and Comodo breaches and GlobalSign's response to it by stopping the processes of issuing certificates.
Today GlobalSign should be back in operation and they have kept a public track of their incident response. I suggest to read it bottom up as that way you get the timeline.
I see a number of very good ideas and actions in there. First off they stopped issuing certificates right after the claim, that's the containment you see in action: make sure it does not get worse. In fact if you look back at what's known so far of the DigiNotar case, had DigiNotar done that on June 19th when they detected the breach the first time, and then would have done a complete technical audit of their systems, DigiNotar would today not have had their entire reputation thrown away. Next GlobalSign contracted Fox-IT, the same company that has been/is analyzing the systems of DigiNotar. The value of having somebody who's been dealing with similar incidents can more often than not proof to be invaluable.
I also see one worrying issue, and that's that their web server (the one serving www.globalsign.com) has signs it has been breached. GlobalSign claims it has always been isolated though.
Over the past few weeks we've had a number of request of GlobalSign customers that were wondering if they should migrate to other providers.
Let's analyze with what we know now:
So what's smart to do ?
Swa Frantzen --
Sep 13th 2011
7 years ago