Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

KPN Halts SSL Certificate Business to Investigate Possible Breach

A Netherlands company has stopped issuing SSL certificates due to concerns about the possible breach of a Website used to buy certificates.

A Netherlands company has stopped issuing SSL certificates due to concerns about the possible breach of a Website used to buy certificates.

Officials at telecommunications company KPN (formerly Getronics) said in a statement that though existing certificates remain valid, the company has temporarily halted the issuing of new certificates pending an investigation into the possible compromise. In a recent audit it was revealed the server of the Website may have been prepped four years ago by an attacker for use in a distributed denial of service attack (DDos).

Although there is no evidence bogus certificates were produced, the company cannot rule it out, the company said. The investigation into the situation is ongoing.

The situation at KPN is another in a series of incidents in 2011 that have brought the security of certificate authorities (CAs) into the spotlight. With a fraudulent certificate in tow, an attacker can potentially make it appear Web surfers are visiting a legitimate site even if they are actually visiting a malicious one. On Nov. 3, Microsoft and Mozilla announced they were revoking trust in certificates issued by Malaysian CA Digicert after it was discovered its certificates used weak 512-bit keys and were missing certain certificate extensions. Digicert has no relation to DigiCert Inc., based in Utah.

In March, an attacker hit a Comodo affiliate registration authority and stole the username and password for a trusted Comodo partner. As a result of the compromise, the attacker was able to create a new user account that generated nine fraudulent certificates for several popular Websites, including Google, Yahoo and Microsoft’s Hotmail.

Five months later, certificate authority DigiNotar admitted it had been hacked earlier in the year. In the ensuing fallout, browser vendors revoked hundreds of bogus SSL certificates that were issued by DigiNotar. The situation ultimately forced the company to declare bankruptcy in September.

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Defense contractor Nightwing has appointed Tricia Fitzmaurice as Chief Growth Officer.

Xage Security has appointed Russell McGuire as CRO and Ashraf Daqqa as VP of the META region.

Mario Duarte, formerly head of security at Snowflake, has joined Aembit as CISO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.