Dutch SSL authority KPN stops issuing certificates after hack

Dutch SSL authority KPN stops issuing certificates after hack

Certificate authority says no evidence of fraudulent access

Article comments

The largest telecommunications company in the Netherlands has stopped issuing SSL certificates after finding indications that the website used for purchasing the certificates may have been hacked.

The back-end infrastructure used to generate certificates does not appear to have been affected, although an investigation is under way with results expected soon, KPN spokeswoman Simona Petescu said.

During an audit, the public-facing website showed indications that someone may have tried to prepare it for Distributed Denial-of-Service (DDoS) attacks as long as four years ago, according to a KPN press release. It does not appear that any fraudulent SSL certificates have been created, Petescu said. But as a precaution, it stopped issuing certificates and also notified the Dutch government's interior affairs ministry, she said.

KPN's corporate IT services branch, KPN Corporate Market, issues the SSL certificates, which enable a web browser and website to exchange encrypted information using the SSL protocol.

KPN's Corporate Market is known as an intermediate Certificate Authority, one of hundreds of businesses and organisations around the world that can issue SSL certificates linked backed to a so-called root Certificate Authority. CAs are a particularly attractive target for hackers.

Creating a fraudulent certificate can make it appear a person is visiting a legitimate website when in fact it is not or to intercept information. Security experts have called the current SSL issuing system weak.

Last week, a Malaysian intermediate certificate authority called Digicert revoked 22 of its own certificates due to weak RSA encryption keys and missing certificate extensions. On Thursday, Mozilla and Microsoft revoked all certificates issued by the company.

In August, a Certificate Authority called DigiNotar, which is a subsidiary of Vasco Data Security International, revealed that it had been hacked earlier in the year. Browser makers ended up revoking some 500 fraudulent SSL certificates.

Among the companies affected was Google, which said a fake certificate was used in attempted man-in-the-middle attacks against users of its Gmail service in Iran. The fraudulent certificate would allow a hacker to view information passing between a Gmail user and Google's servers.

DigiNotar filed for bankruptcy in a Dutch court in September.

Share:

Comments

Advertisement
Send to a friend

Email this article to a friend or colleague:


PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.


We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

ComputerworldUK Knowledge Vault

ComputerworldUK
Share
x
Open
* *