Another SSL Cert Authority Attacked

Another authentication authority has been attacked by hackers attempting to counterfeit certificates that would allow them to spoof the pages of high-profile web sites.  Israel-based StartCom, which operates StartSSL, has issued an advisory regarding a security breach last Wednesday.

The certificate authority, trusted by Microsoft IE, Google Chrome, and Mozilla Firefox browsers to vouch for the authenticity of sensitive websites, has suspended issuance of digital certificates and related services until further notice.  The hackers failed to obtain any valid certificates and failed to generate an intermediate certificate that would allow them to act as their own Certificate Authority.  The private key for the CA isn’t stored on a computer that’s attached to the internet.

This marks at least the fifth time an entity that issues SSL certificates have been targeted in as many months.  StartSSL claims to be among the top 10 issuers of certificates in the world.  It is unclear when the CA will resume its services.