Why GlobalSign Was Right to Suspend New Certificates

Here's what GlobalSign's move means, and how to evaluate a certificate authority for your business website.

When you work in computer security, reputation is everything. Certificate authority (CA) GlobalSign on Monday suspended issuance of any new certificates pending the result of an investigation into a claim by a hacker that its security had been compromised. Their swift response maintains their reputation as a leading CA and positions them as an optimal choice for anyone looking for a CA for their business.

What Do Certificate Authorities Do?

A certificate authority issues a number of certificates that certify a secure environment for websites, code, documents, objects, email, or any other form of electronic communication or programming. The most common product that a small business would be familiar with is an SSL certificate, which GlobalSign defines as "SSL/TLS encryption and identity assurance for websites".

SSL stands for "Secure Sockets Layer" and TLS stands for "Transport Layer Security." Both are communications protocols for secure transmission of information over the Internet, and are most commonly used for transmission of order, payment, and identity information. A compromise of the underlying certificate authority could mean that all of this information is also compromised. This is why GlobalSign is taking the situation very seriously and not issuing new certificates until the situation is thoroughly investigated.

A seal or sign that a website is protected by such a certificate usually goes hand-in-hand with the purchase of a certificate product. In its promotional video, GlobalSign talks about its Website Passport and the reasons why businesses should have this kind of protection on their websites.

Should I Consider a Certificate for My Website?

If you engage in any form of payment on your website, you should absolutely consider this for your business. Most certificate authorities, including GlobalSign, cite higher conversion rates as a direct result of installing a security certificate and corresponding trust seal on a website.

According to this independent paper from Milena Head and Khaled Hassanein at the DeGroote School of Business, consumers "have significant experience in the traditional market, but may not be as familiar with or comfortable in the online marketplace. Individual consumers will differ in their 'trusting' personality traits and the pace at which they attain the trust required to start transacting with an online vendor."

What Exactly Happened to Make GlobalSign Suspend New Certificates?

A hacker who goes by the handle "Comodohacker" has claimed that he has access to GlobalSign's systems as well as those of three similar companies. He broke into another certificate authority, DigiNotar, on Monday. Due to other hacks against DigiNotar in the past, most browsers no longer accept DigiNotar certificates. According to an update given to us by Steve Waite, their chief marketing officer, GlobalSign has appointed Fox-IT for help with the investigation, due to their previous involvement in investigating the DigiNotar hack.

Should I Be Concerned if GlobalSign Is My CA Provider?

If anything, I would be reassured if GlobalSign were my CA. They have publicly stated that they are taking the situation seriously. The reality is that certificate authorities are in the business of Internet security, and as a result are constantly defending against hackers. In addition, Comodohacker has claimed that they have access to GlobalSign's systems, and this claim has yet to be properly verified by the company.

What Factors Should Be Considered When Choosing a CA Provider?

There are many certificate authorities out there, and choosing one over another can be difficult. There are several factors to consider when making the choice. The extent of the identity verification when the certificate is initially issued is a very important factor. Certificate authorities should not just trust the information given to them by companies, but consult third-party records such as Dun & Bradstreet for independent verification.

Cost is another factor. A bargain-basement certificate authority simply does not have the funds for the resources needed to guard against security threats. In the case of a cheap Internet security certificate, you really do get what you pay for. Most certificate authorities will offer appropriately priced solutions for smaller businesses. If the price is too low when compared to similar companies, alarm bells should go off and you should investigate further before purchasing the cheap solution.

You should also consider who will be performing installation and installation costs. If you are not technically inclined, chances are good that the CA will offer an installation service. These should be factored into any quotes.

Test Before You Buy

Certificate authorities will gladly give you examples of companies and websites that are using their services. Test a few of them using Chrome, Firefox, and Internet Explorer to make sure that each browser accepts their certificate. Go with the company whose certificates cause the fewest issues.
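The two checks discussed above, that a distrusted CA such as DigiNotar is really gone from the trust store and that a prospective CA's certificates are accepted, can be scripted rather than clicked through. The following is an added example, not code from the article or from GlobalSign; it uses only the Python standard library, the `SAMPLE_STORE` entries are constructed, and `check_server_chain` needs network access.

```python
import socket
import ssl
from typing import Dict, List


def _name_to_str(name_tuples) -> str:
    """Flatten ssl's nested subject/issuer tuples into 'key=value, key=value'."""
    return ", ".join(f"{k}={v}" for rdn in name_tuples for (k, v) in rdn)


def load_trust_store() -> List[Dict]:
    """Return the CA certificates the local default trust store actually loads."""
    ctx = ssl.create_default_context()  # loads the platform's default roots
    return ctx.get_ca_certs()


def find_trusted_roots(ca_certs: List[Dict], name_fragment: str) -> List[str]:
    """Subjects of trusted roots whose name contains the fragment (case-insensitive).

    A non-empty result for a CA that browsers have distrusted means the local
    trust store still accepts certificates chained to that CA."""
    needle = name_fragment.lower()
    return [_name_to_str(c["subject"]) for c in ca_certs
            if needle in _name_to_str(c["subject"]).lower()]


def check_server_chain(hostname: str, port: int = 443, timeout: float = 5.0) -> Dict:
    """Live check (needs network): connect with full verification and report the issuer."""
    ctx = ssl.create_default_context()  # hostname + chain verification stay on
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
        return {"host": hostname, "accepted": True,
                "issuer": _name_to_str(cert["issuer"]), "not_after": cert["notAfter"]}
    except (ssl.SSLError, OSError) as exc:
        return {"host": hostname, "accepted": False, "error": str(exc)}


# Constructed sample store (not real certificates) to show the distrust check.
SAMPLE_STORE = [
    {"subject": ((("countryName", "NL"),), (("organizationName", "DigiNotar"),),
                 (("commonName", "DigiNotar Root CA"),))},
    {"subject": ((("organizationName", "Example Trust"),),
                 (("commonName", "Example Root CA"),))},
]

if __name__ == "__main__":
    print("constructed store still trusts:", find_trusted_roots(SAMPLE_STORE, "DigiNotar"))
    print("real store still trusts:", find_trusted_roots(load_trust_store(), "DigiNotar"))
```

Pass each reference site a CA gives you to `check_server_chain` and compare the `accepted` flags; a `False` with a verification error is the scripted equivalent of a browser warning.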

GlobalSign made the right choice to suspend new certificates based on Comodohacker's threat. It put the company in front of the problem and positioned it as a company that could be trusted to manage security threats properly. I would be much more concerned if a certificate authority did not show the same level of concern or any concern at all. Comodohacker and other such threats do not diminish the role of security certificates. If anything, they illustrate the dire need for such a service, especially in today's hacker-ridden climate.

Angela West dreams of opening a Fallout-themed pub featuring wait staff with Pip-Boys. She's written for big insurance companies, small wildlife control businesses, gourmet food chains, and more. Follow her on Twitter at @angelawest.
