StartSSL suspends services after security breach

StartSSL has suspended issuance of digital certificates and related services following a security breach on 15 June. A trademark of Eddy Nigg's StartCom, the StartSSL certificate authority is well known for offering free domain validated SSL certificates, but also sells organisation and extended validation certificates.

More than 25 thousand websites in Netcraft's SSL survey use certificates issued by StartSSL. These are recognised by Internet Explorer, Firefox, Chrome and other mainstream browsers.

StartSSL is not alone in offering free certificates. AffirmTrust recently trumped StartSSL's one-year certificates with its own offer of free three-year domain validated SSL certificates. Coincidentally, AffirmTrust announced its launch on the same day as the StartSSL security breach.

StartSSL is also not the only certificate authority to come under attack this year. In March, Comodo came under attack through three of its resellers. By compromising a GlobalTrust website, the so-called ComodoHacker managed to fraudulently issue several valid certificates, including ones for the login pages of Yahoo and Skype. These certificates were subsequently revoked and browser software was updated to explicitly blacklist them.

SOCA back online after DDoS attack

The UK Serious Organised Crime Agency (SOCA) is back online after a distributed denial of service (DDoS) attack by LulzSec forced the agency to take their website offline yesterday.

A SOCA spokesman told BBC News that the agency had chosen to take its website offline to limit the impact on other clients hosted by their service provider, Connect Internet Solutions.

The agency – which is responsible for pro-active operations against serious and organised crime – was targeted as part of Operation Anti-Security (#AntiSec), which was announced on Sunday. The top priority of the operation is to "steal and leak any classified government information, including email spools and documentation. Prime targets are banks and other high-ranking establishments."

With reference to its DDoS capabilities, LulzSec also added: "If they try to censor our progress, we will obliterate the censor with cannonfire anointed with lizard blood."

FOX employee data leaked “for the lulz”

Following last week's release of the X Factor 2011 contestant database on BitTorrent, The Lulz Boat (LulzSec on Twitter) has today released the passwords and email addresses of dozens of FOX employees.

Other files uploaded by LulzSec today suggest that the data may have been obtained through a hidden PHP script planted on, which allowed unauthorised access to a live production database. The attackers also listed the locations and partial content of several PHP configuration files on the server.

Earlier this week, two FOX Twitter accounts were also compromised. Both FOX UP and Fox 15 were hacked, presumably by LulzSec:

LulzSec also claimed to have hacked into 14 LinkedIn accounts belonging to FOX staff. The addresses of the affected accounts were posted on on Monday, but the profiles have since been taken down.

LulzSec deny being vigilantes, cyberterrorists, or having any political motives. They say "we do it for the lulz" – an expression made popular by a FOX11 news report from 2007, which is often mocked for its inaccurate portrayal of the group Anonymous. Sven Slootweg, owner of, described the FOX11 report as "complete nonsense" and told Netcraft that it had "spawned a ton of memes".

Sony PlayStation Store back online

Parts of the Sony PlayStation Network are coming back online after more than two weeks of continuous downtime.

The PlayStation Store website went online around 02:00 UTC today, although online gaming services through the PlayStation Network are still undergoing maintenance.

Sony yesterday began the final stages of testing the new PlayStation Network and Qriocity services, making sure they are secure before the services are relaunched.

Six days after the PlayStation Network was taken offline, Sony revealed that 77 million users' names, addresses, email addresses, birth dates, logins and passwords had been compromised by hackers. Although the passwords were transformed with a cryptographic hashing function, weak passwords may nonetheless be vulnerable to offline brute-force attacks. Accordingly, Sony recommended that users change their passwords if they use the same credentials for other, unrelated services.

Although credit card details were stored in an encrypted format, these could also be at risk if the decryption key was stored on, or made available to, any of the compromised servers. However, as of Wednesday, the major credit card companies have not reported any fraudulent transactions resulting directly from the Sony security breach.

Possible security breach at LastPass forces master password changes

LastPass is forcing its users to change their master passwords following a possible security breach. The free, multiplatform password manager software allows individuals to store passwords for many different websites, all of which can then be accessed using a single master password.

LastPass users only need to remember their master password to log into any website.

Users were notified of the issue after LastPass identified anomalous outbound network traffic. Although this traffic could not be accounted for, the amount of data transferred was big enough to include people's email addresses, the server salt and salted password hashes. This would provide enough information for a hacker to carry out an offline brute-force attack against the hashes, possibly allowing plaintext passwords to be recovered from many users.

LastPass remains unsure of what has actually happened, but prudently assumed the worst, noting that, "We realize this may be an overreaction and we apologize for the disruption this will cause, but we'd rather be paranoid and slightly inconvenience you than to be even more sorry later."
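The Sony and LastPass items above turn on the same point: once salted hashes leak, only password strength and the hash's cost per guess stand between the attacker and the plaintext. The following is an added example, not Netcraft's, Sony's or LastPass's code; the salt value and passwords are constructed. It contrasts a single-round hash over a server-wide salt (the shape the LastPass post describes) with PBKDF2 over per-account random salts, shows why a shared salt also exposes which accounts share a password, and measures the per-guess cost difference on your machine.

```python
import hashlib
import hmac
import os
import time
from collections import Counter

# Constructed server-wide salt of the kind the LastPass post mentions (not a real value).
SERVER_SALT = b"constructed-server-wide-salt"

def fast_salted_hash(password: str, server_salt: bytes = SERVER_SALT) -> bytes:
    """One SHA-256 round over a salt shared by every account: equal passwords give
    equal digests, and each offline guess costs a single hash computation."""
    return hashlib.sha256(server_salt + password.encode()).digest()

def slow_hash(password: str, user_salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 with a per-account salt and a tunable work factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), user_salt, iterations)

def new_record(password: str, iterations: int = 100_000) -> dict:
    """Store a password the hardened way: a fresh random 16-byte salt per account."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "hash": slow_hash(password, salt, iterations)}

def verify(record: dict, candidate: str) -> bool:
    """Check a login attempt with a constant-time comparison."""
    digest = slow_hash(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])

def duplicate_groups(digests: list) -> int:
    """How many distinct digests occur more than once in a leaked table; with a
    shared salt this directly counts groups of accounts sharing a password."""
    return sum(1 for n in Counter(digests).values() if n > 1)

def _avg_seconds(fn, trials: int) -> float:
    t0 = time.perf_counter()
    for _ in range(trials):
        fn()
    return (time.perf_counter() - t0) / trials

def cost_ratio(iterations: int = 100_000) -> float:
    """Wall-clock cost of one PBKDF2 guess relative to one fast salted-hash guess."""
    salt = os.urandom(16)
    fast = _avg_seconds(lambda: fast_salted_hash("password1"), 1000)
    slow = _avg_seconds(lambda: slow_hash("password1", salt, iterations), 3)
    return slow / max(fast, 1e-9)
if __name__ == "__main__":
    leak = [fast_salted_hash(p) for p in ["password1", "letmein", "password1"]]
    print("shared-salt duplicate groups:", duplicate_groups(leak))
    print("PBKDF2 guess costs about %.0fx a fast hash" % cost_ratio())
```

The ratio printed is the factor by which the work factor slows an offline guess; with per-account salts it also cannot be amortised across accounts, unlike the shared-salt table.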

Extended Validation SSL certificates: 4 years of growth

After more than 4 years of continued growth, Extended Validation SSL certificates still only account for 2.3% of all valid third party certificates found in the Netcraft SSL Survey. The majority of sites use the cheapest type of certificate – domain validated – although these are less common amongst high-traffic websites.

Netcraft's April 2011 survey found a total of 38,966 valid EV certificates:

Extended Validation SSL certificates typically cost more than both domain and organisation validated certificates. The vetting process for EV certificates cannot always be automated to the same degree as for domain validated certificates – for example, the current guidelines may in some circumstances require the certificate authority to arrange a site visit in order to verify an applicant's business address. Such checks ultimately ensure that EV certificates are only issued to legally established businesses or organisations.

Because simpler domain validation checks can be performed automatically, CAs can enjoy a very fast and low cost issuance process for domain validated certificates. Eddy Nigg's StartSSL is perhaps a prime example of this – they offer free domain validated certificates for one year, in addition to their range of other paid-for certificates.

EV certificates are much more prevalent amongst high-traffic or financial websites, where it is often beneficial to demonstrate higher levels of assurance to visitors. For example, losses to phishing fraud can be reduced by educating online banking customers to look for the green indicator in the browser's address bar. Because this can only be activated by an EV certificate, a fraudster would be unable to replicate this behaviour on an HTTP website or by using a more easily obtainable type of certificate.

Of course, EV certificates cannot entirely prevent phishing attacks. If an attacker were to compromise a website which already uses a valid EV certificate, he could piggyback on the trust instilled by that site's certificate to present his fraudulent content. Such a problem was first demonstrated on SourceForge, and then on a few years ago, when cross-site scripting (XSS) vulnerabilities allowed arbitrary content to be injected into webpages. PayPal was one of the first companies to use EV certificates, which they believe resulted in noticeably lower abandonment rates on signup flows.

Restricting our analysis to the busiest 1,000 websites in the world, 81 sites accepted HTTPS connections and presented a valid SSL certificate. Nearly a third of these certificates used Extended Validation – a far higher proportion than the 2.3% share of all certificates.

While domain validated certificates have the largest share of the entire market, this share starts to decline when the least visited sites are removed from the analysis. Organisation validated certificates take the largest share within the top million sites, and are still almost twice as popular as EV certificates in the top 1,000.

The future looks quite promising for both Extended Validation and domain validated certificates. Both types have shown continued growth in recent years, while the growth of organisation validated certificates has been relatively subdued. Organisation validated certificates do not offer the same level of assurance as an EV certificate, and typically cost more than a domain validated certificate, so it will be interesting to see whether these "middle of the road" certificates continue to grow – particularly in a market where many consumers may only be interested in either having the highest assurance or paying the lowest price.