KPN stops issuing SSL certificates after possible breach

KPN said it does not appear any fraudulent SSL certificates were issued, though

The largest telecommunications company in the Netherlands has stopped issuing SSL (Secure Sockets Layer) certificates after finding indications that the website used for purchasing the certificates may have been hacked.

The backend infrastructure used to generate certificates does not appear to have been affected, although an investigation is under way with results expected soon, KPN spokeswoman Simona Petescu said on Monday.

During an audit, the public-facing website showed indications that someone may have tried to prepare it for Distributed Denial-of-Service (DDOS) attacks as long as four years ago, according to a press release issued on Friday by KPN.

It does not appear that any fraudulent SSL certificates have been created, Petescu said. But as a precaution, it stopped issuing certificates and also notified the Dutch government's interior affairs ministry, she said.

KPN's corporate IT services branch, KPN Corporate Market, issues the SSL certificates, which enable a Web browser and website to exchange encrypted information using the SSL protocol.

KPN's Corporate Market is known as an intermediate Certificate Authority, one of hundreds of businesses and organizations around the world that can issue SSL certificates linked backed to a so-called root Certificate Authority.

CAs are a particularly attractive target for hackers. Creating a fraudulent certificate can make it appear a person is visiting a legitimate website when in fact it is not or to intercept information. Security experts have called the current SSL issuing system weak.

Last week, a Malaysian intermediate certificate authority called Digicert revoked 22 of its own certificates due to weak RSA encryption keys and missing certificate extensions. On Thursday, Mozilla and Microsoft revoked all certificates issued by the company.

In August, a Certificate Authority called DigiNotar, which is a subsidiary of Vasco Data Security International, revealed that it had been hacked earlier in the year. Browser makers ended up revoking some 500 fraudulent SSL certificates.

Among the companies affected was Google, which said a fake certificate was used in attempted man-in-the-middle attacks against users of its Gmail service in Iran. The fraudulent certificate would allow a hacker to view information passing between a Gmail user and Google's servers.

DigiNotar filed for bankruptcy in a Dutch court in September.

Send news tips and comments to jeremy_kirk@idg.com

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags securityKPN

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?