StartSSL the story so far.

If you were watching the SSL policy sphere yesterday you will have seen a dust-up between StartSSL's Eddy Nigg and some members of the community hoping for a disclosure from StartSSL about the incident that occurred on June 15th. I contacted Eddy Nigg with some questions that he was nice enough to answer.

The good news is that I now believe there is nothing for the public to be concerned about, but the bad news is full public disclosure is still outstanding.

The story starts from the public perspective like all CA security breaches. A hacker gets into a system he/she shouldn't have access to, does something bad and everyone freaks out because, well, the CA system in general is severely broken. If even one CA certificate is compromised, the implications are huge, and would require the patching of browsers around the world to restore trust to the entire system.

The StartSSL case seems to be as many had suspected, a hacker was able to breach a web server at StartSSL and security procedures caught the attack before CA trust was affected. Eddy reiterated this via twitter saying "There is no question and no possibilty - and we clearly notified that NO relying party was ever affected." when asked if there was even the possibility that a bad certificate had been generated. I was also able to find a previous interview he had done with The Register which also confirms that no cryptographic information was accessed as a result of the attack.

The secrecy around the incident however suggests that there is much more going on behind the scenes. What is under investigation appears to be an incidence of an attack class now known as an 'Advanced Persistent Threat'. This type of attack has recently seen nation states implicated in major hacking scandals, including significant breaches into Google, the security company RSA and the Canadian Government among many others. The public statements from StartSSL however underscore that the attack was intercepted before it could breach the CA's cryptographic signing material and cause any damage to the SSL ecosystem. So why the dust-up and controversy? It seems this ongoing investigation is the answer and it appears to be tying the founders hands in regards to public disclosure of the incident. In that regard Eddy could only say "I'll let your imagination play, however I very much hope that I'll be able to go public when I can."

To the question of whether there were any third parties aware of the full details, Eddy shared that the "The major software vendors received more intimate details." and that StartSSL still has the full trust of those organizations. He also mentioned that other trust auditors have had praise for their handling of the incident and expressed annoyance at the general lack of confidence and trust placed in those responding.

In the end, the twitter dust-up seems to be the result of a founder frustrated by his inability to speak publicly about the incident and the public's frustration about not knowing the details of a potentially serious hack near the CA system. For now, all we know is that StartSSL seems to be handling the issue in a responsible way, and notifying those who need to know without compromising the ongoing investigation into the incident. Hopefully in the future we'll hear the full story, but until then, we'll just have to live with the knowledge that industry authorities have reviewed the incident and that they continue to place their trust in StartSSL.