KPN has stopped issuing SSL security certificates while it investigates a four-year-old intrusion into its web server
KPN has become the latest company to halt its SSL certificate operations following the discovery of a security breach – in this case, an intrusion that took place four years ago and remained undetected.
On Friday, KPN said it would temporarily stop issuing certificates while it carries out an investigation, the results of which are expected early this week.
False SSL certificates could be used to trick a user into revealing sensitive data via a website that appears to be secure.
“During an investigation into the SSL web server, evidence was detected that could indicate an incident four years ago,” KPN said in a statement.
The intruders appeared to have intended to make use of the server to launch distributed denial of service (DDoS) attacks against other organisations, KPN said.
“Although there is no evidence that certificate production was compromised, it cannot be completely excluded that this may have happened,” KPN stated.
The company said it has replaced the affected web servers and has brought in independent investigators who are looking into the matter, with the oversight of the Dutch government.
The incident follows security breaches at several SSL certificate authorities (CA) this year, including DigiNotar, another Dutch firm, which resulted in the issuance of at least 500 false certificates for websites such as Gmail, Skype, Adobe, the CIA, MI6, Facebook, Twitter, Tor, WordPress, Mossad, AOL and LogMeIn.
Many web browser makers removed DigiNotar from their lists of trusted authorities and the company itself filed for bankruptcy in September as a result of the attack.
Ironically, KPN said at the time that it had seen a boost in its own certificates business as a result of the DigiNotar attack.