|Industry||Computer security, Internet security|
|Founded||Belgium (1996)|
|Headquarters||Cambridge, Massachusetts, United States|
GlobalSign is a company founded in 1996 and a subsidiary of GMO CLOUD K.K. in Japan. It is a WebTrust-certified certificate authority that provides publicly trusted, X.509-compliant SSL certificates (including the new Extended Validation Certificate), S/MIME certificates and code signing certificates for use on all popular platforms, including mobile. Other services include a trusted root certificate authority (CA) chaining program for trusted PKI deployments, which allows the widely distributed and trusted GlobalSign root CA certificates to cryptographically chain subordinate root CAs for use in Microsoft CA and other in-house CAs. Such chaining allows these non-commercial CAs to control their own internal PKI, typically issuing SSL certificates and digital IDs for secure email and two-factor authentication. These solutions enable end users to conduct secure online transactions and data submission, to distribute tamper-proof code, and to bind identities to client certificates for email security and remote two-factor authentication, such as SSL VPN. GlobalSign has also introduced digital certificates for signing Adobe Systems PDF documents, Microsoft Office documents and VBA macros.
GlobalSign is a member of the CA/Browser Forum, the certificate authority industry standards group.
Alleged security breach
In September 2011, GlobalSign temporarily suspended issuing authentication certificates after an anonymous hacker compromised their servers. The person responsible for the DigiNotar hack claimed that he had also hacked the systems of GlobalSign, and GlobalSign took the claim seriously enough to halt the signing and issuing of new certificates while investigating the claims.
On December 13, 2011, GlobalSign released its final report on the incident. The detailed report outlined the timeline of events and concluded the following: There was no evidence of any rogue certificates issued or any customer data exposed. There was no evidence of compromised GlobalSign root certificate keys and associated hardware security modules. There was no evidence of compromised GlobalSign CA infrastructure, issuing authorities and associated HSMs, or registration authority services.
GlobalSign’s incident report refers to a peripheral web server, hosting a public-facing web server, that was breached. What would have been exposed were publicly available HTML pages, PDFs, and the SSL certificate and key issued to www.globalsign.com. GlobalSign revoked the SSL certificate and key for their website and issued new ones.
Naked Security summary
Sophos’s Chester Wisniewski summarized the report and GlobalSign’s response to the incident on his blog and concluded “Not only is the report thorough and convincing, but it appears that GlobalSign took every action, exactly as they should have, both during and after the incident.”
SSL configuration checker
In November 2012, GlobalSign launched this free online service, which allows website administrators to confirm that they have correctly configured SSL across their websites and to receive actionable guidance on how to remediate any faulty or exploitable SSL configurations. Correctly configured SSL improves website performance and strengthens security, allowing organizations to preserve the end-user experience and provide better defense against SSL BEAST, CRIME, and other common and damaging attacks that exploit faulty SSL configurations. Any organization can use the service by visiting sslcheck.globalsign.com. Once there, users simply enter the URL of the website they want to check. After a brief scan, the user receives a letter grade with a simplified explanation of any issues found in the website's SSL configuration and actionable remediation steps. The SSL Configuration Checker integrates the assessment technology of Qualys SSL Labs, which is focused on auditing the SSL ecosystem, raising awareness, and providing tools and documentation to website owners so they can improve their SSL implementations. The tool is available in Dutch, English, French, German, Japanese, Russian and Spanish.
Memberships and awards
GlobalSign is a founding member of the CA/B Forum, a voluntary consortium of certification authorities, vendors of Internet browser software, operating systems, and other PKI-enabled applications that promulgates industry guidelines governing the issuance and management of X.509 v.3 digital certificates that chain to a trust anchor embedded in such applications.
GlobalSign is also a founding member of the Certificate Authority Security Council, a multi-vendor industry advocacy group created to conduct research, promote Internet security standards and educate the public on Internet security issues.
GlobalSign has been recognized by the Online Trust Authority (OTA) as Web Compliant since 2001.
Additionally, Chief Product and Marketing Officer Lila Kee is an executive member on the North American Energy Standards Board (NAESB). Kee is a board member on the Wholesale Electrical Quadrant Board of Directors where she takes a lead role in the development of security best practices and standards needed to secure electric-industry wholesale business applications.
Recognized industry firsts
GlobalSign was the first CA to improve revocation (page load) speed for HTTPS pages.
The company was also the first to offer IPv6 compliant revocation services.
- Certificate Authority
- Extended Validation Certificate
- Public key certificate
- Public-key infrastructure
- Transport Layer Security