It wasn’t entirely obvious to me, when we made the decision some six years ago to implement a certification authority that does things differently, that we’d end up against a country-sponsored cyber-war. And even though I incidentally called this very blog “Join the Revolution”, I didn’t have in mind to have anything to do with securing a real revolution of any country or protecting dissidents from any regime. Not that kind of revolution anyway.
In fact, StartCom never issued certificates for particular high-profile sites such as Google, Facebook and Twitter, which seem to be the most popular targets these days, so what do we have to do with it? Actually not much, but here is the catch: It’s fairly easy to issue digital certificates for those high-profile sites, the art is not to issue them. But that’s exactly what some want the certificate authorities to do - against their own will obviously.
In June this year, StartCom’s infrastructure was attacked and a server compromised with the goal to fraudulently obtain certificates for Google, Twitter and Yahoo. And probably some more, but that’s as far as it got. The incident was widely published after we disabled our services and notified the public about a security breach.
Attacks on certificate authorities have become disastrous recently, and even though we foiled the attack and ultimate goal on StartCom, I’m lined up today in a war that hasn’t much to do with me nor with my intentions. But suddenly the landscape of the Internet, its social web sites and Internet security received a completely different dimension - one of espionage and countries like Iran sponsoring attacks on the foundations of our online security and war on our freedom for privacy as yet another certificate authority goes offline. This is no longer about securing convenient online-shopping, protecting passwords and best practices for web site owners and their visitors who are living in normal, sane and modern democracies.
When my competitor Melih from Comodo announced that an attack on their company was state-funded by Iran, it appeared to be far-fetched. Today we have the necessary evidence that this is indeed the case - with software vendors, certificate authorities, internet service providers and probably even entire governments confronted. A new era has begun, determined to circumvent military-grade encryption by compromising the issuers of the digital certificates - it’s a declared cyber-war - sponsored, paid for and eventually turned against its own people.