Kudos to KPN

November 9, 2011 by Jon Callas

Blogmaster Note: This was originally posted on November 8, 2011 to the ComputerWork UK Security Spotlight blog.

Disclosure is a sign of healthy regard for security threats

This weekend, the certificate authority (CA) associated with the Dutch telecommunications company KPN stopped issuing SSL certificates because they detected a break-in on one of their public-facing web servers. Jeremy Kirk’s IDG story, “Dutch SSL authority KPN stops issuing certificates after hack” gives a number of details.

KPN has alerted the Dutch government, for whom they issue certificates, and with whom they are analysing the attack. The Dutch government issued a statement (which can be found here, in Dutch), but the news story provides more background.

The summary is that KPN’s security auditors found evidence that it might have been “prepared for a Distributed Denial of Service attack.” I don’t know if that means that it was set up to participate in a DDoS attack, or to be vulnerable to one, but there is as yet no evidence that the back-end servers that issue certificates were attacked.

While at first blush this might sound alarming, it is also good news. We are facing the global problem of CAs being hacked, sometimes as part of campaigns by oppressive nation states.

Attackers will always have the advantage over defenders. All Internet-facing organisations must plan not only for the possibility that they might be hacked someday, but for the likelihood that they eventually will be. Just as it is inevitable that if you drive long enough you will end up in an accident, if you run an Internet server long enough you will be hacked.

The measure of an organisation is not so much that they have a security problem, but how they handle it. In the DigiNotar incident of this past summer, much of the justifiable outrage was over the lack of notification.

It is therefore courageous of KPN to stand down their operations while they investigate further. Announcing that you have been hacked is always embarrassing, but it is the right thing to do. Customers and colleagues need to know, because an attack on an authority can have far-ranging consequences. While KPN have given few details, that is perhaps understandable, given that they are rather busy right now.

I wish them luck in their analysis and hope that there was no serious breach. I also thank them for their forthrightness and bravery in letting the world know about the issue.

Jon Callas


Jon Callas has over 30 years of experience and served as Entrust’s Chief Technology Officer. Prior to joining Entrust, Callas co-founded PGP Corporation which specialized in email and data encryption software. Over the course of more than fifteen years, Callas held leadership functions including CTO and CSO. Most recently, he also served as an operating system security expert with Apple. Additionally, he has held leadership positions with corporations including Wave Systems Corporation, Digital Equipment Corporation and Counterpane Internet Security Inc. He has also authored several Internet Engineering Task Force (IETF) standards including OpenPGP, DKIM, and ZRTP.
