What can you trust if you can’t trust your Secure Sockets Layer (SSL) certificate vendor?
It appears that the rogue certificates “issued” by the Dutch company DigiNotar extend well beyond the fake Google certificate reported recently. Certificates in the names of the CIA, MI6, Google, Facebook, Twitter, Microsoft, Skype, Mozilla, Yahoo, Tor, WordPress, Mossad, AOL and LogMeIn can no longer be trusted, and DigiNotar has been removed from the lists of trusted authorities shipped by most of the major browsers.
What is even more worrying is that certificates were issued with *.*.com and *.*.org names. There has been some confusion over whether these “double wildcard” certificates are valid; if a client honoured them, no .com or .org site could be trusted while a DigiNotar root remained in its trust store. In practice the hostname-matching rules that browsers follow (RFC 6125) only honour a wildcard in the left-most label, so a conforming client would treat *.*.com as matching no hostname at all. That is no comfort about what else the attacker was able to issue, but it does mean the double-wildcard names were less dangerous than they look.
SSL certificates are meant to be the proof that you are talking to a bona fide entity on the Internet. The theory goes like this: if you make a connection to a Web site and HTTPS appears in the URL, you are securely connected to the real banking, shopping or registration site and all is well. The browser shows a tiny closed padlock so you are doubly sure that nobody else can eavesdrop on the information.
That’s been the theory, but the practice is becoming less and less trustworthy. The number of rogue certificates issued from DigiNotar’s systems is said to be 531, and these may include intermediate signing certificates. An intermediate certificate delegates authority to a third party to sign and validate certificates on DigiNotar’s behalf, and anything it signs chains back to a DigiNotar root that the browsers trusted. Attackers reportedly signed 186 certificates that could have been intermediates passed off as well-known certificate authorities such as Thawte, VeriSign, Comodo and Equifax.
DigiNotar is the latest SSL Certification Authority (CA) to find itself the target of hackers and to lose control of its precious certificate issuance. The hack came to light when an Iranian Gmail user posted about a certificate warning that had appeared in Google’s Chrome Web browser, mentioning a “revoked certificate” for SSL-based Google services.
This led to the revelation that the breach had allowed a *.google.com certificate to be issued. The asterisk stands for any single label, so the certificate would pass for mail.google.com, docs.google.com or any other google.com host (though not for google.com itself, nor for deeper names such as a.b.google.com), and it had been in circulation for some seven weeks before anyone noticed.
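Both the *.google.com certificate and the *.*.com names discussed above come down to one question: how a client matches a hostname against the dNSName entries in a certificate. The following is an added example written for this article, not code from DigiNotar, Vasco or any browser. It implements the RFC 6125 section 6.4.3 matching rules in Python; the SAN lists at the bottom are constructed for the example, and the requirement that at least two labels follow a wildcard is the example’s own policy, modelled on the comparable rules browsers apply so that names like *.com never match anything.

```python
"""Hostname matching against certificate dNSName patterns (RFC 6125 s6.4.3).

Added example for this article; not DigiNotar's, Vasco's or any browser's
code. The "at least two labels after the wildcard" rule is this example's
own policy, modelled on what browsers do to keep "*.com" from matching.
"""
from __future__ import annotations

import re

# A DNS label: letters, digits, hyphens (not leading/trailing), or a wildcard.
_LABEL_RE = re.compile(r"^[a-z0-9*](?:[a-z0-9*-]*[a-z0-9*])?$")


def _labels(name: str) -> list[str]:
    """Lower-case a DNS name, drop one trailing dot and split it into labels."""
    name = name.lower()
    if name.endswith("."):
        name = name[:-1]
    labels = name.split(".")
    if any(not _LABEL_RE.match(label) for label in labels):
        raise ValueError(f"malformed DNS name: {name!r}")
    return labels


def match_dns_name(pattern: str, hostname: str) -> bool:
    """Return True if the presented identifier `pattern` covers `hostname`."""
    p = _labels(pattern)
    h = _labels(hostname)
    if any("*" in label for label in h):
        return False                      # a reference identifier never has wildcards
    if not any("*" in label for label in p):
        return p == h                     # plain name: exact, case-insensitive match
    # Rule 1: a wildcard may appear only in the left-most label, and only once.
    # This is what makes "*.*.com" and "bar.*.example.net" match nothing at all.
    if any("*" in label for label in p[1:]) or p[0].count("*") != 1:
        return False
    # Policy (assumed, browser-like): at least two labels must follow the
    # wildcard, so "*.com" and "*.org" are rejected outright.
    if len(p) < 3:
        return False
    # Rule 2: the wildcard stands for exactly one label, so the label counts
    # must agree and every label to the right of it must match exactly.
    # "*.google.com" therefore covers mail.google.com but neither google.com
    # nor a.mail.google.com.
    if len(p) != len(h) or p[1:] != h[1:]:
        return False
    if p[0] == "*":
        return True
    # Rule 3: partial wildcards such as "baz*" are permitted, but never against
    # an internationalised A-label ("xn--..."), where a textual match is meaningless.
    if h[0].startswith("xn--"):
        return False
    prefix, suffix = p[0].split("*")
    return (h[0].startswith(prefix) and h[0].endswith(suffix)
            and len(h[0]) >= len(prefix) + len(suffix))


def covering_name(hostname: str, dns_names: list[str]) -> str | None:
    """Return the first SAN dNSName entry that covers `hostname`, or None."""
    for name in dns_names:
        if match_dns_name(name, hostname):
            return name
    return None


if __name__ == "__main__":
    # Constructed SAN lists modelled on the names discussed in the article.
    rogue_google = ["*.google.com", "google.com"]
    double_wildcard = ["*.*.com", "*.*.org"]
    for host in ("mail.google.com", "google.com", "a.mail.google.com", "www.example.com"):
        print(f"{host:22} google cert: {covering_name(host, rogue_google)!s:14} "
              f"double wildcard: {covering_name(host, double_wildcard)}")
```

Run against the constructed names, it reports that *.google.com covers mail.google.com but not google.com itself or a.mail.google.com, and that *.*.com covers nothing at all. That is why a conforming client would never have accepted the double-wildcard certificates for any host, however alarming their existence is as evidence of what the attacker could issue.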
The fake certificate was issued on 10 July. DigiNotar claims to have discovered this on 19 July, yet said nothing publicly. The Iranian Gmail post appeared on 28 August, and Vasco Data Security International, DigiNotar’s owner, issued a press release on 30 August.
That this attack should succeed in the Netherlands is surprising, because the Dutch government exercises some of the most stringent controls over its CAs.
DigiNotar would have been obliged to undergo regular third-party audits and, as a provider of certificate services under PKIoverheid, the PKI used for official Dutch government business, even stricter rules apply: some of the European Telecommunications Standards Institute (ETSI) recommendations are mandatory for PKIoverheid clearance.
As an accredited provider in the EU, DigiNotar supplies certificates and approved secure signature creation devices (SSCDs) for producing digital signatures that are automatically accepted as legally recognised signatures, the digital equivalent of a handwritten one.
How far and how deeply this scandal will hurt the company is only beginning to show. Despite the company release signing off with a cheery comment about Vasco not believing that “the DigiNotar security incident will have a significant impact on the company’s future revenue or business plans”, it may still mean the end of DigiNotar.
Such a widespread block by the browser makers will force sites to switch to other CAs, but Vasco reckons this business accounted for less than €100,000 of its income during the first six months of this year.
Calum MacLeod, director of Venafi, an enterprise key and certificate management (EKCM) company, pointed out that government helplines in the Netherlands have been advising people to avoid using online services until further notice.
This shows how far trust has been eroded. If the company loses its PKIoverheid status, it will not only bring DigiNotar down but could also seriously damage Vasco itself. At the very least it could nullify the $12.9 million Vasco spent on purchasing the subsidiary last January. At worst it could tarnish Vasco’s DigiPass PKI offering and bring down the whole company.
Vasco is fighting to prove it is telling the truth about this side of the business being unaffected, but the question is how long that will take.
If it takes too long, the Dutch government will be forced to look elsewhere to unfreeze its online services.
With another CA, Comodo, having been compromised recently, it is clear that these trust vendors are not invulnerable. Perhaps it is time for governments and local authorities generally to reassess their online plans and prepare for the day they are hit by a similar disaster.
View Comments
Security is achieved by not trusting third parties and by the implementation of complicated procedures and control mechanisms. A lot of people and companies talk about and sell security, because they think they can earn a quick buck by flooding people with complicated terminology and nice promises, but in reality they don't have the tiniest clue on how to achieve it.