DigiNotar Says Its CA Infrastructure Was Compromised

VASCO, the parent company of DigiNotar, says that the fraudulent certificate for Google's domains that the certificate authority issued was just one of many such bogus certificates it handed out in recent months, and blamed the growing scandal on an attack on its CA infrastructure.

In a statement responding to stories detailing the use of the fraudulent--but valid--wildcard certificate DigiNotar issued to an unknown third party for Google domains, VASCO officials said that the company became aware of the attack on its CA infrastructure on July 19, which is nine days after the Google certificate was issued. DigiNotar has stopped issuing certificates for the time being while it tries to figure out what happened.

"On July 19th 2011, DigiNotar detected an intrusion into its Certificate Authority (CA) infrastructure, which resulted in the fraudulent issuance of public key certificate requests for a number of domains, including Google.com. Once it detected the intrusion, DigiNotar has acted in accordance with all relevant rules and procedures," the statement says.

"At that time, an external security audit concluded that all fraudulently issued certificates were revoked. Recently, it was discovered that at least one fraudulent certificate had not been revoked at the time. After being notified by Dutch government organization Govcert, DigiNotar took immediate action and revoked the fraudulent certificate."

The discovery of the fradulent Google certificate prompted swift responses from the major browser vendors. By late Monday, both Mozilla and Microsoft had removed DigiNotar from the list of trusted root CAs for their browsers, and Google said that it also was disabling DigiNotar as a trusted root in Chrome. Removing a trusted root CA from a browser is a harsh and unusual action, and shows the level of concern that Google, Mozilla and Microsoft officials have with the situation at DigiNotar. The company, which VASCO  acquired in January, is deeply involved in projects with the Dutch government, including one called DigiD that essentially issues electronic IDs or passports to Dutch citizens.

The attack on DigiNotar specifically targeted the company's infrastructure for issuing SSL certificates and EVSSL (Extended Validation SSL) certificates, which are specialized certificates that require a higher level of investigation and validation of the recipient's identity. EVSSL certificates are designed to provide users with a higher level of trust in the identity of the sites that are presenting them, but they don't actually provide any more security than a normal SSL certificate.

As a result of the compromise of its infrastructure, DigiNotar is no longer issuing either form of SSL certificate for now.

"The company will take every possible precaution to secure its SSL and EVSSL certificate offering, including temporarily suspending the sale of its SSL and EVSSL certificate offerings. The company will only restart its SSL and EVSSL certificate activities after thorough additional security audits by third party organizations," the Vasco statement says.

As they did at the time of the attack on Comodo in March, privacy advocates and security experts are using the DigiNotar attack to point out what's wrong with the CA infrastructure as a whole. The way that the CA system is designed allows any root CA to issue a certificate for any domain, and it is left up to the issuing CA to verify that the person or company applying for the certificate is who they claim. That process is completely opaque to users, who simply rely on the list of trusted roots built into their browsers to tell them which certificates are valid and which shouldn't be trusted.

But, as the Comodo and DigiNotar attacks show, that process can be compromised, resulting in serious consequences for users around the world.

"The certificate authority system was created decades ago in an era when the biggest on-line security concern was thought to be protecting users from having their credit card numbers intercepted by petty criminals. Today Internet users rely on this system to protect their privacy against nation-states. We doubt it can bear this burden," wrote Electronic Frontier Foundation staffers Seth Schoen and Eva Galperin in a blog post.

"Certificate authorities have been caught issuing fraudulent certificates in at least half a dozen high-profile cases in the past two years and EFF has voiced concerns that the problem may be even more widespread. But this is the first time that a fake certificate is known to have been successfully used in the wild. Even worse, the certificate in this attack was issued on July 10th 2011, almost two months ago, and may well have been used to spy on an unknown number of Internet users in Iran from the moment of its issuance until it was revoked earlier today. To be effective, fraudulent certificates do not need to have been issued by the same authority that issued the legitimate certificates. For example, the certificate in question here was issued by a Dutch certificate authority with which Google had no business relationship at all; that didn't make it any less acceptable to web browsers."

Commenting on this Article is closed.