A co-founder of The Tor Project says his organization is being kept in the dark about the status of a dozen fraudulent SSL certificates issued in its name by a compromised root server operated by Diginotar. The bogus certificates could be used to carry out man in the middle attacks, or trick unsuspecting Internet users into downloading a compromised version of the Tor anonymity software.
The post, by Tor Project co-founder Jacob Appelbaum, is just the latest to raise troubling questions about Dutch certificate authority Diginotar’s handling of the security breach that resulted in the creation of hundreds of fraudulent digital certificates for leading online services, including Google and Mozilla, makers of the Firefox browser.
Most of the coverage of the breach to date has focused on man in the middle attacks linked to a forged Google.com certificate. Diginotar and its parent company, Vasco, have admitted, however, that the breach involved dozens of firms, not just Google, and the exact number of fraudulent certificates issued is still unknown, since Diginotar hasn’t released a comprehensive list of certificates. A report by the Dutch Web site nu.nl on Wednesday named the Tor Project, along with Yahoo.com, WordPress.com and Mozilla, among the leading services targeted by the hackers.
Each day, however, brings new and troubling revelations. Among them is a report Thursday from anti-malware firm F-Secure, which has found evidence of compromises of Diginotar’s Web site dating to May 2009, and evidence of man in the middle attacks targeting Google users dating from May 2010.
In his post, Appelbaum said that The Tor Project doesn’t rely on SSL certificates to guarantee the security of its network. However, forged certificates could be used in targeted attacks to trick users into accessing compromised systems that appear to be legitimate Tor infrastructure. According to Appelbaum, The Tor Project struggled to get confirmation from Diginotar that it was a target in the attack.
After reaching out to the company, Tor – which has its own, secure Web browser – learned that a dozen certificates had been issued for the torproject.org Web domain. One batch of six certificates was issued on July 18 and the second on July 20th of 2011. Both sets of certificates have since expired, but Tor said it doesn’t have any evidence that Diginotar took the extra step of revoking those certificates, nor has the company provided The Tor Project with a copy of any of the certificates that it issued for torproject.org.
“We are not sure that they have copies nor if they are willing to disclose any copies they may or may not have. This point is extremely disconcerting as the CRL/OCSP (Certificate Revocation List/Online Certificate Status Protocol) revocation process is essentially worthless,” he wrote.
Appelbaum also echoes criticism from other quarters that Diginotar might not actually know the extent of the breach, nor how many fraudulent certificates were issued.
In the absence of guidance from Diginotar and Vasco, browser makers including Google, Microsoft and Mozilla have taken matters into their own hands. Google has reportedly blacklisted hundreds of certificates thought to have been issued by Diginotar’s certificate authorities. As Threatpost reported, that may be causing problems for companies and governments that rely on Diginotar’s certificate authorities, as well.
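The following Go example, added here and not code from Threatpost, Tor or Diginotar, makes concrete the two points above: a CRL/OCSP lookup can only catch a certificate whose serial number the CA knew and published, which is why revocation is worthless when the CA cannot produce copies of what it issued, while distrusting the issuer outright, as the browser vendors did, rejects everything that CA signed. It uses Go's standard x509 package; the self-signed sample certificate, the "DigiNotar" organisation name and serial 4242 are constructed placeholders, not the real forged certificates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert builds a self-signed sample certificate (constructed test data, not a real
// DigiNotar certificate) with the given issuer organisation, CN and serial number.
func makeCert(org, cn string, serial int64) *x509.Certificate {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{Organization: []string{org}, CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	// Self-signed: the issuer name is copied from the subject, so Issuer.Organization == org.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced above always parses
	return cert
}

// verdict contrasts the two defences: crl (keyed by decimal serial number) models a
// CRL/OCSP lookup, which only catches serials the CA knew and published; distrusted
// models the browser vendors' response of rejecting the issuer organisation outright.
func verdict(cert *x509.Certificate, crl, distrusted map[string]bool) string {
	if crl[cert.SerialNumber.String()] {
		return "revoked"
	}
	for _, org := range cert.Issuer.Organization {
		if distrusted[org] {
			return "distrusted"
		}
	}
	return "accepted"
}
```

A forged certificate whose serial was never disclosed is "accepted" by the CRL check alone and only caught once the issuer is distrusted.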
Appelbaum said the Diginotar hack makes a similar attack on Comodo, another certificate authority, look “minor” by comparison. Tor users are advised to update their browser and verify the digital signature of any Tor bundles installed with Firefox and other browsers. Tor users who have downloaded copies of any Tor software in the past few months are asked to help the company determine if there was any attempt to alter them and report it to Tor.