by Roel Schouwenberg
Editor’s note: This story was reposted from Securelist.com.
Diginotar basically consisted of two seperates branches. One branch was a certificate authority which dealt with regular businesses. The other branch was focused on government and called “PKIoverheid”. The audit conducted on Diginotar’s systems showed the integrity of the PKIoverheid authority couldn’t be guaranteed. It should be presumed the integrity is broken.
At the beginning of last week the Dutch government had vouched for the integrity of the PKIoverheid CA (Certificate Authority). This caused the browser makers to only blacklist the non-goverment CA from Diginotar. Next time around browser makers won’t be quite as trusting.
The attack on Diginotar doesn’t rival Stuxnet in terms of sophistication or coordination. However, the consequences of the attack on Diginotar will far outweigh those of Stuxnet. The attack on Diginotar will put cyber war on or near the top of the political agenda of Western governments.
Here’s a break down of most of the important takeaways from this incident:
- 500+ rogue certificates — A list of rogue certificates has been released. A run down of the targeted domains can be found on the bottom of this page. 531 rogue certificates is a very far cry from the “couple dozen” which Diginotar originally reported. Some attention has been put toward the rogue certificates generated for the CIA and others. No actionable intelligence would be gathered from snooping on traffic to the CIA web site. So the exact motive here isn’t clear.
- WindowsUpdates — A rogue certificate for WindowsUpdates was also issued. It’s my understanding WU only runs programs which are digitally signed by Microsoft. So, to actually push malware through WU would require a rogue certificate which would also allow the attacker to sign code rather than just run SSL websites. Potentially Microsoft has some other checks in place that would prevent exploitation by a rogue certificate.
- Code signing — The screenshot shown here shows the *.google.com certificate also to be valid for code signing. That means this attack could transcend the browser. The attackers could send targets malware which would appear to be coming from Microsoft or other affected parties. At this point it becomes critical for these certificates to be blocked OS-wide, not just in the browser.
- Two attacks? — Right now it’s not clear the PKIoverheid CA branch was hit during the same attack as the ‘regular’ DigiNotar CA. None of the 500+ fraudulently issued certificates have been signed with the PKIoverheid certificate.
- Consequences of PKIoverheid CA revokation — The damage sustained to the Dutch (government) IT infrastructure is quite significant. A lot of services are no longer available. Effectively, communications have been disrupted. Because of this one could make an argument the attack is an act of cyber war.
- Cyberwar on the agenda — Stuxnet had a huge impact. However, there didn’t seem to be a sense of urgency to put cyber war and cyber security on most of the political agendas. This incident will clearly put cyber security and cyber war on the political agenda.
- Attribution — The Dutch government is launching a formal investigation to find out if the Iranian government was behind the attack. Right now, it’s all speculation. Any kind of hints found in the registered certificates could well be decoys. I remain with my stance that a government operation is the most plausible scenario.
- Mobile devices — While browsers for desktops and laptops are receiving updates to blacklist these CAs it remains very quiet on the mobile front. This is especially worrisome as *.android.com is one of the targeted domains in this attack. Here’s a simple guideline: If a device can do email or web browsing then the CAs need to be revoked on that device.
- Apple — So far it’s not known if Apple is even planning on revoking these CAs. I don’t understand why Apple is keeping radio silence on this and quite frankly it’s unacceptable. Using third party web browsers/email clients is the way to go.
- Other CAs — The main reason why Diginotar has been excommunicated is the fact they didn’t disclose the breach. With some 500 authorities out there globally it’s hard to believe Diginotar is the only compromised CA out there. Diginotar will quite likely go out of business. This should serve as a very strong message for CAs to go public with any breach.