The disturbingly complete compromise of DigiNotar, the Dutch certificate authority, has broad ramifications for other CAs, enterprises and consumers who rely on the shaky web of trust that comprises the CA system. Here’s what you should know about the attack and what you can do to protect yourself against intrusions resulting from it.
What Happened
An unknown attacker was able to infiltrate the CA infrastructure at DigiNotar, a Dutch company that not only sells commercial SSL certificates but also works with the country’s government on its PKI implementation. The attackers then issued valid SSL certificates to themselves for a series of prominent domains, including *.google.com, Yahoo, Mozilla Add-Ons and others. The attack came to light earlier this week when users in Iran began noticing some odd re-routing of traffic going to and from Gmail. Speculation began emerging that the Iranian government was conducting a man-in-the-middle attack against its citizens in an effort to eavesdrop on their email and other online activities.
The browser manufacturers, including Mozilla, Microsoft and Google, tooke steps to remove the DigiNotar root certificate from their lists of trusted roots. Mozilla released an update for Firefox that removed the cert, Microsoft pulled it from the store used by Internet Explorer and Google blacklisted the certificate from Chromium.
What it Means
This is bad. And not bad meaning good, but bad meaning bad. The compromise of a trusted root CA, albeit a relatively small one, such as DigiNotar has wide-ranging ramifications. The most important consequence is that the certificates issued by DigiNotar are now untrusted by the major browsers. That means that the previously trusted connections secured by those certificates are no longer treated as trusted. Instead, users going to one of the sites will see an error message warning them about the invalid certificate.
But more broadly, the compromise of DigiNotar, taken together with the similar attack on Comodo earlier this year and others performed against CAs in the past, paints an ugly picture of the not only the security at the CAs but also of the architecture of the CA system itself. It’s not clear right now what can be done to improve things on that front.
What You Can Do
Update your browser to take advantage of the patches that disable the DigiNotar root. Stop reading and do this right now. In Firefox, go to Help, About Firefox, and the click on Check for Updates. You can download the newest version of Chrome from Google. Another option is to install the Convergence add-on for Firefox, which replaces the CA infrastructure with a series of trust notaries that users can update dynamically so that they’re not locked in to the list of trusted roots in their browsers.
Also, the DigiNotar attack should be taken as a clear reminder of the fragility of the CA system and the importance of paying close attention to the error messages thrown by your browser. If something looks a bit off about a site or your browser detects a problem, get off the site as quickly as possible. Attackers have discovered how easy it is to compromise the companies designated as trusted third parties in the CA system, and you should expect that there will be more of these revelations in the coming months.