After yesterday’s news concerning the fake certificate found in Iran that allowed an attacker to impersonate Google.com, Vasco, the parent company of certificate authority DigiNotar, released a statement explaining what happened.
As is usually the case with security incidents, the statement was light on details, but claims the certificate authority was hacked and certificates for a “number of domains” were signed by the hackers using their root certificate.
Certificate authorities are “trusted” entities that validate the certificates which allow people to create encrypted connections to web servers.
They are responsible for confirming the identity of the entity requesting a certificate so that people are unable to impersonate other people’s servers.
DigiNotar discovered they were hacked on July 19th, but the intrusion began at least as early as July 10th, 2011.
They performed an audit and revoked what they thought were all of the fraudulently issued certificates, but somehow missed one that was created to impersonate Google.
Missing the issuance of a certificate for Google raises questions about the quality and depth of the audit they performed. So does the fact that, after the audit, Mikko Hypponen of F-Secure discovered several hacked web pages on DigiNotar’s site dating back to May 2009.
What constitutes a “number of domains?” DigiNotar hasn’t told us, but a quick look at the source code for Chromium (the open source version of Chrome OS and Chrome browser) shows that Google is blocking 247 new certificates.
Were these all issued by DigiNotar? It is difficult to tell.
However, considering only 10 were blocked previously, this is a strong indication that these additional blacklisted certificates were most likely part of this incident.
We can only speculate as to which other domains may have been targeted by the hackers, but it’s not a stretch to imagine someone who wished to spy on Google traffic might also target services like Facebook, Microsoft, Yahoo and Skype.
DigiNotar’s ability to keep such a large incident secret for so long demonstrates that our trust in certificate authorities is misplaced.
To rely on certificate revocation to protect internet users is irresponsible, as most browsers and operating systems do a less than adequate job of honoring these lists.
DigiNotar has published an article in Dutch explaining that 99.99% of browser warnings concerning its certificates can be ignored.
This is terrible advice. While it will be difficult for DigiNotar customers to replace their certificates with new ones, this is the only solution.
If DigiNotar published the list of domains for which certificates were fraudulently signed, this would be easier.
The existing certificate system may not be ideal, but certificate warnings should not be ignored.
8 comments on “Google blacklists 247 certificates. Is it related to DigiNotar hacking incident?”
This is unacceptable! We trust the digital certificates to be accurate and safe to use. I am going to think twice about online shopping, of course my credit card company has fraud protection so I am covered, but I don't like this one bit.
Performing a conservative analysis (i.e. extract and include all revoked certs during July and August, not only after July 19) of the CRLs
rom$ openssl crl -text -inform der -in latestCRL.crl | grep 'Revocation.*2011.GMT' | egrep 'Aug|Jul' | wc -l
gives the result – 86
Thus, these are the certs that are revoked as of today.
This is clearly less than 247. What is it that DigiNotar does not tell us? And why does it not block false certs, when Google does?
On another note: the whole concept of PKI is a bit broken when one has to download new binaries (e.g. new Firefox or new Chrome) to get these blacklists updated.
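The CRL count from the comment above, and the post's point that revocation lists are what browsers are supposed to honour, as an added Python example that is not the commenter's script and not anything DigiNotar published: it walks the CRL's DER structure with a small parser (no third-party library) and runs on a constructed toy CRL with made-up serials, a fake issuer and a dummy signature, so any real use would first verify the CRL signature against the issuer's certificate.

```python
from datetime import datetime, timezone
def der_read(buf, pos):
    """One DER TLV at pos -> (tag, value, next_pos); supports long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def der_children(value):
    """Yield (tag, value) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        yield tag, val
def parse_time(tag, value):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ) -> aware datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)
def crl_revocations(crl_der):
    """[(serial, revocation time)] from a DER CRL (RFC 5280 s5.1). Signature is NOT verified here."""
    tbs = next(der_children(der_read(crl_der, 0)[1]))[1]  # CertificateList -> tbsCertList
    fields = list(der_children(tbs))
    if fields[0][0] == 0x02:  # optional version INTEGER
        fields = fields[1:]
    # after signature, issuer, thisUpdate: only revokedCertificates is a SEQUENCE ([nextUpdate] is a Time, [extensions] is [0])
    revoked = [v for t, v in fields[3:] if t == 0x30]
    out = []
    for _, entry in der_children(revoked[0] if revoked else b""):
        (_, serial), (ttag, tval) = list(der_children(entry))[:2]
        out.append((int.from_bytes(serial, "big", signed=True), parse_time(ttag, tval)))
    return out
def revoked_between(crl_der, start, end):
    """Serials revoked inside [start, end]: the commenter's grep/wc, done on parsed dates instead of text."""
    return [s for s, when in crl_revocations(crl_der) if start <= when <= end]
def utc_dt(*ymd): return datetime(*ymd, tzinfo=timezone.utc)
# Below: a constructed toy CRL (not DigiNotar's) so the parser can run offline.
def tlv(tag, content):
    n, k = len(content), (len(content).bit_length() + 7) // 8
    length = bytes([n]) if n < 128 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + length + content
def der_int(n):
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))
def der_utc(dt):
    return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))
def sample_crl():
    """Made-up serials and dates, fake issuer 'Toy CA', dummy (unverifiable) signature."""
    entries = [(1001, utc_dt(2011, 6, 30)), (1002, utc_dt(2011, 7, 10)), (1003, utc_dt(2011, 7, 19)), (1004, utc_dt(2011, 8, 29))]
    revoked = tlv(0x30, b"".join(tlv(0x30, der_int(s) + der_utc(w)) for s, w in entries))
    sig_alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))  # sha256WithRSAEncryption
    issuer = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, b"Toy CA"))))
    tbs = tlv(0x30, der_int(1) + sig_alg + issuer + der_utc(utc_dt(2011, 8, 30)) + der_utc(utc_dt(2011, 9, 30)) + revoked)
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00" * 5))
```

Replace `sample_crl()` with the bytes of a downloaded CRL (`-inform der`, as in the comment) to reproduce the count on real data.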
I do not understand why Microsoft is silent in regard to this incident. When a similar incident happened with Comodo they were very fast to come forward with a Security Bulletin (KB2524375) to remediate the situation, but now they just issued an advisory.
Check Microsoft Security Advisory 2607712 (released 8/29):
Microsoft has nuked DigiNotar from its root certificates. So whoever uses the company will get a certificate error as DigiNotar is not one of the trusted certificate authorities. Btw what certificate authority does Google use? Also what is a man in the middle attack?
Google uses a certificate issued by Thawte SGC CA, which is owned by VeriSign, which is owned by Symantec.
Does anyone else feel that we should be told more about this audit? After all, we place full trust in DigiNotar…
Now it seems that DigiNotar has been taken over by the Dutch Government.