After yesterday’s news concerning the fake certificate found in Iran that allowed an attacker to impersonate Google.com, Vasco, the parent company of certificate authority DigiNotar, released a statement explaining what happened.
As is usually the case with security incidents, the statement was light on details, but claims the certificate authority was hacked and certificates for a “number of domains” were signed by the hackers using their root certificate.
Certificate authorities are “trusted” entities who validate the certificates that allow people to create encrypted connections to web servers.
They are responsible for confirming the identity of the entity requesting a certificate so that people are unable to impersonate other people’s servers.
DigiNotar discovered they were hacked on July 19th, but the intrusion began at least as early as July 10th, 2011.
They performed an audit and revoked what they thought were all of the fraudulently issued certificates, but somehow missed one that was created to impersonate Google.
Missing the issuance of a certificate for Google raises questions about the quality and depth of the audit they performed. So does the fact that, after the audit, Mikko Hypponen of F-Secure discovered several hacked web pages on DigiNotar’s site dating back to May 2009.
What constitutes a “number of domains?” DigiNotar hasn’t told us, but a quick look at the source code for Chromium (the open source version of Chrome OS and Chrome browser) shows that Google is blocking 247 new certificates.
Were these all issued by DigiNotar? It is difficult to tell.
However, considering only 10 were blocked previously, this is a strong indication that these additional blacklisted certificates were most likely part of this incident.
We can only speculate as to which other domains may have been targeted by the hackers, but it’s not a stretch to imagine someone who wished to spy on Google traffic might also target services like Facebook, Microsoft, Yahoo and Skype.
DigiNotar’s ability to keep such a large incident secret for so long demonstrates that our trust in certificate authorities is misplaced.
To rely on certificate revocation to protect internet users is irresponsible, as most browsers and operating systems do a less than adequate job of honoring these lists.
DigiNotar has published an article in Dutch explaining that 99.99% of browser warnings concerning its certificates can be ignored.
This is terrible advice. While it will be difficult for DigiNotar customers to replace their certificates with new ones, this is the only solution.
If DigiNotar published the list of domains their certificate fraudulently signed this would be easier.
The existing certificate system may not be ideal, but certificate warnings should not be ignored.