The attack that compromised DigiNotar's certificate authority infrastructure is much worse than originally thought: 531 fraudulent certificates were issued, targeting the websites not only of Google but of popular destinations such as Twitter, WordPress, Yahoo and Facebook, as well as the sites of intelligence services. Mozilla is taking the lead in criticizing DigiNotar and accuses the company of being deceptive. DigiNotar is now engaged in damage control and restates what we already know: it was a politically motivated hack that especially threatens the privacy and security of Internet users in Iran.
Last week, a Google Chrome user noticed suspicious certificate activity in his browser, which has led to the discovery of one of the most extensive Internet security hacks to date, one that went unnoticed for more than a month and was covered up by certificate authority (CA) DigiNotar. While we initially knew only that there were "multiple" fraudulent certificates, and Google's changes to the Chrome code hinted that there may have been a total of 247 fake certificates, the Dutch government has now confirmed that 531 certificates were issued, enabling the attackers to intercept communications between users and the affected sites. The domains covered by the fraudulent certificates include those of Mozilla, LogMeIn, WordPress, Facebook, Twitter, Skype, the CIA, Google, the UK Secret Intelligence Service, Verisign, Israel's Mossad, and Live.com.
Mozilla developer Gervase Markham, who apparently led the investigation into the breach on Mozilla's side, expressed frustration with DigiNotar and its lack of responsiveness. In fact, even after the breach was discovered, DigiNotar's parent company, Vasco, felt no need to provide a complete data set describing it. It simply admitted that the CA infrastructure had been compromised, remained unclear about the extent, and told investors that there would be no financial impact on Vasco's operations. Markham now says that his initial requests for information from DigiNotar went unanswered and that the company's public statements "have been, at best, incomplete and at worst actively misleading."
Markham's blog post indicates, even on a generous reading, at least gross negligence on DigiNotar's side. The way the breach was handled not only put the online security of countless users at risk but possibly the lives of Iranians in particular as well. Removing trust for all DigiNotar certificates in web browsers was therefore a reasonable decision. Markham also said that Mozilla initially exempted certificates owned by the Dutch government at the request of the Dutch government, which claimed that those certificates could still be trusted. Security firm Fox-IT later found that those certificates may have been compromised as well, and trust for them was removed from Firefox too. Mozilla questioned how the Dutch government could have given an assurance that its certificates were secure when they were not.
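The Chrome user's warning and the browser vendors' removal of DigiNotar's root are two sides of the same mechanism. A fraudulent certificate passes ordinary chain validation for as long as the CA that issued it is in the browser's trust store, which is exactly what made interception possible; Chrome caught it because it also checks certificates for certain sites against a known-good ("pinned") key, and the other browsers closed the hole by dropping the root. The Go program below is an added example, not code from the page, from DigiNotar or from any browser. It creates a legitimate root CA and a "compromised" root CA (both constructed here), has each issue a certificate for the same hostname (www.example.com, an assumed name), and runs a browser-style check in three configurations: rogue CA trusted with no pin, rogue CA trusted with a pin on the genuine issuer's key, and rogue CA removed from the store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert makes a P-256 key and a certificate for it: a self-signed root CA when parent is nil, else signed by parent.
func newCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // fine for constructed certs
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name} // server certs are matched on the SAN, not the CN
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// spkiHash is the SHA-256 of the SubjectPublicKeyInfo, the value a public-key pin is compared against.
func spkiHash(c *x509.Certificate) [32]byte {
	return sha256.Sum256(c.RawSubjectPublicKeyInfo)
}

// checkServerCert does a browser-style check: the chain must end at a root in roots, and if host
// has pins, some certificate in the chain must carry a pinned key. nil means "accept".
func checkServerCert(leaf *x509.Certificate, host string, roots *x509.CertPool, pins map[string]map[[32]byte]bool) error {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	if err != nil {
		return err // no path to a trusted root: what removing the CA from the store produces
	}
	want, pinned := pins[host]
	if !pinned {
		return nil
	}
	for _, chain := range chains {
		for _, c := range chain {
			if want[spkiHash(c)] {
				return nil
			}
		}
	}
	return fmt.Errorf("%s: chain validates, but no certificate in it carries a pinned key", host)
}

// RunScenario builds the constructed CAs and certificates and reports whether each check behaved as the text describes.
func RunScenario() map[string]bool {
	host := "www.example.com" // assumed hostname for the example
	legitCA, legitKey := newCert("Legit Root CA (constructed)", true, nil, nil)
	rogueCA, rogueKey := newCert("Compromised CA (constructed)", true, nil, nil)
	legitLeaf, _ := newCert(host, false, legitCA, legitKey)
	rogueLeaf, _ := newCert(host, false, rogueCA, rogueKey)
	bothTrusted := x509.NewCertPool() // trust store before the compromised CA was pulled
	bothTrusted.AddCert(legitCA)
	bothTrusted.AddCert(rogueCA)
	legitOnly := x509.NewCertPool() // trust store after it was pulled
	legitOnly.AddCert(legitCA)
	pins := map[string]map[[32]byte]bool{host: {spkiHash(legitCA): true}} // pin the genuine issuer's key
	return map[string]bool{
		"legit cert accepted":                   checkServerCert(legitLeaf, host, bothTrusted, pins) == nil,
		"rogue cert accepted (trusted, no pin)": checkServerCert(rogueLeaf, host, bothTrusted, nil) == nil,
		"rogue cert caught by pin":              checkServerCert(rogueLeaf, host, bothTrusted, pins) != nil,
		"rogue cert caught by distrust":         checkServerCert(rogueLeaf, host, legitOnly, nil) != nil,
	}
}

func main() {
	fmt.Println(RunScenario())
}
```

All four results come out true: the mis-issued certificate is indistinguishable from a genuine one to plain chain validation, and only the pin or the removal of the root rejects it. The pin here is on the issuing CA's key rather than the site's own key, which is what lets a site rotate its leaf certificate without breaking the pin; a real deployment would also keep a backup pin.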
DigiNotar responded to Mozilla's sharp criticism with another public statement. The company now says that the attack was designed to obtain confidential information about people in Iran and that the hack was "politically inspired." DigiNotar claims that it is now doing what it should have done when it discovered the hack in July: taking the CA systems offline and working with browser makers to block the fake certificates. It now also advises end users to take "online security warnings seriously." However, the company still portrays itself as the victim, while some may argue that its decisions not to disclose the breach back in July and not to address the security concerns immediately and appropriately made it a catalyst for successful data interceptions.
Neither DigiNotar's security response nor its PR has worked very well, and the episode may spark a new discussion about how much people can trust a CA. To us, however, it seems that DigiNotar has lost all trust as a CA.