Root CA fails utterly
September 3, 2011 12:32 AM

A few days ago, someone found a fake SSL certificate for Gmail in the wild. It was quickly determined that this fake certificate originated at the Dutch company DigiNotar. DigiNotar had been hacked a few weeks before and had revoked a number of SSL certificates that had been fraudulently issued by the hackers. (previously)

All major browsers quickly released updates and revoked the DigiNotar root CA certificate.

Adding to the fun was the fact that DigiNotar also operated the PKIOverheid[NL], the certificate authority for the Dutch government. A subsequent investigation showed that it was possible that the root certificate for PKIOverheid had also been compromised, resulting in the Dutch Interior Minister holding a press conference at 1 AM on Saturday morning.

The Dutch government is now scrambling to replace the SSL certificates on all their hundreds of websites and other pieces of IT infrastructure and while this is ongoing, users of up-to-date browsers should expect SSL certificate warnings when accessing government websites.
posted by Djinh (15 comments total)

This post was deleted for the following reason: Double. -- mathowie

I removed the DigiNotar CA file earlier, but it seems like all the browsers have been updated since then.

I was actually kind of shocked at just how many CAs were pre-installed in my browser. It's kind of ridiculous.
posted by delmoi at 12:40 AM on September 3, 2011 [4 favorites]


What an utter failure.

I do believe though that not all PKI Overheid certificates went through DigiNotar.
Some PKI Overheid certificates have as CA the Staat der Nederlanden CA and were issued by the IT firm Getronics. Seems like those have not been compromised.
posted by joost de vries at 12:46 AM on September 3, 2011 [1 favorite]


Yep, those certificates are still to be trusted.
posted by joost de vries at 12:52 AM on September 3, 2011


what's happening over there joost.
posted by clavdivs at 1:18 AM on September 3, 2011


It's chaos, much of the country is now below sea level
posted by East Manitoba Regional Junior Kabaddi Champion '94 at 1:21 AM on September 3, 2011 [23 favorites]


this is another example of the fundamentally broken design of https - *any* authorized Certificate Authority can issue a certificate for *any* website.
posted by russm at 1:44 AM on September 3, 2011


so there are 174 trusted root CAs in my system (there were 175 until I deleted these jokers). any one of them can issue a certificate for google.com, or microsoft.com, or paypal.com, or whatever. that's 175 companies around the globe that I need to trust to maintain their system security, and god knows how many employees I need to trust to be honest and vigilant at all times. and if any of those companies or employees fail, then I can't trust anything on the web to be who it claims to be.

this situation is broken.
posted by russm at 1:53 AM on September 3, 2011 [5 favorites]


Shouldn't that Diginotar ocsp responder say everything is revoked for the time being?
posted by dabitch at 2:00 AM on September 3, 2011


blub
posted by joost de vries at 2:04 AM on September 3, 2011 [3 favorites]


Well how about that, the corporate response is sleazy as hell:
On July 19th 2011, DigiNotar detected an intrusion into its Certificate Authority (CA) infrastructure, which resulted in the fraudulent issuance of public key certificate requests for a number of domains, including Google.com. [So they claim, but they did not tell anyone before this week.]

Once it detected the intrusion, DigiNotar has acted in accordance with all relevant rules and procedures. [This press release was only issued on August 31, after an Iranian publicized the hacking on Twitter which caused Mozilla to revoke the certificate and drew the focus of the world media.]

The attack was targeted solely at DigiNotar's Certificate Authority infrastructure for issuing SSL and EVSSL certificates. No other certificate types were issued or compromised. DigiNotar stresses the fact that the vast majority of its business, including its Dutch government business (PKIOverheid) was completely unaffected by the attack. [As far as they know.]

VASCO expects the impact of the breach of DigiNotar’s SSL and EVSSL business to be minimal. Through the first six months of 2011, revenue from the SSL and EVSSL business was less than Euro 100,000. VASCO does not expect that the DigiNotar security incident will have a significant impact on the company’s future revenue or business plans. ["Our entire business is based on security, and this has been compromised. Don't worry, we're going to keep on making money."]
posted by shii at 3:01 AM on September 3, 2011


VASCO offers Dutch Government Joint Approach of Diginotar Incident
OAKBROOK TERRACE, Illinois and ZURICH, Switzerland – September 02, 2011 – VASCO Data Security International, Inc. (Nasdaq: VDSI; www.vasco.com) today announced that it has invited the Dutch government to jointly solve the DigiNotar incident. As part of its proposal, VASCO invites the Dutch Government to send staff to work together to jointly assess and remedy the problem.
“It is our firm belief that cooperating with VASCO is the right decision for the Dutch Government. We are convinced that together we will solve this issue,” said Ken Hunt, VASCO’s Chairman & CEO.
?!
posted by finite at 3:52 AM on September 3, 2011


existing thread about this
posted by finite at 3:54 AM on September 3, 2011


All major browsers quickly released updates and revoked the DigiNotar root CA certificate.

Except Apple and Safari.
Safari/Mac users can manually delete the DigiNotar certificate through their Keychain Access utility.
posted by Thorzdad at 3:59 AM on September 3, 2011


Note that it's important to actually DELETE the certificate if you're on OS X. There are instructions out that say to just mark it untrusted, but there's a bug in Safari that renders this partially futile. If a provider is using Extended Validation certificates, the browser uses a different internal trust chain model, and does not actually check trust permissions on certificates in your root store. If it's in there, it's trusted for EV certs, no matter what your manual trust settings are.

Completely deleting the DigiNotar cert prevents the problem.
posted by Malor at 4:14 AM on September 3, 2011
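An added example, not from anyone in this thread, of the check russm's and Malor's comments point at: auditing a PEM trust bundle and removing a distrusted root by certificate fingerprint, the way browser vendors and the OS X deletion advice do, rather than relying on a name match or a trust flag. The PEM bodies and the distrust fingerprint are constructed placeholders, not DigiNotar's real certificate or its published fingerprint.

```python
import base64
import hashlib
import re
import ssl

# Placeholder "certificates": each PEM body below is an opaque byte string
# constructed for this example, NOT a real certificate. The audit only needs
# the raw DER bytes to hash them, so no X.509 parsing is required.
def _fake_pem(label: bytes) -> str:
    body = base64.encodebytes(b"constructed-placeholder-der:" + label).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

# A constructed three-root trust store; the middle entry plays the distrusted CA.
TRUST_STORE_PEM = (
    _fake_pem(b"root-A") + _fake_pem(b"diginotar-placeholder") + _fake_pem(b"root-B")
)

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----\n?", re.S
)

def fingerprint(pem_cert: str) -> str:
    """SHA-256 over the DER encoding, the identifier distrust lists use."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    return hashlib.sha256(der).hexdigest()

def purge_distrusted(bundle_pem: str, distrusted: set) -> tuple:
    """Return (cleaned bundle, list of removed fingerprints).

    Matching by fingerprint rather than by subject name means a re-imported
    or renamed copy of the same root is still caught, and deleting the entry
    (instead of flagging it untrusted) leaves nothing for an EV code path to
    trust by accident."""
    kept, removed = [], []
    for block in _PEM_BLOCK.findall(bundle_pem):
        fp = fingerprint(block)
        if fp in distrusted:
            removed.append(fp)
        else:
            kept.append(block)
    return "".join(kept), removed

# Placeholder standing in for the fingerprint a vendor advisory would publish.
DISTRUSTED = {fingerprint(_fake_pem(b"diginotar-placeholder"))}

if __name__ == "__main__":
    cleaned, gone = purge_distrusted(TRUST_STORE_PEM, DISTRUSTED)
    print(f"removed {len(gone)} root(s); {len(_PEM_BLOCK.findall(cleaned))} remain")
```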


Malor: Lots of us are having problems there. There's no obvious way to delete it.
posted by edd at 4:21 AM on September 3, 2011

