Domain: diginotar.nl
Stories and comments across the archive that link to diginotar.nl.
Comments · 7
-
Re:Certificate revocation
Certificates can be revoked by putting them on the certificate revocation list. The OCSP protocol is analogous. Here, try it yourself: http://validation.diginotar.nl/ - get an OCSP client (IE7+, FF3+, Chrome, etc do it automatically) and try to authenticate any of the fraudulent certificates.
OK sounds cool. I can't be bothered to try it out myself, I'll take your word for it. But if there's such a revocation system, why do we still need browser or even OS updates to deal with this issue??
Maybe because security.OCSP.require isn't enabled yet in your browser (the default) and MitM attacks can return fake "unavailable" responses to CRL-lookups?
-
Re:Certificate revocation
Certificates can be revoked by putting them on the certificate revocation list. The OCSP protocol is analogous. Here, try it yourself: http://validation.diginotar.nl/ - get an OCSP client (IE7+, FF3+, Chrome, etc do it automatically) and try to authenticate any of the fraudulent certificates.
OK sounds cool. I can't be bothered to try it out myself, I'll take your word for it. But if there's such a revocation system, why do we still need browser or even OS updates to deal with this issue??
-
Re:Certificate revocation
Certificates can be revoked by putting them on the certificate revocation list. The OCSP protocol is analogous. Here, try it yourself: http://validation.diginotar.nl/ - get an OCSP client (IE7+, FF3+, Chrome, etc do it automatically) and try to authenticate any of the fraudulent certificates.
Somebody getting a hold of the private keys for the CA itself is a bigger problem - keys can be signed by the attacker faster than they can be revoked. I haven't heard that that's the case - just that fraudulent certs were made, presumably through the same semi-automated process that everybody else uses.
I don't know if there's a way to revoke a CA cert (that is, *all* certificates signed by a certificate). But that doesn't seem to be required here, so the standard revocation procedure works.
-
Re:Untrust Diginotar
Mozilla already released updates to Firefox (3.6.21 and 6.0.1) to distrusts all DigiNotar certificates.
Test here: https://www.diginotar.nl/
Firefox: sec_error_revoked_certificate
-
Untrust Diginotar
At this point, everyone should remove the trust for the Diginotar Root CA. I guess most people know how to do this around here, but just for informative purposes:
First, visit their web site to ensure their root certificate is in your certificate store:
https://onlineaanvraag.diginotar.nl/Digiforms/StartPage.aspx?FORM_ID=12
On Mac OS X go to Applications, Utilities, open Keychain Access. Click on System Roots, then find the "Diginotar Root CA". Select it then do CMD-I. Open the Trust Panel and choose "When using this Certificate Never Trust" instead of System Defaults. Close the window, enter an admin password and close Keychain Access.
On Windows it's a bit more complex (no, really?). Start, Run, mmc.exe, OK. Confirm UAC if under Windows 7 with admin password if required. If you're under Windows XP, relog to an administrator account first. Then go to File, Add/Remove Snap-in, find the Certificates snap-in, click on it, then add. Select the Computer Account and local computer. Then open Trusted Root Certification Authorities, Certificates, find the "DigiNotar Root CA", right-click on it, properties and choose "Disable all purposes for this certificate".
Make sure you don't delete the certificate, as it would just get re-approved.
-
In MacOSX
open
/Applications/Utilities/Keychain Access.app
Click on System Roots
Scroll down to DigiNotar Root CA
Click the "i" icon, or select "Get Info CMD-I"
Expand the "Trust" node
For the "When using this certificate"
Select the "Never Trust" optionIf successful, the info window will now say "This certificate is marked as not trusted for all users"--- and you can browse this site to ensure that the trust is broken.
-
Re:Already done
I just removed the trust setting from this CA in my browser. So can anyone else. Anyone know a site for which they've issued a cert to test and see if this actually makes any difference?
Their own (it just redirects to the non-SSL site, but that should be sufficient for you).