Slashdot Mirror


DigiNotar Responds To Rogue Certificate Problem

An anonymous reader writes "Vasco, the owner of the DigiNotar CA implicated in the MITM attacks on Iranian Google users, has responded to their fraudulently issued certificate problems. The press release reads: 'On July 19th 2011, DigiNotar detected an intrusion into its Certificate Authority (CA) infrastructure, which resulted in the fraudulent issuance of public key certificate requests for a number of domains, including Google.com. Once it detected the intrusion, DigiNotar has acted in accordance with all relevant rules and procedures. At that time, an external security audit concluded that all fraudulently issued certificates were revoked. Recently, it was discovered that at least one fraudulent certificate had not been revoked at the time. After being notified by Dutch government organization Govcert, DigiNotar took immediate action and revoked the fraudulent certificate'. It is not clear whether the latter certificate is the one used in Iran, or whether other certificates remain at large. I guess removing the root certificate from browsers is the correct response."

4 of 177 comments

  1. So they don't know... by iCEBaLM · Score: 3, Insightful

    ... how many forged certs are now in the wild? Nuke the CA, they are incompetent.

  2. To whom it may concern: by fuzzyfuzzyfungus · Score: 5, Insightful

    We at Vasco love the passive voice more than our own mothers. Also, all appearances to the contrary, we aren't colossal fuckups because, when we colossally fucked up, we "acted in accordance with all relevant rules and procedures" (this apparently didn't include mentioning that there had been an issue). Thankfully, we hire external auditors who operate well on our level of understanding, so they didn't reveal the embarrassing scope of our failure. After somebody else entirely did our job for us, we finally got around to cleaning up what of our mess was still within the realm of fixable (sorry, Iranian Gmail users, hope you weren't doing anything seditious...)

    So, is there any reason that this company shouldn't just be sold for scrap now? Their security clearly isn't good enough, their secretive attitude isn't exactly in line with being a 'trusted' certificate authority, and they can't even hire the right outside assistance to help them clean up their own messes. Hell, at this point, my very own FuzzyFuzzyFungus' SporeCert(tm) trust solutions would appear to be a better bet...

  3. Root certs need to be restricted by TLD by Animats · Score: 4, Insightful

    Currently, root certificates are wildcards, usable for any TLD. They need to be restricted to a single TLD, or a short list.

    Single-nation CAs and government-operated CAs should be restricted to their TLD. For the generic TLDs (".com", ".net", etc.), the CA/Browser Forum should require the CAs to post a large bond, from which a penalty is forfeited if any improperly issued cert is found. That should get the problem under control.

  4. Re:Re comodo by hedwards · Score: 2, Insightful

    That's because you're a paranoid wingnut. Believe it or not there are some jobs best left to the government. If you genuinely feel that way, Somalia is =========> that away.