Slashdot Mirror


Diginotar Responds To Rogue Certificate Problem

An anonymous reader writes "Vasco, the owner of the DigiNotar CA implicated in the MITM attacks on Iranian Google users, has responded to their fraudulently issued certificate problems. The press release reads: 'On July 19th 2011, DigiNotar detected an intrusion into its Certificate Authority (CA) infrastructure, which resulted in the fraudulent issuance of public key certificate requests for a number of domains, including Google.com. Once it detected the intrusion, DigiNotar has acted in accordance with all relevant rules and procedures. At that time, an external security audit concluded that all fraudulently issued certificates were revoked. Recently, it was discovered that at least one fraudulent certificate had not been revoked at the time. After being notified by Dutch government organization Govcert, DigiNotar took immediate action and revoked the fraudulent certificate'. It is not clear whether the latter certificate is the one used in Iran, or whether other certificates remain at large. I guess removing the root certificate from browsers is the correct response."

20 of 177 comments

  1. So they don't know... by iCEBaLM · · Score: 3, Insightful

    ... how many forged certs are now in the wild? Nuke the CA, they are incompetent.

  2. In Firefox 6 by janeuner · · Score: 4, Informative

    1) Options -> Advanced -> Encryption -> View Certificates
    2) In the Certificate Manager window, click the Authorities tab.
    3) Scroll down to DigiNotar.
    4) Delete or Distrust the "DigiNotar Root CA" certificate.

    1. Re:In Firefox 6 by GameboyRMH · · Score: 2

      And do the same for Comodo while you're at it.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    2. Re:In Firefox 6 by janeuner · · Score: 3, Informative

In short, Comodo has issued fraudulent certificates for Google Mail, Yahoo, and a couple other high traffic sites. Gameboy is correct - nuke both of these CAs immediately.

    3. Re:In Firefox 6 by Anonymous Coward · · Score: 2, Interesting

      Unfortunately, this doesn't entirely fix the issue. Diginotar has certificates that have been cross-signed, meaning they can be used as intermediates in a chain rooted by another CA.

  3. Crazy Response to Attack by Rich0 · · Score: 2

    We REALLY need a better way to handle root CAs.

    First, there should be one list of CAs for the system - not one for every application on the system. Why should Firefox, Thunderbird, Chrome, IE, and who knows what else all have an embedded list?

    Second, that list should be easy to update without having to download new copies of all your software.

    Ideally, that list should have its own CRL of sorts - so that automated revokes of root CA certificates can be done with a simple process. That should be a fail-safe mechanism - if the CRL can't be authenticated in some period of time, then a warning is displayed or all certificates relying on that CRL become invalid.

    1. Re:Crazy Response to Attack by janeuner · · Score: 2

      I disagree. I trust public CAs for web browsing. I trust my company CAs for company email.

      The reverse of this is not true.

      TBH, we should have certificate stores for each application. In a perfect world, I should install my bank's certificate as a trusted certificate, and distrust Thawte, Verisign, etc when visiting mybank.com. But alas, that is hard.

  4. Re:Wasn't a forged certificate a big part of Stuxn by Z00L00K · · Score: 2

DigiNotar CA is now removed from my list of trusted root CAs.

    I propose that all web browsers and other application should do the same since it's not certain how many compromised ones there are out there.

    Or that the private key for the root CA was kept safe.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  5. Re:Already done by Anonymous Coward · · Score: 2, Informative

check their site, they sign their own certificate:

    https://www.diginotar.com/Products/ExtendedValidationSSL/tabid/622/Default.aspx

  6. To whom it make concern: by fuzzyfuzzyfungus · · Score: 5, Insightful

We at Vasco love the passive voice more than our own mothers. Also, all appearances to the contrary, we aren't colossal fuckups because, when we colossally fucked up, we "acted in accordance with all relevant rules and procedures" (this apparently didn't include mentioning that there had been an issue). Thankfully, we hire external auditors who operate well on our level of understanding, so they didn't reveal the embarrassing scope of our failure. After somebody else entirely did our job for us, we finally got around to cleaning up what of our mess was still within the realm of fixable (sorry, Iranian Gmail users, hope you weren't doing anything seditious..)

    So, is there any reason that this company shouldn't just be sold for scrap now? Their security clearly isn't good enough, their secretive attitude isn't exactly in line with being a 'trusted' certificate authority, and they can't even hire the right outside assistance to help them clean up their own messes. Hell, at this point, my very own FuzzyFuzzyFungus' SporeCert(tm) trust solutions would appear to be a better bet...

  7. Root certs need to be restricted by TLD by Animats · · Score: 4, Insightful

    Currently, root certificates are wildcards, usable for any TLD. They need to be restricted to a single TLD, or a short list.

Single-nation CAs and government-operated CAs should be restricted to their TLD. For the generic TLDs (".com", ".net", etc.) the CA/Browser Forum should require the CAs to post a large bond, from which a penalty is forfeited if any improperly issued cert is found. That should get the problem under control.
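
Two of the technical points in this thread can be checked in code rather than argued: the Anonymous Coward reply to comment 2 (a cross-signed DigiNotar certificate survives deleting the "DigiNotar Root CA" entry from the trust store), and comment 7's proposal (confine a national root to its own TLD, which X.509 name constraints already express). The following Go program is an added example written for this page; it is not code from the page, from DigiNotar, or from any browser vendor. It builds a throwaway PKI with the standard library and then verifies a leaf under three policies. The CA names "Other Root CA", "DigiNotar Public CA" and "NL Government Root CA", the hostnames, and every key are constructed for the example; the page does not say which CA actually cross-signed DigiNotar, so "Other Root CA" stands in for it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Constructed PKI for the thread's two points. Every name and key is generated on the fly; none is real.
type pki struct{ OtherRoot, DigiNotarRoot, Intermediate, CrossSigned, Leaf, NLRoot, NLLeaf, NLForeignLeaf *x509.Certificate }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// mkCert issues a CA cert when dns is empty, else a server leaf; permitted adds a critical name constraint; nil parent = self-signed.
func mkCert(cn string, dns, permitted []string, parent *x509.Certificate,
	pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	isCA := len(dns) == 0
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, DNSNames: dns, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage:         []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		PermittedDNSDomains: permitted, PermittedDNSDomainsCritical: len(permitted) > 0,
	}
	if isCA { // a CA key signs certificates and carries no server EKU
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	if parent == nil {
		parent = tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

func buildPKI() pki {
	otherKey, dnRootKey, dnIssuingKey, nlKey, leafKey := newKey(), newKey(), newKey(), newKey(), newKey()
	otherRoot := mkCert("Other Root CA", nil, nil, nil, &otherKey.PublicKey, otherKey)
	dnRoot := mkCert("DigiNotar Root CA", nil, nil, nil, &dnRootKey.PublicKey, dnRootKey)
	// One issuing key, two certs for it: under DigiNotar Root CA, and cross-signed by Other Root CA.
	inter := mkCert("DigiNotar Public CA", nil, nil, dnRoot, &dnIssuingKey.PublicKey, dnRootKey)
	cross := mkCert("DigiNotar Public CA", nil, nil, otherRoot, &dnIssuingKey.PublicKey, otherKey)
	leaf := mkCert("www.google.com", []string{"www.google.com"}, nil, inter, &leafKey.PublicKey, dnIssuingKey)
	// A national root that may only vouch for names under .nl (the restriction comment 7 asks for).
	nlRoot := mkCert("NL Government Root CA", nil, []string{".nl"}, nil, &nlKey.PublicKey, nlKey)
	nlLeaf := mkCert("loket.amsterdam.nl", []string{"loket.amsterdam.nl"}, nil, nlRoot, &leafKey.PublicKey, nlKey)
	nlForeign := mkCert("www.google.com", []string{"www.google.com"}, nil, nlRoot, &leafKey.PublicKey, nlKey)
	return pki{otherRoot, dnRoot, inter, cross, leaf, nlRoot, nlLeaf, nlForeign}
}

// spki identifies a CA key by the SHA-256 of its SubjectPublicKeyInfo, whichever root signed it.
func spki(c *x509.Certificate) string { s := sha256.Sum256(c.RawSubjectPublicKeyInfo); return hex.EncodeToString(s[:]) }

// verify builds every chain to root (the standard library enforces name constraints) and returns the first chain free of distrusted keys at any position.
func verify(leaf *x509.Certificate, distrusted map[string]bool, root *x509.Certificate,
	inters ...*x509.Certificate) ([]*x509.Certificate, error) {
	rp, ip := x509.NewCertPool(), x509.NewCertPool()
	rp.AddCert(root)
	for _, c := range inters {
		ip.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: rp, Intermediates: ip, DNSName: leaf.DNSNames[0]})
	if err != nil {
		return nil, err
	}
	for _, chain := range chains {
		clean := true
		for _, c := range chain {
			clean = clean && !distrusted[spki(c)]
		}
		if clean {
			return chain, nil
		}
	}
	return nil, fmt.Errorf("every chain to a trusted root passes through a distrusted key")
}

func main() {
	p := buildPKI()
	bad := map[string]bool{spki(p.DigiNotarRoot): true, spki(p.Intermediate): true}
	_, e1 := verify(p.Leaf, nil, p.OtherRoot, p.Intermediate, p.CrossSigned) // root deleted only: accepted
	_, e2 := verify(p.Leaf, bad, p.OtherRoot, p.Intermediate, p.CrossSigned) // keys distrusted: rejected
	_, e3 := verify(p.NLForeignLeaf, nil, p.NLRoot)                          // google.com under .nl root: rejected
	fmt.Println(e1, "|", e2, "|", e3)
}
```

The first call is the "delete the root" procedure from comments 2, 8 and 12: "DigiNotar Root CA" is simply absent from the root pool, yet the leaf still validates through the cross-signed copy of the issuing certificate up to "Other Root CA". The second call distrusts the DigiNotar keys by SPKI hash and rejects any chain they appear in, which is the check a browser needs when a CA is cross-signed. The third call shows a root carrying a `.nl` name constraint being refused for a `.com` name by the standard library's chain builder; the same root does vouch for `loket.amsterdam.nl`.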

  8. Too late by slasho81 · · Score: 4, Informative

    Too little, too late. I already removed DigiNotar from my trusted CA list. You should too. In Firefox: Options > Advanced > Encryption > View Certificates > Authorities tab > Find DigiNotar > Edit Trust.

    1. Re:Too late by CyberDragon777 · · Score: 2
      --
      We both said a lot of things that you are going to regret.
  9. Re:Re comodo by hedwards · · Score: 2, Insightful

    That's because you're a paranoid wingnut. Believe it or not there are some jobs best left to the government. If you genuinely feel that way, Somalia is =========> that away.

  10. Re:Already done by ComaVN · · Score: 2

    A lot of (most?) dutch intra-government traffic uses their certificates.

    See https://loket.amsterdam.nl/ for instance

    --
    Be wary of any facts that confirm your opinion.
  11. Re:This makes it worse! by jesseck · · Score: 2

    So not only did they hide a break-in from the internet at large, including companies (e.g. Google) which were by extension the target, but they also aren't able to tell how many or what kinds of fake certificates got generated by the break-in?

    The way I hear the quote from the summary

    On July 19th 2011, DigiNotar detected an intrusion into its Certificate Authority (CA) infrastructure

    is "We found out this week that fraudulent certificates were issued on July 19th..."

  12. In MacOSX by Jeremy+Erwin · · Score: 4, Informative

    open /Applications/Utilities/Keychain Access.app
    Click on System Roots
    Scroll down to DigiNotar Root CA
    Click the "i" icon, or select "Get Info CMD-I"
    Expand the "Trust" node
    For the "When using this certificate"
    Select the "Never Trust" option

    If successful, the info window will now say "This certificate is marked as not trusted for all users"--- and you can browse this site to ensure that the trust is broken.

  13. Re:Re comodo by Archangel+Michael · · Score: 2

    Somalia has no functioning government, and therefore does not protect the LIBERTIES of the individual, which is the purpose of government.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  14. Re:Wasn't a forged certificate a big part of Stuxn by Ossifer · · Score: 2

    If you are still using IE6 you have bigger problems than diginotar...

  15. Don't be silly by Rix · · Score: 2

    Of course some jobs are best left to governments. This just isn't one of them.

    Governments are in the business of spying on people. Sometimes legitimately, sometimes not, but regardless it's not in the interest of the person being spied upon for it to happen, and so governments have no business in the chain of trust. They're near the top of the list of actors we specifically don't trust.