Diginotar Responds To Rogue Certificate Problem

An anonymous reader writes "Vasco, the owner of the DigiNotar CA implicated in the MITM attacks on Iranian Google users has responded to their fraudulently issued certificate problems. The press release reads: 'On July 19th 2011, DigiNotar detected an intrusion into its Certificate Authority (CA) infrastructure, which resulted in the fraudulent issuance of public key certificate requests for a number of domains, including Google.com. Once it detected the intrusion, DigiNotar has acted in accordance with all relevant rules and procedures. At that time, an external security audit concluded that all fraudulently issued certificates were revoked. Recently, it was discovered that at least one fraudulent certificate had not been revoked at the time. After being notified by Dutch government organization Govcert, DigiNotar took immediate action and revoked the fraudulent certificate'. It is not clear whether the latter certificate is the one used in Iran, or whether other certificates remain at large. I guess removing the root certificate from browsers is the correct response."

So they don't know...

[iCEBaLM]

... how many forged certs are now in the wild? Nuke the CA, they are incompetent.

In Firefox 6

[janeuner]

1) Options -> Advanced -> Encryption -> View Certificates
2) In the Certificate Manager window, click the Authorities tab.
3) Scroll down to DigiNotar.
4) Delete or Distrust the "DigiNotar Root CA" certificate.

Re:In Firefox 6

[janeuner]

In short, Comodo has issued fraudulant certificates for Google Mail, Yahoo, and a couple other high traffic sites. Gameboy is correct - nuke both of these CAs immediately.

To whom it make concern:

[fuzzyfuzzyfungus]

We at Vasco love the passive voice more than our own mothers. Also, all appearances to the contrary, we aren't colossal fuckups because, when we colossally fucked up, we "acted in accordance with all relevant rules and procedures"(this apparently didn't include mentioning that there had been an issue). Thankfully, we hire external auditors who operate well on our level of understanding, so they didn't reveal the embarrassing scope of our failure. After somebody else entirely did our job for us, we finally got around to cleaning up what of our mess was still within the realm of fixable(sorry, Iranian Gmail users, hope you weren't doing anything seditious..)

So, is there any reason that this company shouldn't just be sold for scrap now? Their security clearly isn't good enough, their secretive attitude isn't exactly in line with being a 'trusted' certificate authority, and they can't even hire the right outside assistance to help them clean up their own messes. Hell, at this point, my very own FuzzyFuzzyFungus' SporeCert(tm) trust solutions would appear to be a better bet...

Root certs need to be restricted by TLD

[Animats]

Currently, root certificates are wildcards, usable for any TLD. They need to be restricted to a single TLD, or a short list.

Single-nation CAs and government-operated CAs should be restricted to their TLD. For the generic TLDs, ("com", ".net", etc,) the CA/Browser Forum should require the CAs to post a large bond, from which a penalty is forfeited if any improperly issued cert is found. That should get the problem under control.

Too late

[slasho81]

Too little, too late. I already removed DigiNotar from my trusted CA list. You should too. In Firefox: Options > Advanced > Encryption > View Certificates > Authorities tab > Find DigiNotar > Edit Trust.

In MacOSX

[Jeremy+Erwin]

open /Applications/Utilities/Keychain Access.app
Click on System Roots
Scroll down to DigiNotar Root CA
Click the "i" icon, or select "Get Info CMD-I"
Expand the "Trust" node
For the "When using this certificate"
Select the "Never Trust" option

If successful, the info window will now say "This certificate is marked as not trusted for all users"--- and you can browse this site to ensure that the trust is broken.