Dutch Government Revokes Diginotar Certificates
An anonymous reader writes "After previously claiming that the Iranian hack of CA Diginotar did not compromise certificates of the Dutch government, it has now been decided that there is too much risk and the certificates will have to be revoked after all (original Dutch text). Since the Dutch government has been using only Diginotar-supplied certificates, this will leave all government websites with invalid certificates while a new supplier is being searched for. The minister of internal affairs recommends that people not use the websites if a warning about an invalid certificate appears." Related: Reader TheAppalasian links to Johnathan Nightingale of Mozilla Engineering explaining in clear terms why DigiNotar should no longer be trusted.
Since we have to use the sites to send in our digital tax forms, that would have been a way bigger mess.
This is the sig that says NI (again)
If you haven't been following this story, Gerv (one of the Mozilla people directly dealing with this) has a good overview post with something of a timeline, hitting all the salient points about just how much DigiNotar has fucked up.
Apple is behind the curve on this, almost certainly due to a bug in the handling of Extended Validation certificates that needs to be fixed. Until then, I have info and tools on my web page to help users with the problem.
http://ps-enable.com/articles/diginotar-revoke-trust
--Paul
Yeah, it's super hard in Windows...
http://www.microsoft.com/technet/security/advisory/2607712.mspx
All supported editions of Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 use the Microsoft Certificate Trust List to validate the trust of a certificate authority. There is no action required for users of these operating systems because Microsoft has removed the DigiNotar root certificate from the Microsoft Certificate Trust List.
I don't have an XP box here to look at, but I'm pretty sure you can get to the Trusted Root Cert Authorities by going IE > Internet Options > Content > Certificates > Trusted Root Cert Authorities, double-click DigiNotar and uncheck all.
This was probably mainly said because DigiNotar itself publishes a FAQ that basically says "when the browser says the certificate is not to be trusted you must select the option to trust it anyway because 99.9% of the certificates are to be trusted".
The Dutch government wants to warn citizens that this is very bad advice from DigiNotar, and that sites should never be used when this warning appears.
In fact there is a campaign from banks to warn users that they should always pay attention to certificate warnings, and any official advice to ignore them is to be considered a very bad thing.
Of course DigiNotar does not understand "trust" at all. In their FAQ and press releases they apparently have the opinion that trust in the certificates is something they define themselves, while of course trust is something the user grants to the CA. When the user no longer trusts the CA, the CA is finished no matter how many times it declares that it is to be trusted.
But DigiNotar is not interested in the users or the victims of their actions. They are only interested in their own company and its revenues. This was already clear in the first press release they did, where they dared to include a paragraph that downplayed the effect of all this on their revenue and share value.
Let's see how this works out in practice. My prediction is that it will be worse than they claim.
Yup. SSL is really messed up. The best fix would be to just put certs in DNS and protect it with DNSSEC. Then you have a hierarchical system for managing them that doesn't cost anything that people aren't already paying. You could still allow for CAs when you need to add some level of real-world identification, or maybe the domain registries could provide this service (so it would be an attribute of the domain one level higher). However, the main threat is from MITM and domain-only checks are generally good-enough for that.
But if we have to stick with the current system, if I were a browser vendor I'd:
1. Include a CRL in my app for the root CAs. I'd control that CRL. So, when I need to revoke a root cert I just publish that on the CRL and I don't need to hard-code it in some kind of software upgrade.
2. My browser would fail-safe on CRLs. The CRL would have to publish a new serial number hourly. The browser would cache the last serial number seen. Every cert is checked at time of access, and if the CRL doesn't respond or gives me an expired serial number or anything else that is fishy then the cert is considered revoked. Sure, that is a pain, but right now you just need to block access to a CRL and browsers just dumbly go along with it. The browser would also cache system time in GMT and ask the user what to do if it jumps backwards to reduce the risk of clock attacks.
The whole system just needs to be a lot more paranoid. With the current design that would also make it a lot less reliable. The fix to that is to just use DNSSEC - if you can't look up the DNS record for a host you're not going to connect to it anyway.
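The fail-safe CRL check from points 1 and 2 of the comment above, sketched as an added example (not part of the original comment and not any browser's code). The `Crl` and `RevocationState` types, their field names and the fingerprints are hypothetical, and verifying the CRL's signature is assumed to have happened before this check.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple

MAX_CRL_AGE = 3600  # seconds: the comment asks for a new CRL serial hourly


@dataclass
class Crl:
    number: int        # CRL serial number, expected to only ever increase
    issued_at: int     # Unix time (UTC) at which this CRL was published
    revoked: Set[str]  # fingerprints of revoked root certs (constructed values)


@dataclass
class RevocationState:
    last_crl_number: int = 0  # highest CRL serial the browser has cached
    last_clock: int = 0       # last system time (UTC) the browser observed


def check_root(state: RevocationState, crl: Optional[Crl],
               root_fp: str, now: int) -> Tuple[bool, str]:
    """Return (trusted, reason). Every doubtful case fails closed."""
    # Clock jumped backwards: an old CRL could otherwise look fresh again.
    # The cached time is left unchanged so the condition persists.
    if now < state.last_clock:
        return False, "clock moved backwards; ask the user"
    state.last_clock = now
    # Blocking access to the CRL must not be enough to keep a cert trusted.
    if crl is None:
        return False, "CRL unavailable"
    # A serial lower than one already seen is a replayed, older CRL.
    if crl.number < state.last_crl_number:
        return False, "CRL serial rolled back"
    # Older than the publishing interval, or dated in the future.
    if crl.issued_at > now or now - crl.issued_at > MAX_CRL_AGE:
        return False, "CRL stale or dated in the future"
    state.last_crl_number = crl.number
    if root_fp in crl.revoked:
        return False, "root revoked"
    return True, "ok"
```

The trade-off the comment names is visible here: any outage of the CRL endpoint makes every certificate fail, which is the reliability cost of failing closed.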