Slashdot Mirror


(Possible) Diginotar Hacker Comes Forward

arglebargle_xiv writes "At the risk of burning people out on the topic of PKI fail, someone claiming to be the Diginotar hacker has come forward to claim responsibility: It's the ComodoGate hacker. He also claims to 0wn four more 'high-profile' CAs, and still has the ability to issue new rogue certificates, presumably from other CAs that he 0wns." Whether this claim turns out to be truthful or not, what led to the breach in the first place? Reader Dr La points to an interim report commissioned by the Dutch government (PDF), according to which "a) No antivirus software was present on Diginotar's servers; b) 'the most critical servers' had malicious software infections; c) The software installed on the public web servers was outdated and not patched; and d) all servers were accessible by one user/password combination, which was 'not very strong and could easily be brute-forced.'"

2 of 215 comments

  1. Re:Honest question: by bill_mcgonigle · Score: 3, Interesting

    And Mozilla gave these jokers a pass while raking CACert across the coals.

    That distinction is very instructive as to the real motivations of the PKI industry.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  2. The difference between CACert and DigiNotar by frehe · Score: 4, Interesting

    I love this comment from Mozilla's Nelson Bolyard in that thread:

    I have no opinion about the worthiness of the particular CA being proposed in this bug. I don't know who it is yet. But my question would be:

    Does webtrust "attest" to this CA?

    I think that should be one of the criteria. PKI is about TRUST. All root CAs that are trusted for (say) SSL service are trusted EQUALLY for that service. If we let a single CA into mozilla's list of trusted CAs, and they do something that betrays the public's trust, then there is a VERY REAL RISK that the public will lose ALL FAITH in the "security" (the lock icon) in mozilla and its derivatives.

    We don't want that to happen. If that happens, mozilla's PKI becomes nothing more than a joke. If you want to see mozilla's PKI continue to be taken seriously, you will oppose allowing unattested CAs into mozilla's list of trusted root CAs.