(Possible) Diginotar Hacker Comes Forward

arglebargle_xiv writes "At the risk of burning people out on the topic of PKI fail, someone claiming to be the Diginotar hacker has come forward to claim responsibility: It's the ComodoGate hacker. He also claims to 0wn four more 'high-profile' CAs, and still has the ability to issue new rogue certificates, presumably from other CAs that he 0wns." Whether this claim turns out to be truthful or not, what led to the breach in the first place? Reader Dr La points to an interim report commissioned by the Dutch government (PDF), according to which "a) No antivirus software was present on Diginotar's servers; b) 'the most critical servers' had malicious software infections; c) The software installed on the public web servers was outdated and not patched; and d) all servers were accessible by one user/password combination, which was 'not very strong and could easily be brute-forced.'"

Weakest link

[Errol+backfiring]

Yep. Our whole security system is exactly as strong as the weakest link.

Re:Weakest link

[houstonbofh]

And crap like this is why I don't understand why my browser has to go apeshit over self singed cirts. "Oh My God! You may be at risk because this cirt was MADE BY SOMEONE WITH A CLUE!"

Re:Weakest link

[drolli]

A good security system is not as weak as the weakest link.

Re:Weakest link

[arglebargle_xiv]

And crap like this is why I don't understand why my browser has to go apeshit over self singed cirts.

The browser is acting as a food critic. Everyone knows cirts should be cooked rare, not singed. That just spoils the flavour.

Re:Weakest link

[houstonbofh]

Can you find me 5 people that have never broken the "cup holder" that believe our current system is a "good security system?"

Re:Weakest link

[grnbrg]

A clue about making a certificate that's worthless against MITM attacks? Congratulations on identifying yourself as completely fucking clueless.

You better get in touch with all the admins running their ssh daemons with self-generated (and unsigned!) host keys! How could such a gaping vulnerability be missed?!

Re:Weakest link

Why don't you have the admin's sig added to the authority list in the browser then? You know, actually tell the browser that this signatory is OK instead of expecting it to not warn people in a situation which 95% of the time is a massive security hole?

Re:Weakest link

[heypete]

You are, I trust, aware that there are CAs out there that offer free (or very nearly free) certificates that are widely trusted by browsers, and so won't annoy users with annoying warnings. Why not use those?

Re:Weakest link

[heypete]

SSH is not as widely used by the general public, who has little knowledge of security, and wouldn't know how to verify a key fingerprint (or understand why they needed to do so) if asked.

Re:Weakest link

[Junta]

This is a huge deal because for browsers/libraries that do not refresh CA certificates promptly, some select population of people can reduce all certs to as bad as self-signed certificates.

Saying self-signed certs are somehow better than certs signed by a compromised CA is rather silly.

Re:Weakest link

[grnbrg]

You missed the point -- parent post suggests that self-signed certificates don't prevent MITM attacks.

ssh doesn't even bother to sign the host keys (certificates), and it does quite well in preventing them.

For that matter, even the current implementation of browsers prevents MITM attacks with self-signed certs.... If I connect to a site with a SS cert, I get a warning about it, and whitelist that cert. If I come back some other time, and there is a new self signed cert, I get the warning again. Since I know I already whitelisted that site, I'm going to dig a bit to find out why the cert changed.

Re:Weakest link

[Junta]

How could such a gaping vulnerability be missed?!

It is a vulnerability and it hasn't been missed: http://tools.ietf.org/html/rfc4255

SSH should have done x509 from it's inception with self-signed as default. No worse than current state of things with a great opportunity to do better.

Re:Weakest link

[Jawnn]

I don't care if he singes things himself or not, but I am a bit concerned over this "cirt" thing. It sounds like it could be painful if singed.

Re:Weakest link

[Junta]

No, I really am not concerned with MITM attacks on my own LAN, and in the VPN network.

That's a particularly special case, sounds like you are accessing a remote work server from home using a technology explicitly designed to be unobtrusive and by extension indistinguishable from any other internet connection. Not exactly the scenario where a browser can reasonably detect and change behavior even *if* it were a good idea. Of course, a number of VPN client rely upon DNS and SSL certificates to initiate the connection, so a MITM during VPN connection establishment is not entirely out of the question. Put another way, If you were so confident in the VPN providing all the security, why use https at all?

for a cirt that still does not stop MITM attacks.

Has anyone analyzed how many browsers already have updates invalidating DigiNotar authority or discussed if DigiNotar has a functional OSCP that is returning accurately? The system when used *as designed* does stop MITM attacks. This is the first widespread compromise of a CA that I can recall, and I expect already many users are in browsers that already distrust the compromised key. I suspect most people will have updated their CA certs without even being aware of this incident within a few months. So it does stop MITM attacks.

Re:Weakest link

[Junta]

The problem is that our current system may not in practice *be* a 'good security system', but if implemented correctly it *would* be.

The challenge is this will undoubtedly hold true for any proposed alternative implementation strategy, making churning the underlying technology an exercise in futility unless you fix the aspects preventing the x509 system from working as designed.

Re:Weakest link

[vadim_t]

Yes, but how do you know whether the first self-signed cert you got is a good one?

With SSH CAs are not needed because somebody else is acting as the CA, either yourself when you're accessing your own system, or whoever is giving you access to theirs. And SSH is only really secure if you actually bother to compare fingerprints.

Re:Weakest link

[houstonbofh]

Has anyone analyzed how many browsers already have updates invalidating DigiNotar authority or discussed if DigiNotar has a functional OSCP that is returning accurately? The system when used *as designed* does stop MITM attacks. This is the first widespread compromise of a CA that I can recall, and I expect already many users are in browsers that already distrust the compromised key. I suspect most people will have updated their CA certs without even being aware of this incident within a few months. So it does stop MITM attacks.

Second big one, but I can't find a link to the first. (Google is flooded with this one...) And it does not matter if you have a condom for every partner but that one with AIDS. http://blog.thoughtcrime.org/ssl-and-the-future-of-authenticity SSL is not secure, and has not been for a while. The fact that it is going public now is a lag behind the lack of security.

Re:Weakest link

[houstonbofh]

Not what I am saying. I am saying that self signed cirts are not the evil that modern browsers make them out to be, and official CAs are not the paragon of security.

Re:Weakest link

[Errtu76]

Please, for the love of Diginotar, at least say 'certs' if you want to abbreviate 'certificates'.

Re:Weakest link

[black+soap]

It looks like in this case "our whole security system was the weakest link."
Or maybe "Our whole security system was their security system, which was the weakest link."

Re:Weakest link

[amorsen]

You could easily have ended up with the undeployable mess that is self-signed IPSEC certificates. Sometimes it is best to be careful what you ask for, you might get it.

Re:Weakest link

[Pieroxy]

Last time I stumbled over a comment like this I asked for a link. I was given one, and pretty much all of the pages served me errors and other crap... I could not even click on "order".

So, do you think you can provide me with a link to such a CA that would be both free and functional ?

Re:Weakest link

[Hatta]

Why are you using SSL on your home LAN in the first place? If it's impossible for anyone to have access to your LAN, then you don't need encryption. If it's possible an attacker is on your LAN then self signed certs just give you a false sense of security.

Re:Weakest link

[Junta]

http://blog.thoughtcrime.org/ssl-and-the-future-of-authenticity

This article is intelligent and correctly identifies the issues and puts them in accurate context in the face of hordes of people mindlessly saying 'DNSSEC fixes all'. The problem is not the technology, but the politics and laziness that distorts the use of the technology. I doubt any approach can be dreamed of that wouldn't, in practice, be perverted in implementation. Self-signed certs are simply worse. You can manage it intelligently, by having a private CA for your organization and distribute the certificate, defining the trust anchor yourself.

SSL is not secure, and has not been for a while.

'Secure' is not a boolean. SSL is 'secure' by some criteria, not by others. SSL can be much more secure than the common implementation today, and my doubt is whether a technical approach exists that would do better than SSL in the face of the same non-technical circumstances watering down SSL security.

Re:Weakest link

[houstonbofh]

SSL is not secure, and has not been for a while.

'Secure' is not a boolean. SSL is 'secure' by some criteria, not by others. SSL can be much more secure than the common implementation today, and my doubt is whether a technical approach exists that would do better than SSL in the face of the same non-technical circumstances watering down SSL security.

This is the heart of my argument. Self signed certs are also secure in a specific set of circumstances. But they set of every alarm in the typical browser. The difference of the behavior in a browser between "official" cirts and self signed cirts is far more than the difference in security. (In many situations)

Re:Weakest link

[houstonbofh]

Never said home. I said "My own LAN" and it is on all the network web config pages.

Re:Weakest link

[justforgetme]

I got a free cert from startsll quite easily.

I know it's credential chain is not big/cool/long or anything useful to busyness men in a meeting room, but for creating a secure tunnel between a server and a browser I believe it's quite good enough. It definitely is better than teaching the merits of public key crypto to every visitor of your domain. Oh and yes their UI royally sucks..

In general:
if you want customer assurance go with the big names/pricetags
if you just want a tunnel go with the first dude who is trusted by the browsers and will give it to you for free or almost free.
if only you and your pals are going to use it sign something yourself and get out of the trouble of manouvering around buggy cert UIs.

Re:Weakest link

[Jeremy+Erwin]

And some of those CAs may have decent security. Some. Not all.

Re:Weakest link

[tftp]

Saying self-signed certs are somehow better than certs signed by a compromised CA is rather silly.

Is it?

Self-signed certificate: you have no idea who created it, and you tread lightly.

CA-signed certificate: you are absolutely sure that you know who owns the Web site, and you gladly open the kimono.

As you can see, a fake CA-signed certificate is far more dangerous than a no-name certificate.

However it must be said that WoT is not a perfect solution either. It will be a more expensive solution, that's for sure. Instead of one signature of a trusted party you need tens of signatures of less trusted parties - and a fake trust can creep somewhere between those signatures. Most of signers will not be known, personally or otherwise, to a common Web user, so trust in entities is not going anywhere. The only difference is that several poorly trusted entities are required to validate a key instead of one poorly trusted entity.

Re:Weakest link

[muckracer]

> > And crap like this is why I don't understand why my browser has
> > to go apeshit over self singed cirts.

> A clue about making a certificate that's worthless against MITM
> attacks? Congratulations on identifying yourself as completely
> fucking clueless.

And this as comment in an article about a compromised CA, forged "offical" and "trusted" certs...perfect for MITM's. Congratulations yourself!

Re:Weakest link

[Junta]

My impression was there was a desire declare CAs worthless and you should trust self-signed *more* than CA-signed, which is a bad knee-jerk reaction.

In terms of 'treading lightly' on self-signed certs, that's pretty optimistic view of human behavior. If the world overnight became self-signed, the treading lightly would evaporate quickly.

Multiple CA signatures seems like a good idea.

Re:Weakest link

[tftp]

Multiple CA signatures seems like a good idea.

If CAs sign new certificates without checking much, do you think they'd be checking anything at all to add a signature to an existing certificate?

The whole problem stems from the fact that CA companies are full of people who cut corners. People always made mistakes, and they will be making more mistakes until a computer replaces them. You can't fix that by adding more bad CAs into the mix - out of several signers it will be always "the other one" responsible. At least with one CA they have an incentive to remain honest (the future of DigiNotar is probably not very exciting.)

Servers run by Diebold

[cvtan]

Clearly they were using voting machines for web servers. That explains everything. Oblig: http://xkcd.com/463/

"No antivirus software was present"

[Neil_Brown]

on Diginotar's servers

Is this uncommon? Do most (sane) administrators run anti-virus on each of their servers?

Re:"No antivirus software was present"

[imroy]

Do most (sane) administrators run anti-virus on each of their servers?

I guess you do if you're running Window servers, which apparently Diginotar were.

Re:"No antivirus software was present"

[somersault]

If they're Windows servers, then yes..

Re:"No antivirus software was present"

[gmuslera]

Is debatable if running windows in critical servers is something that sane administrators would do. sane administrators shouldt need to run antivirus in their servers, either because run something safer or know enough to avoid running into that risks.

Re:"No antivirus software was present"

[jhoegl]

Only if multiple people have access, or there are user files stored on it would i need anti-virus.

If you are the only one that has access, no user files are stored, and it performs simple tasks... probably not needed.

See, what people who think Anti-virus is important dont seem to understand is that it wont protect against vulnerabilities, nor against 0 day. It is a false sense of security for the senseless. I can run for years without anti-virus and never get a virus. How would I know if I dont have an antivirus, that I dont get viruses? I dunno... how do you know you dont have a virus even with anti-virus?

You see, anti-virus is really the user being smart enough to understand what they are doing, and understand anomalies of the system they are working on.

Re:"No antivirus software was present"

[UnknowingFool]

While your points on 0 day bugs is true, in this case, the malware would have been detected by current AV software. AV software is no magic pill that will solve all security problems however I don't understand why the company didn't use it.

Re:"No antivirus software was present"

[confused+one]

Well, according to Netcraft, 15% of the web is run on IIS. That's potentially a lot of insanity.

Re:"No antivirus software was present"

[BLKMGK]

How would that have worked? A CA is responsible for pumping out certs, for a fee, all day every day as well as verifying existing certs. If you think that this isn't done in an automated fashion by every CA out there then you don't understand the volume! All this guy did was break in and get the CA to do what it's normally setup to do and bypass the checks that would normally prevent the action. An air gap isn't reasonable in this scenario and I bet no other CA has one either. Personally I'm not surprised that this was done and if Iran had had a CA like Russia and China do then he might not have needed to bother.

Re:"No antivirus software was present"

[Enderandrew]

I'd contend that you're betting running anti-virus on Windows servers than running without it, but at the same time I think far too many people see it as a crutch.

Most anti-virus software scans files already in your system against a list of known infections. It is far too easy to fuzz past detection, not to mention that it can't protect against the latest unknown infections.

The best protection is proper sandboxing and security policies. Don't let anything in unless you have to. Don't trust anything.

And honestly, I'm pretty disappointed that a company that signs certs was running Windows servers in the first place.

Re:"No antivirus software was present"

[Ja'Achan]

Do them once a day? Why would you need a certificate within 15 minutes?

Re:"No antivirus software was present"

[BLKMGK]

Because maybe your competitors do it that fast? Want to bet they aren't much different than any other CA in this regard?

And even if this was air-gapped somehow - why does anyone think the request wouldn't have gone right through with the other thousand(s?) or more requests bulk shipped through? How exactly would that have helped? The guy didn't *just* create a cert - he pushed it through their entire system including their databases that affirm it when a revocation is checked.

Really all it seems like he needed to do was bypass any checks in their system to prevent a dupe cert from being created, bypass some payment stuff maybe, and insert his request into the queue - all of the backend processing and firewalling in the world wouldn't have said Boo! if the request looked legit. Air-gapping this would have done nothing but slow business for this CA and *NOT* have stopped this "attack".

How exactly would an air-gap have changed the outcome?

Re:"No antivirus software was present"

[Kalriath]

Considering the target of most of that type of attack actually is Linux/BSD servers, it's quite reasonable to expect you'd have antivirus (or better, Intrusion Prevention Systems) on them. With PCI in play, it's even required. ClamAV is free and does the job well enough I'm led to believe.

Fear the mighty script kiddy

[jellomizer]

We need to stop giving these "Hackers" such press. Oh they broke into a insecure system. They must be real Computer Geniuses. There should be far more press about the state of the hacked sites security, and less on those actual hackers. The hackers are just some dumb kids who did some quick searching around and got some silly tools. The real story is that such organizations have such a poor security.

Re:Fear the mighty script kiddy

[cpscotti]

I kind of agree with you on the press thing but saying they are "just silly kids" is a bit too far. You mention the obscure term "silly tools", but then WHO makes the SILLY tools? And what makes you think that whoever built the SILLY TOOL is not using it.

It's not that simple. If it was that simple the "mafias/organized crime" would dominate this "for profit". If you really don't acknowledge that some of this kids work HARD and are indeed quite skilled than I'll assume you have never tried hacking anything while a teenager and that you don't use online banking.

Some of these kids are indeed brilliant. Admiring them or not is the only matter here.

Re:Fear the mighty script kiddy

[jellomizer]

No I wouldn't go that far.
"Organized Crime" wouldn't dominate because there isn't much money/risk for hacking. A single person may make a good living but organized crime has resources and wouldn't be profitable. And for the most part hackers are able to take a site down and create damage but not really get anything really valuable out of it. It would be like the mafia going around knocking down people mailboxes just for the sake of it.

Those tools while made by someone who isn't a complete idiot, But the tools they get they can probably figure out rather quickly. Then cause damage. Ok they are not idiots but they are not super smart.

Re:Fear the mighty script kiddy

[erroneus]

It's not the hacker that is the story, but the light on the security situation at large. That a script kiddy was able to do this adds to the embarrassment. Unfortunately, most people will not understand this fact and will instead seek to destroy all script kiddies. ... this is the same mentality in the medical world that has led to the unintentional creation of MRSA. The over-use and dependence on killing everything that might be a germ has bred superbugs. And these days, they are also seeking to destroy all 'hackers' rather than seeking to manage the security of the networks better.

Re:Fear the mighty script kiddy

[BLKMGK]

Umm, this "kid" was able to pump out certs from a CA that could potentially have allowed a great deal of damage. He didn't just break in and deface the system, he broke in and got around the systems that were in place to prevent these kinds of certs from being produced - unless you think this CA didn't know that Google and Microsoft were already rooted elsewhere.

As for not being able to do more than damage.... what do you call having a database of credit cards stolen? SSNs? Credit card PROCESSING systems? That's not damage? You think organized crime isn't doing that?

Re:Fear the mighty script kiddy

[Enderandrew]

Admiration is the problem.

You gain more fame for hacking a system than you do for discovering the same vulnerability and quietly patching it. I know companies like Google offer bug bounties, but what if they gave awards and more public recognition?

Re:Fear the mighty script kiddy

[Doctor_Jest]

I think this kid's a distraction. It's rather like a "hey look over here!" while someone else is picking your pocket.

Organized crime isn't advertising. They aren't in it for the "LULZ" or whatever. They are conducting "business" and in the process of conducting that business, they put up distractions like this person who claims responsibility (or allow this person who is totally bogus but in it for the fame) to deflect interest in looking at them as the culprit.

"Virtual sleight of hand".... for lack of a better term, I guess. :)

Re:Fear the mighty script kiddy

[Nyder]

We need to stop giving these "Hackers" such press. Oh they broke into a insecure system. They must be real Computer Geniuses. There should be far more press about the state of the hacked sites security, and less on those actual hackers. The hackers are just some dumb kids who did some quick searching around and got some silly tools. The real story is that such organizations have such a poor security.

Welcome to the media. Please note, the the "security" companies have money, stockholders, etc, while the "hackers/script kiddies" don't, so guess who's going to get the most attention?

Re:Fear the mighty script kiddy

[rastos1]

The hackers are just some dumb kids who did some quick searching around and got some silly tools.

Oh really? There are now point&click tools that crack CA's floating on the web? Somehow I don't believe that.
Cracking your average home desktop? Yes.
Sending e-mail with attached trojan to clueless secretary in a company with no good IT department? Yes.
Was DigiNotar run by some clueless idiot? Possibly.
Can you come up with a cracked CA within a week? Doubt it.

Re:Fear the mighty script kiddy

[lennier]

I know companies like Google offer bug bounties, but what if they gave awards and more public recognition?

Shouldn't we be more worried about what it says about our industrial quality control processes for software engineering that huge companies like Google and Microsoft apparently can't find the bugs in their own software before they ship, while organised criminal gangs can?

Yes, one solution might be to just let criminals write security-critical software, since they apparently are a lot smarter at doing this than big business. But, um. How about if we invested in ways of actually detecting whether software we write is meeting its specifications rather than relying on accidental discovery?

I know it's a radical, insane, ridiculous idea and a one in a million shot - but it's so crazy it might just work!

Re:Fear the mighty script kiddy

[muckracer]

> The weakest link of CAs is trust.

The weakest link of trust are CA's.

TFIFY!

Re:Fear the mighty script kiddy

[Enderandrew]

This just isn't as trivial as you make it out to be. When you've got software projects with millions of lines of code, it is extremely hard to properly debug that code. Finding all potential security vulnerabilities is even harder. And it isn't like every kid who spends 5 minutes looking finds an exploit. Large numbers of hackers spend lots and lots of time to discover an exploit.

And suggesting that criminals should just write the software is also a flawed premise. It isn't that hackers are inherently smarter than all software developers, though occasionally developers make stupid mistakes. Given enough time and enough people looking, you're going to find exploits in complex software. It is exceedingly difficult to write secure software.

Honest question:

[Haedrian]

How DOES one become a trusted CA? Shouldn't there at least be some sort of procedure to check that they can be trusted?

Re:Honest question:

[tetromino]

Well, here are the requirements for a CA's certificate to be included in Mozilla products. In particular, they require an independent audit of the CA's policies and internal operations. Presumably other browser vendors follow similar procedures.

Re:Honest question:

[DdJ]

How DOES one become a trusted CA?

By social engineering applied to the browser vendors.

Re:Honest question:

[LighterShadeOfBlack]

Also, shouldn't there be ramifications for those who don't take that responsibility seriously, to the point of gross negligence?

Re:Honest question:

[timmy.cl]

You definitely hit the nail! We should establish a new system that proves the CA's are trustworthy. I'd name it CACA*, for Certification Authorities' Certification Authority. Better yet, it should be decentralized, so there should be many independent CACAs all around the world, and every computer out there will have every CACA's certificate installed. This will definitely be the ultimate, perfect, unbreakable trust system.
 
* Pun intended: "caca" is spanish for poop.

Re:Honest question:

[houstonbofh]

Well, here are the requirements for a CA's certificate to be included in Mozilla products. In particular, they require an independent audit of the CA's policies and internal operations. Presumably other browser vendors follow similar procedures.

Now I get it! He was not a hacker, or a cracker. He was an independent auditor!

Re:Honest question:

Maybe it was this auditor.

Re:Honest question:

[bill_mcgonigle]

Nah, sounds more like this one.

Re:Honest question:

[bill_mcgonigle]

And Mozilla gave these jokers a pass while raking CACert across the coals.

That distinction is very instructive as to the real motivations of the PKI industry.

Re:Honest question:

[jafac]

+1 "Truth to power"

Re:Honest question:

[lennier]

How DOES one become a trusted CA? Shouldn't there at least be some sort of procedure to check that they can be trusted?

I think the procedure is "have a quiet chat with the head of the NSA/CIA/MI6, in the queue right after Colonel Gaddafi".

Re:WTF?!

[somersault]

It all made sense to me, and it's useful to know that SSL is less than trustworthy right now.

By the way - you spelled blatantly wrong while saying things were wrong. Ho ho ho.

More details from the Pastebin source

[arglebargle_xiv]

According to the hacker's Pastebin message, one of the other CA's he's 0wned was GlobalSign, a fairly major CA for which it won't be so easy to pull the root certificate as it was for Diginotar. He's also claiming responsibility for the StartSSL breach that occurred a month or two back. GlobalSign have reportedly gone into panic mode. It also includes other details like:

I got SYSTEM privilage in fully patched and up-to-date system, how I bypassed their nCipher NetHSM, their hardware keys, their RSA certificate manager, their 6th layer internal "CERT NETWORK"

as well as their domain admin password Pr0d@dm1n (you can see why Dignotar passed their security audit, they didn't use password1).

Re:More details from the Pastebin source

[cbiltcliffe]

as well as their domain admin password Pr0d@dm1n (you can see why Dignotar passed their security audit, they didn't use password1).

It's got upper and lower case letters, numbers, and special characters. By the rule book, that's a really good password.
But to those of use who understand security on an instinctual basis, which is pretty much what's necessary to make it workable, it's obviously a terrible password.

The organization is the interesting part

[alfredos]

How does an organization that works with moderately complex technology, where security is of the utmost importance, go down such a dark alley so many others have treaded before with foreseeable and dreadful consequences? Point-haired bosses? perhaps appointed by politicians? Too good a business to think about the pillars? Seriously, did they never ever have anyone raise the alarm? What happened if someone did?

Re:The organization is the interesting part

[houstonbofh]

Doing it right costs more money than the PHBs want to spend. At every job I have had, I have gone to management with "This is a bad idea, and it will bite us." Most of the time when we get bit, I do not get the blame. Sometimes, even with the repeated and documented warnings, I get the blame anyway. And soon after, a new job with a, hopefully, more sane company.

Re:The organization is the interesting part

[rjstanford]

Maybe if you'd gone to them with "This is a bad idea, it has a xx% chance every month we're doing it of costing us $$$ in direct fees and around $$$ in indirect bad press. I can rectify it for $ plus $ per month," they'd have taken you up on the suggestion?

Alternately, maybe you would have realized as they did (correctly in some cases, not so in others, I'm sure) that the economics actually supported not fixing the problem?

Re:The organization is the interesting part

[houstonbofh]

I can accept that in many cases. It is when they flip flop later to blaming me for the exact thing I warned them about that I start polishing up the CV.

Re:The organization is the interesting part

[firewrought]

Maybe if you'd gone to them with "This is a bad idea, it has a xx% chance every month we're doing it of costing us $$$ in direct fees and around $$$ in indirect bad press. I can rectify it for $ plus $ per month," they'd have taken you up on the suggestion?

Being able to speak the language of your target audience is a great success skill, especially when that audience is management. What strikes me, however, is that managers should know this better than techies. They (or the appropriate project manager) should be helping to illicit this sort of thought into cost/risk tradeoffs from their subordinates and using this to make sound business decisions. Ultimately, the obligation to identify business risks and implement mitigations lies on management.

Re:The organization is the interesting part

[DrBoumBoum]

Maybe if you'd gone to them with "This is a bad idea, it has a xx% chance every month we're doing it of costing us $$$ in direct fees and around $$$ in indirect bad press. I can rectify it for $ plus $ per month," they'd have taken you up on the suggestion?

I used to be very idealistic too when I was much younger. Ah the good old days :-)

No antivirus software on the server?

[caseih]

May we assume by this finding in the Dutch report that the servers were not running any form of Unix or Linux? In any case I do not see how an antivirus program is going to stop an intrusion.

I used to chuckle when our local credit-card processing system would ask me to ensure that my web server had an up to date antivirus package installed. Rather than out right lie, I explained to them that my web server ran Linux and that they don't run antivirus software, but are kept patched and secured with proper firewall rules and proxy servers, and protected by the IDS at the border of the DMZ.

Anyway, not even sure why they mentioned antivirus software at all. The problem was more systemic. Their entire system did not seem to be built with security in mind. Where was the IDS? Why did the public-facing servers have the CA private certificates on them at all?

Re:No antivirus software on the server?

[ledow]

Worse than that - their all-Windows servers (including the signing server) were all part of the same domain and so all could be logged into with a single set of credentials (which is what the intruder had, by brute-forcing that crappy password) and all joined to the same networks.

Re:No antivirus software on the server?

[tqk]

All major AV firms now have antivirus packages for Linux (Un*x) that offer both realtime (on-access) and on-demand (hand-started) virus scan protection. They protect the Linux OS as well as the Windows people who connect to Samba, Apache etc. from the transmission of malware.

Proving there are admins out there who're highly susceptible to the marketing claims of AV vendors. BS!

I can understand if your *nix box is the SMTP Smarthost or the Samba server for a bunch of user/Win* boxes, that you'd want to try to scrub crap out of incoming stuff before passing it onto the internal LAN/WAN. However, that's got nothing to do with protecting the Smarthost or Samba server.

Good security practices are generally more than capable of protecting *nix boxes, specifically don't allow the server to be connected to except by services its expected to handle and that you've verified are secured. AV just sucks up CPU cycles, provides a false sense of security, and makes AV vendors rich.

Re:No antivirus software on the server?

[StikyPad]

AV just sucks up CPU cycles, provides a false sense of security, and makes AV vendors rich.

Proving there are admins out there who're highly susceptible to the "best practices == invulnerability" fallacy. AV is a lot like insurance in that it may increase overhead with no ROI. But on the other hand, it can mitigate an otherwise catastrophic event, and better than insurance, it can protect against that event rather than cover the costs of cleanup. It's not a silver bullet by any means, but neither is it a wasted effort; it's merely a part of a comprehensive and competent information assurance program.

Re:No antivirus software on the server?

[tqk]

Geez, another one! Q.E.D.

Re:No antivirus software on the server?

[dropadrop]

Why did the public-facing servers have the CA private certificates on them at all?

I don't think that was the case, rather the network was accessed via unpatched public-facing servers. Aparently the subnet (assuming they where not in the same network segment) with the more crucial servers and certs was accessable from those public-facing servers, and authentication was successfull with that joke of a password.

BTW, I would find it quite a strech to say an IDS protects, rather it monitors and notifies of potential problems (unless you mean IPS). However in this case it could have picked up the attack.

Re:WTF?

[ledow]

Because, if you understood anything about PKI, you'd know that all major browsers would have trusted these certificates by default for over a month for sites such as Google, Windows Update and a myriad other popular sites.

And still we don't know what else may have slipped through the net and got certified. The hack was hardly social engineering either - they brute-force cracked Windows domain passwords after gaining entry through compromised web-based servers.

Yes, the CA is an idiot (first, they were running Windows servers in the same domain for certificate generation and day-to-day management, for God's sake!), and they should have noticed... but to the end-user and even associated techies (like the entire Dutch government IT who were trusting these certificates) it's big news.

Next time you go on Google, be thankful your browser has been checking OSCP revocations and hope that you DIDN'T visit Google in the time before the revocations occurred (several weeks).

'Claiming' to be the hacker?

[plover]

Hell, if he really hacked it, he'd have signed the message with DigiNotar's key. He's the only person in this whole debaucle I'd trust to actually have a clue as to how to really use their certificates.

Re:'Claiming' to be the hacker?

[cronius]

He could publish a signed certificate of "ComodoGateHackerOwnsDiginotar.com". Or he could sign a domain name consisting of e.g. a base64 encoded compressed message.

Re:'Claiming' to be the hacker?

[chrb]

As a proof to show that he really did infiltrate DigiNotar, he shares the domain administrator password of the CA network: Pr0d@dm1n. DigiNotar would be able to confirm if this was accurate or not.

Maybe something will come of that...

Re:'Claiming' to be the hacker?

[schuinestreeppunt]

Well, at least the real hacker made sure that this hack would be linked to the Comodo hack:

A script was found on CA server public 2025. The script was written in a special scripting language only used to develop PKI software. The purpose of the script was to generate signatures by the CA for certificates which have been requested before. The script also contains English language which you can find in Annex 5.3. In the text the hacker left his fingerprint: Janam Fadaye Rahbar. The same text was found in the Comodo hack in March of this year. This breach also resulted in the generation of rogue certificates.

Given the date of the publication on pastebin, the person who is now claiming to be the hacker only has proven that he or she has read the report.

Re:'Claiming' to be the hacker?

[shutdown+-p+now]

Hell, if he really hacked it, he'd have signed the message with DigiNotar's key.

The most recent message from the guy gives the following link as a proof:

http://www.multiupload.com/EHI7YZAF4G

with the following explanation:

"I signed windows calculator using Google Cert, you have to have private key of cert to be able to sign calculator. It's enough reason/proof."

epic FAIL

[inode_buddha]

"a) No antivirus software was present on Diginotar's servers; b) 'the most critical servers' had malicious software infections; c) The software installed on the public web servers was outdated and not patched; and d) all servers were accessible by one user/password combination, which was 'not very strong and could easily be brute-forced.'"

 

EPIC FAIL
 

Re:epic FAIL

[jimicus]

Not necessarily, you put Windows onto a domain and all of a sudden you're one person with Domain Admin rights and a stupid password away from having the whole lot compromised.

Throw in the sort of corporate politics that often leads to non-technical senior managers demanding (and getting) domain admin rights and there you go.

Re:epic FAIL

[Thud457]

Throw in the sort of corporate politics that often leads to non-technical senior managers demanding (and getting) domain admin rights and there you go.

That's what honeypots were invented for.

Compromised CAs

[unencode200x]

FTFA:

3.2

Compromised CAs

The attacker(s) had acquired the domain administrator rights. Because all CA servers were members of the same Windows domain, the attacker had administrative access to all of them. Due to the limited time of the ongoing investigation we were unable to determine whether all CA servers were used by the attacker(s). Evidence was found that the following CAs were misused by the attacker(s):-

DigiNotar Cyber CA-
DigiNotar Extended Validation CA-
DigiNotar Public CA - G2-
DigiNotar Public CA 2025-
Koninklijke Notariele Beroepsorganisatie CA-


Stichting TTP Infos CAThe security of the following CAs was compromised, but no evidence of misuse was found (this list is incomplete):-

Algemene Relatie Services System CA-
CCV CA-
DigiNotar PKIoverheid CA Organisatie - G2-
DigiNotar PKIoverheid CA Overheid en Bedrijven-
DigiNotar Qualified CA-
DigiNotar Root CA-
DigiNotar Root CA Administrative CA-
DigiNotar Root CA G2-
DigiNotar Root CA System CA-
DigiNotar Services 1024 CA-
DigiNotar Services CA-
EASEE-gas CA-
Hypotrust CA-
MinIenM Autonome Apparaten CA - G2-
MinIenM Organisatie CA - G2-
Ministerie van Justitie JEP1 CA-
Nederlandse Orde van Advocaten - Dutch Bar Association-
Orde van Advocaten SubCA Administrative CA-
Orde van Advocaten SubCA System CA-
Renault Nissan Nederland CA-
SNG CA-
TenneT CA 2011-
TRIAL DigiNotar PKIoverheid Organisatie TEST CA - G2-
TU Delft CA


For some of these CAs extra security measures were in place (like the CCV CA). This makes it moreunlikely they were misused.

Re:Compromised CAs

[unencode200x]

The timeline:

PUBLIC 13 - Orde van Advocaten SubCA Administrative CA- Orde van Advocaten SubCA System CA- Renault Nissan Nederland CA- SNG CA- Stichting TTP Infos CA- TenneT CA 2011- TRIAL DigiNotar PKIoverheid Organisatie TEST CA - G2- TRIAL DigiNotar PKIoverheid Organisatie TEST CA G2- TU Delft CA 5.3 Plain text left in script to generate signatures on roguecertificates5.4 Timeline

06-Jun-2011 Possibly first exploration by the attacker(s)
17-Jun-2011 Servers in the DMZ in control of the attacker(s)
19-Jun-2011 Incident detected by DigiNotar by daily audit procedure 02-Jul-2011 First attempt creating a rogue certificate
10-Jul-2011 The first succeeded rogue certificate (*.Google.com)
20-Jul-2011 Last known succeeded rogue certificate was created
22-Jul-2011 Last outbound traffic to attacker(s) IP (not confirmed)
22-Jul-2011 Start investigation by IT-security firm (not confirmed)
27-Jul-2011 Delivery of security report of IT-security firm
27-Jul-2011 First rogue *.google.com OSCP request
28-Jul-2011 First seen that rogue certificates were verified from Iran
04-Aug-2011 Start massive activity of *.google.com on OCSP responder
27-Aug-2011 First mention of *.google.com certificate in blog
29-Aug-2011 GOVCERT.NL is notified by CERT-BUND
29-Aug-2011 The *.google.com certificate is revoked
30-Aug-2011 Start investigation by Fox-IT
30-Aug-2011 Incident response sensor active
01-Sep-2011 OSCP based on white list

The words "criminal negligence" come to mind.

Re:Compromised CAs

[DrBoumBoum]

Known compromised CAs

FTFY

Dutch security

[SigILL]

I say that as a dutchman. I'm ashamed to be from the same country as these bozos.

Re:Dutch security

[rvw]

I say that as a dutchman. I'm ashamed to be from the same country as these bozos.

Did you read the pastebin? He hacked Diginotar specifically because of Srebrenica 16 years ago. Something else to be ashamed of. And I'm not ashamed about these Diginotar bozos. The Dutch government should be blamed here for trusting them completely. If Fox-it could find all these problems within a week, why didn't the government find out earlier?

It's Ichsun

[GameboyRMH]

The hacker is Ichsun again, better known as "skill of 1000 hackers."

Re:CAs are dinosaurs

[GameboyRMH]

Self-signed certs, distributed verification system. Try it out now:

http://www.networknotary.org/firefox.html

http://www.convergence.io/

Have you been living in a cave?

From the report...

[MtHuurne]

First, here is the actual PDF instead of some web-based PDF viewer surrounded by dubious ads.

The most damning statement from the report (in my opinion) didn't make the summary: "The separation of critical components was not functioning or was not in place. We have strong indications that the CA-servers, although physically very securely placed in a tempest proof environment, were accessible over the network from the management LAN."

I have worked at company that generated encryption keys and they did so on a PC in a locked rack in a locked room with no network connection; such an approach would have prevented this attack.

This fragment from the timeline is also interesting:

19-Jun-2011 Incident detected by DigiNotar by daily audit procedure
02-Jul-2011 First attempt creating a rogue certificate
10-Jul-2011 The first succeeded rogue certificate (*.Google.com)

So an incident was detected three weeks before the first rogue cert was issued.

Re:From the report...

[BLKMGK]

Umm bullshit?

Lets play pretend that this was air gapped\tempested\protected by dogs and this guy managed to insert a request for a cert into their system bypassing any dupe checks and payment crap. It would have been dutifully carried on whatever media they had used a million times before to the "special" machine, a cert created, and the cert sent on it's way to the attacker same as any other.

How does an air gap solve this problem exactly? Doing them by hand and checking their authenticity with a human is a great idea when you do it say once a week. Do it a few thousand(s?) times a DAY and the human validation falls apart. He didn't have to steal the keys to create certs on his OWN machine (nothing I've seen so far says he did), in fact that would have been more worthless, instead he likely got the system to make certs for him just like others. This way when revocation checks were done his cert checked out instead of being 404 and raising flags. That is what appears to have happened to me, air gap doesn't solve this IMO.

Re:From the report...

[BLKMGK]

Okay, read the Fox-it report. The certs serials were apparently NOT in the revocation database. For some assbackwards reason the RFC says when NOT found at all that the server responds "good" but if found and listed as revoked to deny. Wouldn't it make more sense to require all requests to be confirmed in the database? Was this a speed thing putting this into the RFC? The server is now checking and rejecting if not found it seems - it's how they know what certs are dorked....

Re:From the report...

[asdfghjklqwertyuiop]

Wouldn't it make more sense to require all requests to be confirmed in the database?

In what database? The CA's signature on the certificate is supposed to be confirmation that cert is legit.

Re:From the report...

[BLKMGK]

Read the Fox-It report. There's a database for revoked certs that responds to a query. If the cert is rooted at a CA it checks that CA's database it sounds like. If the cert isn't found or is found and marked good the cert passes. So there's no database of all certs from A CA that gets checked from the sounds of it. I guess I can see where a really large database would have issues and just having revoked certs would be enough but in this case it apparently allowed bad certs not officially issued through their system to be marked okay until they changed the behavior... That's the best I can make of it anyway!

Re:From the report...

[asdfghjklqwertyuiop]

Why would any CA publish a database of good certs? That's the whole point of the signature with their private key. The valid signature means "good".

Re:From the report...

[BLKMGK]

Good point - except in this case where the certs weren't supposed to have been created. You're right though, they shouldn't have needed to be able to check them that way. The report does seem to indicate they changed the behavior to catch bad certs though so it sounds as if there were at least some mechanism to look up good certs in the revocation database.

All Messages from ComodoHacker

[eulernet]

Here are the messages from ComodoHacker on pastebin:

http://pastebin.com/u/ComodoHacker

He published a cert for Mozilla in March.

Bacon

[blueg3]

a) No antivirus software was present on Diginotar's servers;

As per the XKCD, if this is a problem, you're already doing it wrong. Antivirus software won't save you against sophisticated attacks, only unsophisticated ones. CAs need to be safer than that.

b) 'the most critical servers' had malicious software infections;

Probably because of (c).

c) The software installed on the public web servers was outdated and not patched;

Seriously, everyone who runs a business should know not to do this.

and d) all servers were accessible by one user/password combination, which was 'not very strong and could easily be brute-forced.

Well, that's just stupid.

So (c) and (d) are the real problems, and they're pretty obviously problems.

Well, there's one thing they got right...

[grangerg]

a) No antivirus software was present on Diginotar's servers;

This shouldn't have been listed; it should be considered a good thing. However, considering the rest of the things they did, I doubt they actually knew it was a good idea.

Antivirus software on a production server should be the exception, not the norm; it's just one more attack vector. In the end, it's just a blacklist pattern matcher. If the exploit isn't on the list, it goes right in the front door---and it can't watch all the "doors" either. The AV companies have some really good marketing going on if the FUD has the security experts this paranoid.

Re:Well, there's one thing they got right...

[0123456]

a) No antivirus software was present on Diginotar's servers;

This shouldn't have been listed; it should be considered a good thing.

If they were running antivirus software it would mean they were running Windows on their servers, which would be insane.

Re:Well, there's one thing they got right...

[BLKMGK]

AV products are a little smarter than that now. A little....

Re:Well, there's one thing they got right...

[ais523]

Antivirus software should be the norm on mailservers, regardless of what OS they run. (And it should primarily be set to check for Windows viruses.) It's worth making sure that there aren't known exploits or malware included in the mails that you're forwarding to your users, even if the server itself wouldn't be affected by them.

It's possible to make a plausible argument along these lines for webservers too, although a much less strong one.

SSH does it right.

[grnbrg]

The ssh host key for a server is generated automatically by the ssh daemon the first time it runs.

The first time a user connects to that server, they get a fingerprint they can check, and a "This is the first time you've connected to this host, are you sure it's the right one?". Subsequent connections are silent, unless the host key changes. You get a big, scary message if a host you've allowed in the past changes it's key. (As this signals a potential MITM attack.)

SSL certs should be handled the same way by the browser. If you tell the browser you trust CAs, then a new certificate can be automatically approved. Self-signed certs (or all certs if you opt to not trust CAs) get a quiet "Oh, this is a new server. No big deal. Are you sure it's legit?" message. If any cert changes before its expiry date, shout dire warnings. (If a cert changes, but the stored fingerprint has an expiry date that is passed, tell the user in a non-threatening way that they need to be sure of their destination.)

In nearly all cases, the question of who made a certificate is not of any real use to the end-user. All they need to know is that the server they connected to yesterday (their bank, Facebook, GMail, or whoever) is the same server they tried to connect to yesterday.

Re:SSH does it right.

[grnbrg]

Dammit.

".... is the same server they're trying to connect to today."

Re:SSH does it right.

There's an add-on for Firefox called Certificate Patrol which does precisely that - it even shows you the diff between the old and new certificate. Alas, it still requires constant vigilance - Joe Random User will click through any warning, no matter how scary, if promised scantily clad dancing bunnies.

Re:SSH does it right.

[vadim_t]

If you're using SSH that way, you're donig it horribly wrong.

SSH's security comes from you verifying the key. In a CA system you delegate that responsibility to somebody else, but with SSH that responsibility falls squarely on you, and the security of the system depends on you doing the checking properly.

When using SSH correctly what you do is to obtain the system's fingerprint by yourself, or from whoever allows you access to their server over a secure channel, connect, and verify that it matches. Only then can you be sure everything is secure.

To be really, really sure that no MITM is going on with SSH you have to obtain over a channel that doesn't allow it to happen, such as from the local console. Learning fingerprints from email or IM conversations isn't guaranteed to be safe.

Ignoring the fingerprint and hoping that you weren't a victim of MITM the first time you tried connect is very, very wrong. There are plenty scenarios where that is trivial to exploit, such as with a malicious open wifi network.

Re:SSH does it right.

[firewrought]

In nearly all cases, the question of who made a certificate is not of any real use to the end-user. All they need to know is that the server they connected to yesterday (their bank, Facebook, GMail, or whoever) is the same server they tried to connect to yesterday.

While I believe Schiener made a similar argument, the problem is that I really do want to know that the server I'm talking to is owned by the entity I think I'm talking to. Maybe it doesn't matter for a site like slashdot, but it sure as heck matters for my bank, gmail, etc. This necessitates some sort of PKI or web-of-trust model.

Re:SSH does it right.

[rvw]

There's an add-on for Firefox called Certificate Patrol which does precisely that - it even shows you the diff between the old and new certificate. Alas, it still requires constant vigilance - Joe Random User will click through any warning, no matter how scary, if promised scantily clad dancing bunnies.

Thank you for this tip! Very useful in getting a little bit more grip on the whole situation.

Re:SSH does it right.

[KiloByte]

Or, better, require that the new cert is signed by the just expired key, and if not, raise the dire warning.

Re:SSH does it right.

[TheCarp]

I run it too...

I noticed recently that facebook changed its certs a couple of times. Aside from that, it still has the same problem that all other certs have... yes they are valid certs, signed by some "valid CA" (according to the built in CA list)... yes, I know now...and I can be "curious" or "concerned' but there is little else I can do.

If it were my friend or colleague's server, I could call him up to verify... um... but to do that for most sites is hard... facebook?

You are right

[whoda]

It's the same as equivalent resistance of resistors in parallel, slightly weaker than the weakest link.

Re:You are right

[arglebargle_xiv]

It's the same as equivalent resistance of resistors in parallel, slightly weaker than the weakest link.

It's actually the same as metaphors in parallel, only as nebulous as the most stretched metaphor.

And I am not buying it

[iamhere]

It's not really likely that this person did the 'hacking' on his own. The certificates somehow found their way into the Iranian backbone networks and I do no believe that they got there by the actions of one person, nor do I believe that they could get there without the backing of the Iranian government (or some cabal within it). The message on pastebin is clearly formatted to make some people believe in a ' lonely superhacker', but I am not buying that line. For one the first sentence ends on 'us'.

Re:And I am not buying it

[Errol+backfiring]

Why not? It seems that you can hire entire botnets including hacking software of your choice. So a brute-force attack is hardly anything you need to make your hands dirty on. The hardest part is finding a vendor without attracting attention.

Apart from that, I find it hard to believe that a malicious hacker would step out into the open. And an ethical hacker would have gone public very soon after the hack.

Re:And I am not buying it

[iamhere]

The reason this 'statement of the hacker' is put on the internet is to try and present an image to the public of some rogue individual being behind this. However I feel they overdid the l33t hacker stuff making it a bit preposterous. Then they add in a reference to Srebrenica to make it seem this 'individual' had a valid motive for attacking a Dutch company. From the circumstances of where the certificates appeared it is however clear that the problems in the Netherlands are just collateral damage while the real targets live in Iran and no motive for the Netherlands is necessary.

I do believe that there are not many people necessary for this act of cyber war, and that there are some young individuals involved that started out as just individual hackers for the love of it but the way the rogue certificates have shown up clearly demonstrates to all the involvement of the Iranian government (or some subset thereof). The Iranian governement has powerful motives and means to commit this act. Also the deeply invasive Stuxnet act of war perpetrated against them will make them by and large oblivious to some Dutch people being duped in the course of their actions.

There is a nice echo to this from the Stuxnet affair. After that was found out there were also many bogus claims being circulated on the Internet of other countries like China or Russia to be the real target, no doubt instigated in part by Isreali and American intelligence agencies. And we all know what kind of FUD that turned out to be.

Stuxnet and this CA certificate hacking also demonstrate the internet has entered a new age of being really entwined in politics, commerce and war in all its facets.

The irony...

[rainer_d]

...of an ad selling "high assurance ssl certificates" on the top of this page is hardly beatable.

"High assurance" now just means "not p0wned, yet".

Re:The irony...

[cbiltcliffe]

...of an ad selling "high assurance ssl certificates" on the top of this page is hardly beatable.

"High assurance" now just means "not p0wned, yet, that we know of".

There, FTFY.

Then start your own private CA

[tepples]

I really am not concerned with MITM attacks on my own LAN, and in the VPN network.

I agree with Anonymous Coward: start your own private certificate authority and install its root certificate on PCs on your LAN and PCs that connect to your VPN.

MITM from day one

[tepples]

If I connect to a site with a SS cert, I get a warning about it, and whitelist that cert. If I come back some other time, and there is a new self signed cert, I get the warning again.

And if there was already a man in the middle on the first day you visited the site, you're screwed. There is the Perspectives project, which uses network route diversity to detect a man in the middle, but it doesn't work so well if the man in the middle is situated between the server with the self-signed cert and its upstream Internet connection, such as a server behind a country's firewall.

Re:And Yet

[mla_anderson]

The admin's point of view should be that there will always be barbarians at the gates, it's his job to keep them out. In this case the admin instead put up a big bright neon welcome sign. It is this gross negligence which so over shadows the hacker's criminal activities that causes outrage here. This is part of the way we self police, or at least educate. In the non-tech inclined world the perceived level of responsibility will be switched.

Re:And Yet

[SmurfButcher+Bob]

Because "the hacker" is inevitable. Period.

If you run into the center lane of a 70mph freeway and get hit by a truck, you do NOT blame the truck. If you jump off a building and hit the ground, you do NOT blame the ground. They are always there, and their existence must be expected.

What's the big difference?

[TheLink]

But how do you know whether the first, second, third, fourth, Xth CA signed cert you got is a good one?

What if the CA signed cert you got was actually created by the hacker? By default most browsers won't warn you, as long as the cert is signed by ANY of the dozens of CAs accepted by your browser[1] (I personally use Certificate Patrol so I am more likely to be warned in such situations - cert changed CA and changed way before expiry).

Seems a worse situation than the self-signed cert - where you can choose not to do any security sensitive stuff till you confirm that the self-signed cert doesn't change over time and over different ISP connections (and your email to the bank gets an appropriate response). If the hacker has MITM'ed the bank's internet connection and nobody (including the bank and their customers) has noticed even after a few days or a week, then it might not make a big difference - the hacker probably has pwned the bank in other ways.

Even with a CA signed cert I still had to email my bank to confirm it, because the cert changed from a single host cert to a multiple host cert for multiple countries, signed by a different CA (remember: most browsers by default would not warn you in such a situation). Are you so confident that it would still be OK to login and do transactions in that situation?

So what's the big difference in security? If you talk about "normal users" there's no difference. Normal users can get pwned just because the hacker gives the bank the user's mother's maiden name as the "security answer" or other corporate idiocy. Or they'll get pwned because they got phished. Or they'll get pwned because they won't know that the valid CA signed cert is actually invalid.

If you talk about people who actually care and know about security, there is no real difference either - because they will still have to do extra checks.

[1] Firefox recognizes many dozens of CAs. Windows/IE recognizes any CA that has their cert signed by Microsoft or other appropriate installed CA, so even if the CA cert isn't listed at first, it will automatically get added (try deleting a CA root cert and watch it get readded when you visit their site using IE via https). Google Chrome on Windows by default recognizes any CA that IE recognizes (good luck ;) ).

Re:What's the big difference?

[vadim_t]

CAs are generally safer because browser vendors require passing an audit to be included. And like in this case, they will remove the certs for CAs that fail to perform properly.

If you were using self-signed certs in Iran, all they'd need to do is to do MITM at the ISP level, and you'd never, ever notice without an alternative non-Iran-controlled connection. They could simply take the site's cert, generate a new one on the fly with the same data, present it to you, and make sure to use the same cert the next time you access.

With a CA you at least have some protection so long the CAs aren't compromised. In fact in such a situation, a CA outside of the control of your enemies might be your best bet of remaining secure. Self-signed certs are entirely hopeless though.

Re:What's the big difference?

[TheLink]

In fact in such a situation, a CA outside of the control of your enemies might be your best bet of remaining secure

WRONG! Because most browsers don't warn you if _ANY_ CA (recognized by your browser) in the control of your enemies signs the site's certs. It just takes ONE out of the dozens, does not matter which CA! Recent versions of Google Chrome warn you but only for google's stuff (certificate pinning: http://www.imperialviolet.org/2011/05/04/pinning.html ).

Whereas if you can get the fingerprint of the self-signed cert from some other channel (e.g. get a friend outside the country to tell you), you will know if it is different from expected.

If it is always different from expected, you know you just can't use the site or ISP (which will be the same problem for the CA cert case).

Whereas if the fingerprint is correct you can use the site while it is OK, because most browsers by default will warn you the very moment the self signed cert changes. This is not true for the pwned CA signed cert situation (assuming default browser behaviour).

In contrast, even if you took the trouble to verify the CA signed cert fingerprint via a friend, it does not help - the cert could change later but the browser will NOT warn you!

So tell me again which situation is safer?

Re:What's the big difference?

[vadim_t]

The secure way of doing things with a CA:

Alice works at Yoyodyne, Inc. She has to make a business trip to Iran/China/your favourite not very trustable country.

Bob the Yoyodyne sysadmin generates a CA cert, gives it to Alice with a fingerprint.

Alice flies to Iran and uses Bob's CA cert to validate the cert on yoyodyne.com. Cert expires? No problem, Bob can make a new one and Alice will be able to trust it.

Company starts a new project that requires a second cert? No problem either, Bob signs the cert with the CA key and Alice can trust it.

Company starts a partnership with Acme? Bob generates a S/MIME certificate, attaches Acme's cert, signs the whole thing with his S/MIME cert, and Alice can trust the result.

Server gets compromised? Bob revokes the certificate and OCSP quickly makes it so that everybody finds out as fast as possible.

By just setting up the CA before hand a whole lot of problems is avoided. Alice doesn't need to wake Bob up at 3 AM to ask what's the fingerprint for the new cert. Bob can create new certs without having to do complex coordination with hundreds of workers around the world. People don't need to spend time slowly spelling out fingerprints over a noisy phone connection.

The CA system itself is secure, scalable and sound, what is not sound is that instead of having one CA the user really trusts they have a hundred certs from who knows where. But there's no reason why the user can't wipe the browser's cert list and use only their company's CA, or use a plugin like you mention.

The fingerprint system by comparison doesn't scale. People go on vacation, live in different timezones, have difficulty understanding what's this fingerprint stuff and how to check it... if you try to check fingerprints manually for 500 employees it'll be complete madness and most of those will get fed up, say "screw it" and just click OK on whatever cert comes up. And as a result you'll be much less secure.

Re:What's the big difference?

[Junta]

So tell me again which situation is safer?

If you are the sort to meticulously peruse fingerprints and seek manual confirmation via phone of fingerprint validity, the 'out of the box' behavior of manual key approval that SSH does *might* be 'safer' compared to *default* browser behavior.

If you are the sort to blindly accept the fingerprint on first connection (99.9% of the population), the CA system has better odds of blocking a MITM than your individual efforts. If dealing with servers that frequently change or round-robin shell access, some develop a habit of auto-deleting lines from known_hosts on conflict. Finally, if you are a site operator and *know* you'd scare away the vast majority of your users if you change your private key, the end-users are more likely to be put at risk due to site operator retaining a possibly compromised key (they know it had wrong permissions for a couple of weeks, but don't know for sure someone read it, they may elect to carry on with the dubious key whereas in x509 case they may re-do their cert just in case, as the end-user is not negatively impacted).

The good news is that if you so demanded, extensions/browsers can be implemented to pretend CAs don't exist and render the whole x509==SSH if you really wanted, while the rest of the oblivious world carries on with CAs with a common certificate infrastructure serving both needs.

Re:What's the big difference?

[TheLink]

Alice works at Yoyodyne, Inc. She has to make a business trip to Iran/China/your favourite not very trustable country.
Bob the Yoyodyne sysadmin generates a CA cert, gives it to Alice with a fingerprint.

But Alice still does not get warned when a pwned "Diginotar" or "RandomCA" signs yoyodyne.com for the spooks in Iran/China.

Isn't the whole point of all the "security" is so that Alice gets a warning against MITM attacks when she goes to such "hostile" places? Otherwise what's the point? So that Bob and Alice feel good about it?

It's not a hypothetical attack as the diginotar and comodo cases have shown.

If you delete all other CAs you're in effect making Alice have the "self-signed" cert experience. You're ending up with something that's very like a pure "self-signed" environment (the yoyodyne CA might as well be self-signed). In which case you should now realize that with the current browsers the real-world CA system is not more secure than self-signed ;).

Yes you can use a plugin like I do, but I was talking about the default browser scenario.

Because everyone is going "OH NOES SELF-SIGNED IS INSECURE!" when the truth is there's no real difference in practice.

Except the CA method just makes more people feel good (albeit usually for $$$).

Re:What's the big difference?

[TheLink]

For most people, the CA thingy doesn't save them. Since:
1) When they get MITM'ed they still won't notice because some hacker pwned yet another "Diginotar", or the Gov made a CA sign stuff for them (or because they are ignorant and clickthrough ;) ).
2) Half of them get phished/trojaned anyway ;).

Call me cynical but all this CA stuff just seems to be about money and not about security.

Because the browser bunch could have made their browsers warn users if the CA changes or the server cert changes way too early. But after so many years from the first complaint/bug report (sorry I'm not going to dig the report out) only Google has this year done something about it - certificate pinning (and so far only for their own stuff).

So we have to resort to 3rd party stuff like Certificate Patrol to protect ourselves from the crappy state of things.

Things could actually be better, but it's all about money - the EV bullshit is bullshit (go find the CA with the least rigorous EV validation, and voila). Certs expiring after 1 year cause more problems than they solve.

Re:What's the big difference?

[vadim_t]

If you delete all other CAs you're in effect making Alice have the "self-signed" cert experience. You're ending up with something that's very like a pure "self-signed" environment

Nope. There is a very, very crucial difference: With a CA, Alice delegates security to Bob. Without a CA, manually checking fingerprints, security squarely depends on Alice and requires a number of inconvenient operations to really make it be secure.

Like I said, the CA also allows reducing the importance of timing and scales much better.

And I found that convenience is a very crucial aspect to things like security and backups. If staying secure means you have to reach some guy in another country at 3AM, or if making backups requires a list of magic
incantations to be performed before hand, eventually you'll say "screw it" and ignore the whole thing.

(the yoyodyne CA might as well be self-signed). In which case you should now realize that with the current browsers the real-world CA system is not more secure than self-signed ;).

The CA is self-signed of course, as all CAs are if you look at the certs. The chain has to start somewhere, or you have an "turtles all the way down" sort of problem.

Because everyone is going "OH NOES SELF-SIGNED IS INSECURE!" when the truth is there's no real difference in practice.

There is plenty, you just haven't tried it.

Except the CA method just makes more people feel good (albeit usually for $$$).

What $$$? Bob can generate the CA cert entirely for free, with the tools that come with OpenSSL for instance. It's still a CA based scheme though. For internal usage like Alice's, there's absolutely no need to pay any cert authority, you just run your own.

Re:What's the big difference?

[arglebargle_xiv]

Firefox recognizes many dozens of CAs.

Firefox and IE directly recognise around six hundred and fifty CAs and they in turn have an unknown number of unknown sub-CAs. In other words the browsers happily accept certs signed quite literally by almost anyone and anything.

Re:What's the big difference?

[arglebargle_xiv]

CAs are generally safer because browser vendors require passing an audit to be included.

Diginotar passed multiple audits. Most of the several thousand mostly-unknown CAs (see my previous post) that browsers will accept a cert from have never had to pass any audit. In fact we don't even know who they are.

And like in this case, they will remove the certs for CAs that fail to perform properly.

This case is exceptional because it's the first time a CA has ever been removed for being negligent. Any other time in the past the CAs were regarded as too big to fail. In fact it was only the fact that it had issued an insignificant number of certs (around 700) that allowed it to be removed. They left Comodo in there earlier this year because it was too big to fail.

(Kinda scary how many misconceptions there are around this. As Matt Blaze said a decade ago, "a CA will protect you from anyone whose money it refuses to take", although Diginotar has shown that it won't even do that).

Re:What's the big difference?

[TheLink]

If you delete all the other CAs when Alice goes to gmail, ebay, amazon etc she will get the self signed experience.

If you don't delete the other CAs, it just takes the pwning of one of them to MITM Alice.

So are you really proposing that users delete all CAs except for one CA? Which CA or CAs should they keep? None = self signed.

The CAs and browser makers priorities sure have made things rather crap right? ;)

Re:What's the big difference?

[vadim_t]

If you delete all the other CAs when Alice goes to gmail, ebay, amazon etc she will get the self signed experience.

Which means that she can't really trust any of them, and should just not use them. Since we're talking about a company she'd solve that problem by using her own company's mail server instead of gmail.

If you don't delete the other CAs, it just takes the pwning of one of them to MITM Alice.

Yep, but without them the pwning is pretty much guaranteed if anybody at all is trying. Just how do you plan to verify the security of the gmail.com SSL cert from Iran?

For something like a bank, I guess the bank could give you a fingerprint when you open the account (maybe print it on the credit card), or have it etched on the building or something. But for gmail? Just who are you going to call at Google to ask about what the fingerprint is, and how would you know it's Google who you reached?

So are you really proposing that users delete all CAs except for one CA? Which CA or CAs should they keep? None = self signed.

For the scenario I'm describing, their own company's internal one, which isn't any of those your browser includes.

Re:What's the big difference?

[Junta]

1) If the OS/browser vendor does their job, the window for vulnerability should be at least somewhat limited. It may be slower than a security-aware user would achieve on their own, but it will be faster than most people's reaction on their own.
2) ok, that may be the truth, but there is something to be said for vendors making 'best effort' to help users only suffer when indulging in *extreme* negligence

Browsers are reluctant to warn on CA change because it could be a legitimate change. Sure, changing before expiry is suspicious, but all sorts of business reasons could come into play (including a vindictive CA threatening your cert with removal from OSCP or adding to CRLs). google could do something about it because they are their own CA and they *know* they won't be using anything but themselves.

Things like certificate patrol or web of trust augmentation to existing CA system makes a lot of sense, let the process work as intended, but audit the behavior.

Re:What's the big difference?

[qubezz]

The government needs to look into this "Alice" and "Bob", they seem to be exchanging a lot of secrets!

Re:And Yet

[umghhh]

Not entirely true - just read all the posts - still there seems to be a consensus that an organisation that is charged with ensuring security has certain responsibility and while we know it is impossible to guarantee that such things never happen you could do something at least and the admins in this authority did not do much which means they are at least partially to blame.

Route diversity

[tepples]

Learning fingerprints from email or IM conversations isn't guaranteed to be safe.

Nothing is guaranteed to be safe under this system of things. But typically, e-mail, IM, microblog, and the SSH connection itself will follow different network paths, and a man in the middle is unlikely to have compromised all at the same time. This is the principle of route diversity, the same thing the Perspectives add-on uses to check HTTPS certificates against notaries spread throughout the Internet.

Re:Route diversity

[vadim_t]

That assumes a mostly secure system where an attacker managed to sneak in for a short time.

That assumption doesn't apply in places like Iran, where such shenanigans may well be organized by the government itself and happen at ISP level, for every single internet user in the country. Then all the network paths you have go through the attacker.

Sure, their transparent proxy might not be catching fingerprints in IMs today, but if that gets popular enough you can be sure it eventually will be upgraded to do that.

Re:CAs are dinosaurs

[mfwitten]

It seems to me that by using multiple signatories, you are approaching a distributed model. I think it would be worthwhile to put some thought into a system that would take this to the limit: Allow anyone and everyone to become a source of trust according to the configurations of anyone and everyone else; why should it be the case that other people get to decide for me what what the core of my web of trust looks like? I don't trust Diginotar or any other weirdly named Web 2.0 company; I trust my fanatical, principled, OSS friends.

Re:WTF?

[Randseed]

My comments were wrong. You (and other posters) have a good point. Specifically Ledow, and one random anonymous coward. However, I do disagree with the latter on the idea that people wouldn't have been clicking OK on random certificates: People are sheep, and, well, they DO.

'0wn' is the wrong word usage.

[unity100]

Correct wordage is 'pwn'.

The difference between CACert and DigiNotar

[frehe]

I love this comment from Mozilla's Nelson Bolyard in that thread:

I have no opinion about the worthyness of the particular CA being proposed in this bug. I don't know who it is yet. But my question would be:

Does webtrust "attest" to this CA?

I think that should be one of the criteria. PKI is about TRUST. All root CAs that are trusted for (say) SSL service are trusted EQUALLY for that service. If we let a single CA into mozilla's list of trusted CAs, and they do something that betrays the publics' trust, then there is a VERY REAL RISH that the public will lose ALL FAITH in the "security" (the lock icon) in mozilla and its derivatives.

We don't want that to happen. If that happens, mozilla's PKI becomes nothing more than a joke. If you want to see mozilla's PKI continue to be taken seriously, you will oppose allowing unattested CAs into mozilla's list of trusted root CAs.

Re:The difference between CACert and DigiNotar

[bill_mcgonigle]

That raises an interesting question - now that a CA has faltered, has Mozilla's lock icon lost all respect by the public?

If not, the rationale for excluding CA Cert no longer stands, even accepting the false premise that they'd be less secure than a for-profit CA.

Curious

[Zamphatta]

Does/Did SONY own Diginotar?

Re:Curious

[Legion303]

If Sony had owned them the password wouldn't have been "Pr0d@dm1n". It would have been "4".

Microsoft Revoked DigiNotar

[unencode200x]

I had missed it (removed manually) but it looks like MS is doing the responsible thing: http://www.microsoft.com/technet/security/advisory/2607712.mspx

Another "Rogue CA" story ...

[RockDoctor]

... another half-dozen CAs deleted from my firefox installation (on Work's Windoze machine ; my own Linux box doesn't have a network connection so I've not bothered there. But then it's 2 weeks since I last turned it on either.)

Sky hasn't fallen. Yet. I suspect that I'll be trimming the list of trusted CAs on my own machine very drastically before I next connect it to the web.

not a script kiddy in this case

[rocket+rancher]

The guy who took down diginotar was apparently the same guy who took down Comodo. If so, he's probably working on behalf of Iran's VEVAK. Ars Technica has a post up about it; here's the bit I found interesting:

Among these are [fraudulent] certificates for *.*.com and *.*.org, which would allow someone in possession of the certificates to perform man-in-the-middle attacks for almost any site with a .com or .org domain—a far wider problem than initially assumed. The Tor Project has also discovered some unusual text in one of the certificates. It contains a number of phrases written in Farsi, which translate as "great cracker," "I will crack all encryption," and "I hate/break your head." This alludes to ComodoHacker's statement about the Comodo hack, in which he claimed to be able to break strong encryption. There's also increasing evidence that the certificates were used widely within Iran. Trend Micro's Smart Protection Network collects many kinds of data, including domain name lookups. Over the past few weeks, the number of Iranian systems looking up DigiNotar's validation.diginotar.nl domain was far higher than normal, until it abruptly dropped on August 30th. This activity implies that with large numbers of Iranian machines were performing revocation checks on the bogus DigiNotar certificates during July and August. The abrupt stop in turn implies that traffic to validation.diginotar.nl has now been blocked within Iran. This suggests that the number of man-in-the-middle attacks performed against Iranians was substantial, and that the attacks occurred over many weeks, making secure communication insecure for all those within Iran. After the Comodo hack, ComodoHacker made clear that he was deliberately acting to thwart anti-government dissidents within Iran. In spite of his criticism of the Dutch, the true target remains the Iranian people.

Underfunded IT

[Synerg1y]

Sounds like...

1. no security team presence, probably 1 guy who realized the overwhelming of his situation and just gave up and only shows up to work to collect $. Textbook start of a hacking story.

2. No security audits... what internet based company ever needs those... I've never known a security professional who leaves critical malware/spyware on a machine after they are finished, the malware's stealthy, but NOT that stealthy.

3. Poor corporate leadership... nobody was concerned about it, just raking in the $ and the christmas bonus.

Ladies and gentlemen I present you with every single IT shop that is not government or forture 500 based.

The thing is... IT cost money, usually a lot, there is no visible ROI, IT people are not sales people, and typically don't pitch system enhancements cause they'd rather ask for a raise (basic human nature). If you were the CEO, it's a seemingly easy choice, until your on the news for the wrong reasons and goodbye PR. Still most CEOs skate on air when it comes to securing their sh*t.