Hackers’ SSL Haul Larger than Reported

Friday, September 2, 2011 @ 12:09 PM gHale


At first it didn’t seem like a big haul, as DigiNotar said several dozen digital certificates were lost at the hands of hackers. After a first look at the incident, it appeared the digital thieves had made off with well over 200 certificates. Now it appears the number is over 500.

“About 200 certificates were generated by the attackers,” said Hans Van de Looy, principal security consultant and founder of Madison Gurkha, a Dutch security company, after first looking at the incident.


Among the certificates acquired by the attackers in a mid-July hack of the Dutch company DigiNotar were ones valid for mozilla.com, yahoo.com and torproject.org.

Tor is a system that lets people connect to the Web anonymously, and sees use in countries where governments monitor their citizens’ online activities.

Mozilla confirmed attackers got hold of a certificate for its add-on site.

“DigiNotar informed us that they issued fraudulent certs for addons.mozilla.org in July, and revoked them within a few days of issue,” said Johnathan Nightingale, director of Firefox development, in a statement today.

Van de Looy’s number is similar to the tally of certificates that Google has blacklisted in Chrome.

An entry in the Chromium bug-tracking database lists 247 certificates the project blacklisted. Chromium is the open-source project that feeds code to the Chrome browser and Chrome OS.

“Were these all issued by DigiNotar? It is difficult to tell,” said Chet Wisniewski, a security researcher with U.K.-based Sophos, in a blog post. “However, considering only 10 were blocked previously, this is a strong indication that these additional blacklisted certificates were most likely part of this incident.”

DigiNotar, purchased by U.S.-based Vasco earlier this year, discovered the network breach July 19, and has confirmed intruders issued themselves valid certificates for a number of domains.

The company said it revoked all the fraudulent certificates, but then realized it overlooked one that could impersonate any Google service, including Gmail. DigiNotar admitted the mistake after users reported their findings to Google last week.


