Certificate Authority Breached; Sites Suffer

Thursday, September 1, 2011 @ 03:09 PM gHale

A Dutch Certificate Authority (CA) suffered a hack attack and web sites now face security breaches.

DigiNotar issues SSL (Secure Sockets Layer) and EV SSL (Extended Validation) certificates, which Web browsers validate to ensure people are not visiting a fake website that is trying to appear legitimate.


DigiNotar sells these digital certificates to legitimate website owners. But DigiNotar issued a digital certificate for the google.com domain, a mistake that could allow a skilled attacker to intercept someone’s email.

Google said the fraudulent certificate targeted users in Iran, although a security feature in its Chrome browser detected the certificate, tipping off users with a warning.

DigiNotar, a subsidiary of a security company called Vasco Data Security International, issued a statement saying that during an audit on July 19 it discovered that the infrastructure it uses to issue certificates had been breached.

Attackers created fraudulent certificates for “several dozen” websites, but most were revoked after their discovery, said Jochem Binst, corporate communications director for Vasco. The company at first reported several dozen; the number could now exceed 500.

But the digital certificate for google.com — issued July 10 — only went live Sunday, Binst said. In its statement, Vasco said the Dutch Computer Emergency Response Team notified them the certificate was still live. They finally revoked it Monday this week, Binst said.

Officials still don’t know how attackers breached DigiNotar’s certificate-issuing infrastructure or how long they had access, but an audit is under way.

“We are in the course of doing an extra audit and those findings will probably be known by the end of the week,” Binst said.

DigiNotar is halting sales of digital certificates as it investigates, Binst said. DigiNotar primarily sells its digital certificates to businesses in the Netherlands.

Those businesses will have a hard time over the next few days. Google, Mozilla and Microsoft have revoked or are in the process of revoking DigiNotar’s authority to vouch for its certificates. That means people who go to websites using those certificates will likely see a warning saying the website is untrusted and they should not access it.

Binst said DigiNotar is contacting its customers. One option to fix the problem is to have those websites switch over to certificates issued by the Dutch government, although he could not say which agency would issue those replacement certificates. Another option, Binst said, is to approach the browser makers and ask for technical changes so that they honor its certificates.

Binst could not say how many customers DigiNotar has for its digital certificates, but Vasco said in its statement that the subsidiary’s revenue from issuing digital certificates was less than $144,000 for the first six months this year.
