Hackers may have obtained more than 200 digital certificates from a Dutch company after breaking into its network, including ones for Mozilla, Yahoo and the Tor project, a security researcher reported today.
The count is considerably higher than DigiNotar has acknowledged. Earlier this week, a company spokesman said that "several dozen" certificates had been acquired by the attackers.
"About 200 certificates were generated by the attackers," said Hans Van de Looy, principal security consultant and founder of Madison Gurka, a Dutch security company, citing a source he said wished to remain confidential.
Among the certificates acquired by the attackers in a mid-July hack of DigiNotar, Van de Looy's source said, were ones valid for mozilla.com, yahoo.com and torproject.org.
Tor is a system that lets people connect to the Web anonymously, and is often used in countries where governments monitor their citizens' online activities.
Mozilla confirmed that a certificate for its add-on site had been obtained by the DigiNotar attackers. "DigiNotar informed us that they issued fraudulent certs for addons.mozilla.org in July, and revoked them within a few days of issue," said Johnathan Nightingale, director of Firefox development, in a statement today.
Looy's number is similar to the tally of certificates that Google has blacklisted in Chrome.
An entry in the Chromium bug-tracking database lists 247 certificates that the project blacklisted yesterday. Chromium is the open-source project that feeds code to the Chrome browser and Chrome OS.
"Were these all issued by DigiNotar? It is difficult to tell," said Chet Wisniewski, a security researcher with U.K.-based Sophos, in a blog post Tuesday. "However, considering only 10 were blocked previously, this is a strong indication that these additional blacklisted certificates were most likely part of this incident."
DigiNotar, a Dutch firm that was acquired by U.S.-based Vasco earlier this year, discovered the network breach on July 19, and has confirmed intruders issued themselves valid certificates for a number of domains.
The company claimed that it had revoked all the fraudulent certificates, but then realized it had overlooked one that could be used to impersonate any Google service, including Gmail. DigiNotar went public with its mea culpa only after users reported their findings to Google last week.
Security researchers now wonder what else DigiNotar hasn't told users.
"They say they found all but the [certificate for] google.com," said Wisniewski in an interview Tuesday. "But what other sites were we at risk from visiting earlier? Were those other certificates for Microsoft or Yahoo or PayPal? How come they're not saying?"
Wisniewski was concerned because of the timeline that DigiNotar laid out.
DigiNotar essentially admitted that it was unaware of the hack for over a week: The Google certificate was issued July 10, according to information posted to Pastebin.com last Saturday, nine days before DigiNotar said it became aware of the attack.
"For nine days they didn't know about it," said Wisniewski. "Then how long did it take them to revoke those they knew about?"
Wisniewski said DigiNotar had revoked multiple certificates on July 19, July 26 and Aug. 16, all dates that were prior to the Dutch firm acknowledging the attack.
"We should be very concerned about this. When this kind of thing happens, the sweeping under the rug is almost an abuse of the entire system of trust," said Wisniewski, referring to the SSL (secure socket layer) certificate model.
Roel Schouwenberg, a senior malware researcher at Moscow-based Kaspersky Lab, also took DigiNotar to the woodshed.
"According to DigiNotar, they're not able to track which rogue certificates were generated," said Schouwenberg in a Wednesday blog. "So more of these rogue certificates may be out there. How is this possible? Either DigiNotar performs no logging of the certificates they create or their logs got cleaned out during the attack."