Hackers may have stolen over 200 SSL certificates

Sources say DigiNotar breach generated fraudulent certs for Mozilla, Yahoo and Tor, not just Google

Page 2 of 2

Like Wisniewski, Schouwenberg also criticized DigiNotar's response. "It seems that DigiNotar has not realized certificate authorities need to sell trust above anything else," Schouwenberg said.

Schouwenberg repeated his earlier assertion that the DigiNotar hack was most likely the work of a government, either directly or through proxies it hired or supported.

"Assuming these domains [Mozilla's, Yahoo's and the Tor Project's] were indeed targeted, the most plausible explanation is that a specific government is behind this attack," Schouwenberg argued.

In that scenario, a government -- perhaps Iran's -- would use the bogus certificates to deceive users into thinking they were at a legitimate site when in fact their communications were being secretly intercepted.

On Monday, Google pointed a finger at Iran, saying that attacks using the ill-gotten google.com certificate had primarily targeted Iranian users.

Some browser makers have reacted quickly to block the use of all DigiNotar certificates.

Late Tuesday, Mozilla shipped updates for Firefox 6 and Firefox 3.6 that added DigiNotar's root certificate to those browsers' blacklists. Google has updated Chrome 13 and Chrome 14 -- the latter currently in beta testing -- to do the same.

Meanwhile, Microsoft has nuked all DigiNotar certificates by adding the Dutch company's root to its list of banned certificates in Windows Vista, Windows 7, Server 2008 and Server 2008 R2.

Users running Windows XP or Server 2003, however, remain at risk: Microsoft said it would address those editions with a "future update" but did not set a timetable.

"There is a whole list of fail here," said Wisniewski about the hack and DigiNotar's response. "A [certificate authority's] obligation is to step up and disclose problems like this, or trust just goes out the window."

Van de Looy hoped that DigiNotar would eventually come clean.

"Currently, investigators of [the] renowned company Fox-IT are investigating the servers of DigiNotar and their report will hopefully reveal additional information on the how, when and what of this significant event," said Van de Looy.

DigiNotar has retained Fox-IT, a Dutch digital forensics firm, to audit its systems and investigate the July hack.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@ix.netcom.com.

Copyright © 2011 IDG Communications, Inc.
