DigiNotar’s SSL certificate leak seems to be worse than first thought and trust once broken may never be mended, says Eric Doyle
What can you trust if you can’t trust your Secure Sockets Layer (SSL) certificates vendor?
It appears that certificates “issued” by Dutch company DigiNotar extend well beyond the fake Google certificate that was reported recently. Certificates issued in the names of the CIA, MI6, Google, Facebook, Twitter, Microsoft, Skype, Mozilla, Yahoo, Tor, WordPress, Mossad, AOL and LogMeIn can no longer be trusted, and DigiNotar has been removed from many of the browser makers’ lists of trusted authorities.
What is even more worrying is that root certificates were issued with *.*.com and *.*.org designations. There seems to be some confusion over whether these “double wildcard” certificates are valid, but if they are then no DigiNotar-protected .com or .org site could be trusted.
Remedial action under way
Microsoft, Google and Mozilla have already begun invalidating all DigiNotar certificates through their Web browsers but Apple is lagging behind – although this is difficult to ascertain as Apple tends to be relatively secretive about what happens in Safari. There is a workaround for anyone worried about this at the PS Enable Website.
SSL certificates are the only proof that you are talking to a bona fide entity on the Internet. If you connect to a Web site and HTTPS appears in the URL, the theory goes, you are securely connected to the real banking, shopping or registration site and all is well. The browser often shows a tiny closed padlock so you are doubly sure that nobody else can eavesdrop on the information.
That has been the theory, but the practice is becoming less and less trustworthy. The number of certificates stolen is said to be 531. This may include intermediate signing certificates, which allow authority to be delegated to intermediaries to sign and validate certificates on DigiNotar’s behalf. Attackers reportedly signed 186 certificates that could have been intermediates passed off as well-known certificate authorities such as Thawte, Verisign, Comodo and Equifax.
DigiNotar is the latest SSL Certification Authority (CA) to find itself a target of hackers and the loser of precious certificates. The hack came to light when an Iranian user of Google Gmail posted about a certificate warning that had popped up in Google’s Chrome Web browser. This mentioned a “revoked certificate” for SSL-based Google services.
This led to the revelation that the breach had allowed a *.google.com certificate to be issued. The wildcard asterisk stands for any host name under google.com, and these fake certificates have been around for at least a month.
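To make the wildcard discussion concrete (both the *.google.com certificate above and the “double wildcard” *.*.com and *.*.org names mentioned earlier), here is an added example, not code from the article or from any browser, of the host-name matching rule that browsers apply when checking a certificate name. It implements the RFC 6125 interpretation most browsers use: a wildcard is honoured only as the entire leftmost label, it matches exactly one label, and it must leave at least two literal labels to its right. The host names and the sample certificate name list are constructed for illustration.

```python
"""Certificate name matching as browsers apply it (RFC 6125 section 6.4.3,
tightened in the way browser vendors do). Added example; sample names below
are constructed and do not come from any real certificate."""


def matches_name(pattern: str, hostname: str) -> bool:
    """Return True if certificate name `pattern` covers `hostname`.

    Rules:
      * DNS labels compare case-insensitively; a trailing dot is ignored;
      * a wildcard is honoured only as the whole leftmost label;
      * that one wildcard matches exactly one label, never zero or several;
      * at least two literal labels must follow the wildcard, so "*.com"
        and "*.*.com" never cover an entire top-level domain.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only the leftmost label may be a wildcard, and it must be the whole label.
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    # Refuse wildcards that would cover a whole TLD, e.g. "*.com".
    if len(p_labels) < 3:
        return False
    # The single wildcard matches exactly one label, so label counts must agree.
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def is_acceptable_name(name: str) -> bool:
    """True if `name` is a literal host name or a wildcard form a browser
    would honour; False for over-broad forms such as "*.*.com" or "*.com"."""
    labels = name.lower().rstrip(".").split(".")
    if "*" not in name:
        return True
    return labels[0] == "*" and len(labels) >= 3 and "*" not in name[2:]


def audit_names(names):
    """Split a certificate's subject names into those a browser would honour
    and those it would reject outright."""
    accepted = [n for n in names if is_acceptable_name(n)]
    rejected = [n for n in names if not is_acceptable_name(n)]
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample: the kinds of names discussed in the article.
    sample_names = ["*.google.com", "*.*.com", "*.*.org", "login.example.net"]
    ok, bad = audit_names(sample_names)
    print("honoured by browsers :", ok)
    print("rejected by browsers :", bad)
    for host in ["mail.google.com", "google.com", "a.mail.google.com"]:
        print(f"*.google.com covers {host:20s} -> {matches_name('*.google.com', host)}")
```

The point a defender should take from this is that a leaked *.google.com certificate is enough to impersonate any single-label host under google.com, while the double-wildcard names are rejected by browsers that follow these rules, which is why their practical impact depended on how each client implemented matching at the time.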
A month of activity
The fake certificate was issued on 10 July. DigiNotar claims to have discovered this on 19 July. The Iranian Gmail post appeared on 28 August and Vasco Data Security International, owners of DigiNotar, issued a press release on 30 August.
The Vasco release does not give details of the incident but tries to minimise the damage by saying: “The attack was targeted solely at DigiNotar’s Certificate Authority infrastructure for issuing SSL and EVSSL [extended validation SSL] certificates. No other certificate types were issued or compromised. DigiNotar stresses the fact that the vast majority of its business, including its Dutch government business (PKIOverheid), was completely unaffected by the attack.”
That this attack should succeed in the Netherlands is surprising because the Dutch government exercises some of the most stringent controls over its CAs.
DigiNotar would have been obliged to undergo regular third-party audits and, as a provider of certificate services under PKIOverheid, the PKI for certificates used in official government business, it was subject to even stricter rules. Some of the European Telecommunications Standards Institute (ETSI) recommendations are made mandatory for PKIOverheid clearance.
As an accredited provider in the EU, DigiNotar provides certificates and approved secure signature creation devices (SSCDs) to produce digital signatures that are automatically accepted as legally-recognised digital signatures – the digital equivalent of a manual signature.
How far and how deep this scandal will affect the company is only beginning to show. Despite the company release signing off with a cheery comment about Vasco not believing that “the DigiNotar security incident will have a significant impact on the company’s future revenue or business plans”, it may still mean the end of DigiNotar.
A fatal error?
Such a widespread block by the browser makers will make sites switch to other CAs for certification but Vasco reckons this accounted for less than €100,000 of its income during the first six months of this year.
Calum MacLeod, director of Venafi, an enterprise key and certificate management (EKCM) company, pointed out that government help-lines in The Netherlands have been advising people to avoid using online services until further notice.
This shows how far trust has been eroded and, if the company loses its PKIOverheid status, it will not only bring DigiNotar down but could also seriously damage Vasco itself. At the very least, it could nullify the company’s $12.9 million spend on purchasing the subsidiary last January. At worst, it could tarnish its DigiPass PKI offering and bring down the whole company.
Vasco is fighting to prove it is telling the truth about this side of the business being unaffected, but the question is how long that will take.
If it takes too long, the Dutch government will be forced to look elsewhere to unfreeze its online services.
The recent compromise of another CA, Comodo, shows that these trust vendors are not invulnerable. Perhaps it is time for governments and local authorities generally to assess their online plans and prepare for being hit by a similar disaster.