A wildcard SSL certificate for Google, issued by Dutch Certificate Authority (CA) DigiNotar after the company was breached, has sparked concerns and raised several questions in the aftermath. The company has now suspended SSL and EVSSL sales, while Google, Mozilla, and Microsoft scramble to protect users.
According to a statement from DigiNotar, recently purchased by Vasco, a vendor dealing with strong authentication, several dozen other websites were affected by the July security breach that spawned the rogue Google certificate.
“Once it detected the intrusion, DigiNotar has acted in accordance with all relevant rules and procedures. At that time, an external security audit concluded that all fraudulently issued certificates were revoked. Recently, it was discovered that at least one fraudulent certificate had not been revoked at the time,” a statement from the CA said.
“The company will take every possible precaution to secure its SSL and EVSSL certificate offering, including temporarily suspending the sale of its SSL and EVSSL certificate offerings. The company will only restart its SSL and EVSSL certificate activities after thorough additional security audits by third party organizations.”
Many security experts quickly noted that the first audit failed to catch the Google certificate, leading them to ask what other domains were missed. The rogue Google cert was only flagged because Google's own browser uses an additional layer of protection that the other popular browsers lack; Mozilla and Microsoft have therefore released fixes that block the cert from being used by removing the compromised CA from their lists of trusted root authorities.
“DigiNotar is a Dutch company which was acquired by Vasco earlier this year. Vasco - which amongst other things delivers services similar to RSA's SecurID - is a very big player on the financial market. Meanwhile DigiNotar is especially strong with governments. So the number one question racing through my mind is: How big is the compromise at DigiNotar? Does this transcend the certificate generation process? Could Vasco itself be impacted?” asked Roel Schouwenberg from Kaspersky.
“It's absolutely critical we become aware of the implications of this attack as quickly as possible. We don't need a repeat of how the RSA breach was underplayed. That helped no one.”
In addition, DigiNotar has never explained why no one was warned immediately after the breach in July. Even though the initial audit showed nothing further, a prompt warning would have made administrators and users aware of the risk.
“A spokesman for DigiNotar told The Register that it would ‘be difficult’ for him to respond to questions about the security breach and the resulting effects it has on end users. This only seems to reinforce the notion that CAs see themselves as too big to fail and aren't accountable to end users,” wrote The Register’s Dan Goodin.
Another questionable public detail is an article published by DigiNotar, translated from Dutch, which claims that 99.99% of the browser warnings concerning its certificates that appeared after the rogue Google cert was discovered can be ignored.
“This is terrible advice. While it will be difficult for DigiNotar customers to replace their certificates with new ones, this is the only solution,” explained Sophos’ Chester Wisniewski.
“If DigiNotar published the list of domains their certificate fraudulently signed this would be easier. The existing certificate system may not be ideal, but certificate warnings should not be ignored.”
To make matters worse, F-Secure has discovered evidence suggesting that DigiNotar was compromised years ago, and twice.