Dutch CA banished for life from Chrome, Firefox

The network breach in July that forged a near-perfect replica of a Google.com credential minted more than 200 other SSL certificates for more than 20 different domains, a top manager for Mozilla's Firefox browser said. In stern rebuke of substandard practices at Netherlands-based certificate authority DigiNotar, Director of …

COMMENTS

This topic is closed for new posts.
  1. Herby

    Major fail here!

    Which warrants the "death penalty" imposed. Fortunately no lives were (reported) lost in this transgression.

    1. Mike007 Bronze badge

      reported?

      I very much doubt they would issue a press release after "disappearing" the evil low life scum who dared to commit the ultimate sin of disagreeing with their government.

  2. Anonymous Coward
    Thumb Down

    No lives lost...

    But I find it hard to believe the Iranian authorities did this for the benefit of their citizens...

  3. Anonymous Coward

    Maybe worth noting:

    The PKIOverheid ("govt PKI") consists of a root CA cert and some six or seven organisations with subcerts signed by that. The two diginotar subcerts are what got rescinded. Though I haven't been able to find a relevant CRL with them listed in it (yet? it's Saturday).

    Beyond diginotar putting their foot in by staying mum, note that updating to the latest and greatest browser with the latest certificate collection /and hardcoded blacklist/ is actually deemed more practical than using the mechanisms designed for revoking certificates.

    It's also worth noting that plenty of govt organisations acted completely cluelessly in the wake of this. Such as claiming they couldn't do squat about it (get a certificate from someone else to secure your website, stat), or putting out an answerphone recording explaining to "just click through" the warnings to make them go away.

    It took apparently an entire evening and a sack of experts to explain to the minister what the problem was and to decide to do anything about it. Actually doing anything... well, diginotar is a governmental contractor, perhaps that's an indication.

    1. Havin_it
      Joke

      Thanks for explaining PKIOverheid

      Cause ah wiz pure wunnerin' why aw thir PKI wiz overheid, ken. Did they put it aw in a tree or summin?

  4. Anonymous Dutch Coward
    Megaphone

    Press conference

    Press conference:

    http://www.dumpert.nl/mediabase/1691651/f0bb030b/persconferentie_donner_over_hack_overheidssites.html

    Some quick notes on what the minister said, hope it's a good representation of the original:

    Items:

    - Diginotar has own-branded and* PKIOverheid certs.

    - Diginotar was attacked.

    - Friday results of investigation by Fox IT security company: PKIOverheid certs managed by Diginotar may be compromised

    - Government does not trust Diginotar certs anymore

    - Government will switch to other PKI cert supplier

    - Phased transition of operational management of all Diginotar [PKI Overheid] certs

    - Diginotar will cooperate

    - monitor improper/fraudulent use during transition phase

    - security experts will help in transition

    Results: transition without big interruptions of data traffic

    Q&A:

    Will compromised sites be kept up?

    Yes, although this will lead to certificate warning in browser. User should not use site.

    How many sites?

    We're tracking that down. It involves hundreds of sites.

    Why aren't sites taken down?

    They're also used for automated traffic, so we're not taking them down. Therefore we're taking over Diginotar [PKI overheid cert] operational management.

    Isn't automated process unsafe then?

    We immediately see improper use because we're taking over operational management

    You're taking over operational management [at Diginotar]. Will this mean a government team will step in, and take over control?

    Yes, management/responsibility will be taken over by government. This will ensure any improper use will be immediately detected.

    What do you think of this?

    These are risks with new technology. It's a break-in, an interruption of reliable traffic.

    Does Fox IT research show the Iranian government was behind this?

    They can't investigate that. Report only shows hacking has taken place, and certs have been stolen. We don't know extent of this.

    We cannot see where the certs were used. By taking over management, we will be able to see this.

    Investigation of who did this hack is the next step.

    PKIOverheid may be compromised. How many government certs/sites are involved?

    Diginotar is requested to give list of all government customers. Government initial investigation indicated a lot of sites involved e.g. revenue services, motor vehicle department are involved.

    Who will be hit, how long?

    Don't know, will take a couple of days. E.g. motor vehicle department site has already taken steps to switch certs and be usable again

    =====================================================

    * some PKIOverheid certs are managed by DigiNotar, not all as there are other suppliers as well

    =====================================================

    How will they "monitor" improper use? When people start complaining their personal data has been stolen?

    The story that government can track down improper use of certs by taking over Diginotar management seems ridiculous, but Donner may be a bigger PKI/SSL expert than I am...

  5. Version 1.0 Silver badge
    Devil

    There needs to be accountability

    Yes - shut them down. Too often corporate entities like this are allowed to say "sorry" and carry on or get bought out / sold to another company with no real consequences other than the management being forced to retire with multimillion dollar pensions. Oh the pain, the pain.

    But let's face it CA security is only as good as the weakest link - and these days that link is made of Plasticine.

  6. Anonymous Coward
    FAIL

    Our (Dutch) government are idiots IMO

    Plain and simple..

    When the government looks for companies to get the job done they don't look for quality, they look at price. Which is where I believe DigiNotar came into the picture. And if you can provide the government you can send huge bills which, after a few years (they're not that quick) will be hopefully paid.

    It becomes peculiar when we see other branches of the government who rely on Verisign for their certificates. Just check the Dutch employment site: https://www.werk.nl/ ("werk" means "work").

    So like why does a "branch" get "topnotch" security and the main government websites rely on some shady provider? Well, that's the Dutch government for you!

    Oh; and if you want a nice example of why I think there is a lot of incompetence running around just try going to: https://werk.nl/ No; that error is not raised due to problematic certificates, only due to some poor excuse for a webmaster (IMO of course) who apparently has never heard of redirects and such.

    1. Anonymous Dutch Coward
      Pint

      Re: Dutch government idiots

      I agree.

      They could have actually... you know... written up sensible requirements, and only THEN gone for the lowest bidder. Then sue them if they didn't deliver according to reqs.

      I even suspect it doesn't matter if it's cheap or expensive - the government won't get the things they need because they didn't specify them well. Sure, if the supplier makes a bundle he'll be more likely to toss in a few freebies not specified in the specs, as they're paying through the nose already...

      Ah well, time to get a drink, my cynicism meter seems to be in the red again...

  7. Anonymous Coward
    Thumb Up

    Death to all CAs that do not protect the chain of trust

    PKI is the highest assurance role you can have in the world of government and e-commerce. So many of these CAs are so lazy and lax on their security and seriousness and fallen into disrepair and greedy business bastards that they need to be IMMEDIATELY EXTERMINATED from the PKI world and hence greater world on their first and final stuff up. Otherwise the Chain of Trust and high Assurance is completely and irrevocably broken.

  8. Wintermute
    Go

    Tempest in a Teapot; move along people, there's nothing to see here.

    The real story here is that Public Key Infrastructure (PKI) works: DigiNotar cannot be trusted and so those who maintain the mainstream browsers have removed it from the lists of trusted root certificates.

    If there is any lesson to be learned here it would be to create a well-defined, repeatable revocation process for everyone to follow so that future cases can be handled with speed and ease, both of which are necessary for a breach like this.

    1. Gordon 10

      Fubar'd more like.

      Diginotar was compromised for weeks and there was no easy way to determine this externally before any damage had been done.

      That's a ludicrous definition of "works" in my book.

      Any system of trust where a commercial company is relied on to do the right thing even if this causes damage to their bottom line is fundamentally flawed and needs fixing.

      For a similar example see RSA.

    2. Anonymous Coward

      actually, it doesn't

      There is one, but it isn't fully implemented. If it was, DigiNotar would have been able to revoke the forged certificates and all browsers would have stopped trusting them. Unfortunately, browsers don't check certificate chains and revocation status by default (at least not all browsers), so just because a CA revokes a certificate doesn't mean that a browser will stop trusting it.

      Also, since the changes are being made to the browser, via an updated version, quite a large percent of users will not get this protection since they don't update anyway.

      The sledge-hammer solution is to force CRL checking to be enabled and prevent users from bypassing it. Unfortunately, doing this will break every product that comes with self-signed certificates that requires SSL.

      Most companies don't run their own internal CA or don't want to pay for certificates for racks of internal servers (or a single wildcard cert).

      I'm not sure what the best solution is. In my case, I run my own internal CAs, and have distributed those CA certs to all of my machines and browsers, so if CRL checking is forced, I'll be fine.

  9. DrXym

    CAs are such a racket

    If I want to encrypt my website, I either have to pay (in time or money) for a CA to issue a cert to me, good for 1 year. Or I use a self signed cert which throws a bunch of scary warnings at users.

    I believe that sites should be able to expose a PGP public key or a PGP signed SSL cert and that secure encryption would proceed with that. The browser wouldn't show a bunch of scary warnings but it would encourage users to inspect the web of trust to ensure if they trust the site.

    PGP signing wouldn't be suitable for large organisations but it sure would for individuals, intranets and small orgs. It would free a lot of sites up from having to fork out for a cert whose only purpose is to suppress some scary dialogs and which doesn't bestow the site with any measure of trust beyond that.

  10. Jake Rialto 1
    FAIL

    Third Party Security Assessment anyone??

    They could have used this

    https://www.securityforum.org/userfiles/public/ISFMarketingBrochureTandM.pdf

    Not just a flowery Q&A sheet where you get to put comments. There is a requirement to VALIDATE what the third party states.....because everything looks good on paper and vapourware PDFs....

    Third Party Security Assessment Tool (TPSAT)

    This tool enables information security assessments of third party relationships. The tool assesses the strength of third party security arrangements using questionnaires on business impact assessment; contractual provisions covering information security; third party information security arrangements; third party information security controls; and exit and termination arrangements.
