Disgraced digital certificate firm DigiNotar has filed for bankruptcy in The Netherlands. Hackers broke into DigiNotar's systems in June before creating forged digital certificates in the names of Google and other high-profile targets. The forged Google.com SSL credentials were used to spy on 300,000 Iranian internet users, …
Fixed it for you
A clueless civil servant for the Dutch government, probably at the behest of an even more clueless politician, initially decided to issue the standard political denial of a problem even existing, said that PKIoverheid site certs issued by DigiNotar were still trustworthy, but then changed its mind after talking to somebody who actually knows something about the subject matter after getting wind of a damning security audit of DigiNotar's systems and ditching the firm.
I went on a visit there in 2004; they were making eGovernment actually work, but when you have the concept of the notary in public life already, making PKI work is a bit of a no-brainer. They were doing digital signing of smart cards containing methadone prescriptions and medical case notes for access only in A&E. The NEC technology they used was very interesting.
So who did Vasco's Due Diligence?
And why did no-one at Vasco spot the problems between January and June? Despite their best efforts to deflect the blame, it hardly reflects well on them either.
already asked that - still haven't heard
<this body is optional....I wish mine was>
Fail -> Massive Fail -> Diginotar.
Yesterday, the site of Diginotar had a new cert from guess who....: Comodo. I almost fell from my chair laughing.
Today, they are redirecting from https to http.
These guys seriously don't get it.
And here is the problem: security based on the sale of trust that is effectively irrevocable.
Have Comodo gone out of business? No, because, as Moxie Marlinspike and others have been pointing out, they are too big to be held accountable by any of the other commercial or regulatory (haha) players in the current internet system of trust. And we, the Joe/Joanne Schmoe users of the net, do not have any means of keeping them honest.
We really do need to invert the trust model and create a distributed system where we are in control of who we trust and there are no monopoly commercial interests milking the system for their own profit. Let's hope that something like Moxie's Convergence project takes hold so we are no longer beholden to unaccountable CA cartels.
Forgive me being stupid, but, DigiNotar just went bust because every browser out there revoked their trust. And Comodo are still in business because apart from the subset signed by DigiNotar there's no evidence that their certificates aren't still trustworthy.
I'm not sure that the sky is falling.
@Ken: No, the sky is not falling...
...but the current trust model means that we are perpetually at risk of a weak link (like DigiNotar or one of the many Comodo resellers - and by the way DigiNotar was a wholly owned subsidiary of Vasco not Comodo, the Comodo hacks were back in the Spring and beyond) being broken at which point many thousands of end users are likely to get burned in some way.
You may be lucky and simply lose a few hundred notes on a TV that you thought you were buying online. Or you may be unlucky and your government decides they don't like the e-mails you've been sending and arrange a blind date between your genitals and Mr Mains-Cable in a cosy cell somewhere.
And no you're not being stupid, those involved in the CA system are as tight-lipped about the risks as the banks are about card fraud: "Nothing to see here, everything is fine, carry on spending" - because it would hurt their profits if they actually dealt with the problems. On the other side the mainstream media seem blind to this issue: maybe because it's a bit technical or perhaps because they're all iPhone users and they've been told by Saint Jobs that they're safe.
But if you trawl around the geek press and places that focus on security it's all there. El Reg's coverage is pretty good, Heise Online (http://www.h-online.com/) is good and Bruce Schneier's blog (http://www.schneier.com/) is excellent. On this particular topic Moxie Marlinspike's presentation on the CA trust model is a must: http://www.youtube.com/watch?v=Z7Wl2FW2TcA
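The "weak link" point made in the reply above can be shown with a small model: under the browser trust model, every CA in the trust store can vouch for every hostname, so one compromised or careless issuer is enough, and the only levers a relying party has are to drop that CA from the store (what the browsers did to DigiNotar) or to pin which issuer is acceptable for a given name. The code below is an added illustration, not anything from this page, from DigiNotar, Comodo or any browser; it models a certificate as a (name, issuer) pair with an HMAC tag standing in for a real signature, so the verifier has to hold the CA secrets (a real PKI verifier holds only public keys), and the CA names, keys and the hostname "example.com" are all constructed.

```python
"""Toy model of the CA trust model: any trusted CA can vouch for any name.

Added example, not code from the page or from any real CA or browser.
An HMAC tag stands in for a certificate signature, so this verifier holds
the CA secrets; a real X.509 verifier would hold only the CA public keys.
"""
import hashlib
import hmac

# Constructed sample CAs: each has a name and a private signing secret.
CA_KEYS = {
    "TrustedCA-A": b"constructed-secret-a",
    "TrustedCA-B": b"constructed-secret-b",  # an unrelated second CA
}


def _tag(issuer, name):
    """Compute the toy 'signature' of `issuer` over `name`."""
    msg = f"{name}|{issuer}".encode()
    return hmac.new(CA_KEYS[issuer], msg, hashlib.sha256).hexdigest()


def issue_cert(issuer, name):
    """The issuer vouches for `name`. Nothing in the model stops any CA
    from signing any name: that is exactly the weak-link property."""
    return {"name": name, "issuer": issuer, "tag": _tag(issuer, name)}


def verify(cert, expected_name, trust_store, pins=None):
    """Browser-style acceptance check.

    Accepts when the name matches, the issuer is in `trust_store` and the
    tag verifies. `pins` (optional, hostname -> issuer) restricts which CA
    may vouch for a name, along the lines of certificate pinning.
    """
    pins = pins or {}
    if cert["name"] != expected_name:
        return False
    issuer = cert["issuer"]
    if issuer not in trust_store:          # CA distrusted or unknown
        return False
    if expected_name in pins and pins[expected_name] != issuer:
        return False                       # wrong CA for a pinned name
    return hmac.compare_digest(cert["tag"], _tag(issuer, cert["name"]))


def weakest_link_demo():
    """Return the outcomes of the four situations discussed in the thread."""
    host = "example.com"                   # constructed hostname
    full_store = {"TrustedCA-A", "TrustedCA-B"}
    legit = issue_cert("TrustedCA-A", host)       # the site's real issuer
    rogue = issue_cert("TrustedCA-B", host)       # another CA signs the same name
    return {
        # the legitimate certificate is accepted
        "legit_accepted": verify(legit, host, full_store),
        # weak link: a cert from ANY trusted CA is accepted for the name
        "rogue_accepted_by_default": verify(rogue, host, full_store),
        # mitigation 1: remove the CA from the trust store
        "rogue_after_distrust": verify(rogue, host, {"TrustedCA-A"}),
        # mitigation 2: pin the expected issuer for this hostname
        "rogue_with_pin": verify(
            rogue, host, full_store, pins={host: "TrustedCA-A"}),
    }


if __name__ == "__main__":
    for case, accepted in weakest_link_demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Running it prints that the rogue certificate is accepted by default and rejected only once its issuer is distrusted or the hostname is pinned; the point of the model is that neither lever exists in the default client configuration, which is what the Convergence-style proposals in the thread are about.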
I view this merely as evolution in the certificate issuing business. Companies whose business is security or security related need to make sure their own house is in order - from this ordeal that much is clear. Those that don't will promptly sink without trace. If it weren't for the global reliance on its devices/solutions then I suspect RSA could have gone the same way. That it didn't is reflective of its domination and the fact that, on the other hand, certificate issuers are two-a-penny.
It's not about getting caught...
"it's not about not getting caught being hacked. On the contrary: it's about doing the right thing once you have been hacked."
Or, y'know, not being hacked?
Tits up? No "Kapot en over de kop!" :-)
Yes, that's Dutch up there but then again this was a Dutch company you know ;-)
Anyway, this shouldn't come as a surprise. Investigation results already leaked here and there and rumors have it that these guys didn't even run a virus scanner on their desktop workstations and that the server software being used was outdated as well.
If that isn't simply asking for it then I don't know what is.
Apparently our government does know since they had full trust in these guys.
You saying they didn't have automatic updates turned on? Naaaah!
We have a new "-tard":
Diginotards :- people who believe that insisting there is no problem makes it so.
This certificate is not ready yet!
Successful targeted hack?
If Comodohacker really is behind this, his 'manifesto' makes for interesting reading:
"I won't talk so many detail for now, just I wanted to let the world know that ANYTHING you do will have consequences, ANYTHING your country did in past, you have to pay for it [...] I was sure if I issue those certificates for myself from a company, company will be closed and will not be able to issue certs anymore [...] Dutch government's 13 million dollars which paid for DigiNotar will have to go DIRECTLY into trash, it's what I can do from KMs away."
And isn't that pretty much what's happened? Simplistic ideological motivations aside, does this represent the first (known) time that a lone hacker has targeted an organisation with a specific consequential goal in mind, and achieved that goal? I certainly can't think of another one.
As for DigiNotar, if the lack of security and the thing about the 'pr0d@dm1n' password is true they didn't deserve to be operating in the position of trust that they were.