DigiNotar
DigiNotar is a Dutch certificate authority owned by VASCO Data Security International. DigiNotar was founded in 1997 in Beverwijk as an initiative of the KNB (Royal Notarial Association) and notary Dick Batenburg, to act as a trusted third party (TTP) for the notaries. It was acquired by VASCO in January 2011.[1]
In a VASCO press release dated June 20, 2011, VASCO's president and COO Jan Valcke is quoted as stating "We believe that DigiNotar's certificates are among the most reliable in the field."[2]
Issuance of fraudulent certificates
On July 10, 2011, DigiNotar issued a certificate for Google to unknown persons in Iran; it was later used for a man-in-the-middle attack against Gmail.[3][4] On August 28, 2011, the fraudulent certificate was found in use on multiple Internet service providers in Iran,[5] and it was posted on Pastebin.[6] According to a news release by VASCO, DigiNotar had detected an intrusion into its certificate authority infrastructure on July 19, 2011,[7] but it did not publicly disclose the breach at the time.
While it was initially thought that only a fraudulent *.google.com certificate had been issued,[8] DigiNotar belatedly admitted that dozens of fraudulent certificates had been created, including certificates for domains of Yahoo!, Mozilla, WordPress and The Tor Project.[9] DigiNotar could not guarantee that all of them had been revoked,[10] so a client relying on the CA's own revocation data could not be sure of rejecting every rogue certificate. Google instead blacklisted 247 certificates in Chromium.[11] Investigation by F-Secure found that DigiNotar's website had been defaced by Turkish and Iranian hackers as early as 2009.[12]
In reaction, Microsoft removed the DigiNotar root certificate from the list of trusted certificates on all supported releases of Microsoft Windows to protect its users.[13] Likewise, Mozilla released new versions of its Firefox browser revoking trust in the DigiNotar root certificate.[8] Google Chrome had already detected the fraudulent certificate, because it pins the public keys allowed to certify Google's own domains, but Google still removed DigiNotar from its list of trusted certificate issuers.[3] Opera always checks the certificate revocation list of a certificate's issuer and therefore did not need a security update,[14][15] although that check only catches certificates the CA has actually revoked. Safari and Mac OS X do not treat the certificate as revoked; users must delete the DigiNotar certificates with the Keychain Access utility and then restart Safari.[16]
A DigiNotar-controlled intermediate CA, operationally separate from the one where the initial breach was detected, issued certificates under the Dutch government's public key infrastructure program "PKIoverheid", chaining up to the official Dutch government root ("Staat der Nederlanden"). This covered the identity management platform DigiD, which is used by services and websites of government agencies including the Tax and Customs Administration.[17] Once trust in DigiNotar's certificate had been revoked, the chain of trust for these certificates was broken and the services became difficult to access.[18] GovCert, the Dutch computer emergency response team, initially did not believe the PKIoverheid certificates had been compromised,[19] although security specialists were uncertain.[10][20] Because these certificates were initially thought to be unaffected by the breach, they were, at the request of the Dutch authorities, exempted from the removal of trust,[21][17] though the active "Staat der Nederlanden" root certificate was overlooked by the Mozilla engineers and accidentally distrusted in the Firefox build.[22] That assessment was rescinded after an audit commissioned by the Dutch government, and the "Staat der Nederlanden" certificates issued by DigiNotar were revoked as well.[17] The remaining PKIoverheid certificates issued by DigiNotar were blacklisted by Mozilla in the next security update.[23] On September 3, 2011, the Dutch government announced that it would switch to a different firm as certificate authority.[24]
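The browser responses above (trust-store removal, CRL checking, hard blacklisting) and the collateral damage to PKIoverheid all come down to how an X.509 chain is validated. The following shell script is an added example, not code from DigiNotar, any browser vendor or the Dutch government: it builds a throw-away three-tier PKI with the openssl command line and replays those situations. A rogue leaf validates as long as its root is trusted; CRL checking rejects only the certificate the CA actually put on its CRL; dropping the root from the trust store also breaks an untainted sibling CA, until that CA is re-issued under a replacement root. All names (Toy Root CA, the example.test hostnames, serial numbers) are made up, and the script assumes OpenSSL 1.1.0 or later.

```shell
#!/bin/sh
# Added example (not DigiNotar's, a browser vendor's or the Dutch government's
# code). A throw-away three-tier PKI built with the openssl CLI that replays:
#   1. a normal chain validating against a trust store,
#   2. CRL-based revocation of one rogue leaf (the check Opera relied on),
#   3. distrusting the root outright, which also breaks every chain under an
#      uncompromised sibling CA, until that CA is re-issued under a new root.
# All names (Toy Root CA, *.example.test) are made up for the demo.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Minimal configs, so nothing depends on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > ca.ext

# issue NAME SUBJECT ISSUER EXTFILE SERIAL   (ISSUER=self gives a self-signed root)
issue() {
    openssl ecparam -genkey -name prime256v1 -noout -out "$1.key"
    openssl req -new -config req.cnf -key "$1.key" -subj "$2" -out "$1.csr"
    if [ "$3" = self ]; then
        openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 \
            -extfile "$4" -out "$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -set_serial "$5" \
            -days 30 -extfile "$4" -out "$1.pem" 2>/dev/null
    fi
}

# leaf NAME HOSTNAME ISSUER SERIAL: a TLS server certificate for HOSTNAME
leaf() {
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$2" > "$1.ext"
    issue "$1" "/CN=$2" "$3" "$1.ext" "$4"
}

# verify_chain LEAF INTERMEDIATE TRUSTSTORE [extra 'openssl verify' options]
# Exit status 0 only if LEAF chains through INTERMEDIATE to a root in TRUSTSTORE.
verify_chain() {
    l=$1; i=$2; t=$3; shift 3
    openssl verify -no-CApath "$@" -CAfile "$t" -untrusted "$i.pem" "$l.pem" >/dev/null 2>&1
}

# revoke CA CERT: put CERT on CA's CRL, written to CA.crl. 'openssl ca' needs a
# database and a CRL-number file, so a minimal config is generated on the fly.
revoke() {
    printf '[ca]\ndefault_ca = toy\n[toy]\ndatabase = %s.idx\ncrlnumber = %s.crlnum\n' "$1" "$1" > "$1.ca.cnf"
    printf 'default_md = sha256\ndefault_crl_days = 7\n' >> "$1.ca.cnf"
    touch "$1.idx"; [ -f "$1.crlnum" ] || echo 01 > "$1.crlnum"
    openssl ca -config "$1.ca.cnf" -keyfile "$1.key" -cert "$1.pem" -revoke "$2.pem" >/dev/null 2>&1
    openssl ca -config "$1.ca.cnf" -keyfile "$1.key" -cert "$1.pem" -gencrl -out "$1.crl" >/dev/null 2>&1
}

show() { if verify_chain "$@"; then echo "  OK   $1"; else echo "  FAIL $1"; fi; }

# One root; a compromised intermediate with two rogue leaves; an honest sibling
# intermediate with a legitimate government-style leaf; and a replacement root.
issue root    "/CN=Toy Root CA"             self ca.ext 0
issue badca   "/CN=Toy Compromised CA"      root ca.ext 1001
issue okca    "/CN=Toy Sibling CA"          root ca.ext 1002
issue newroot "/CN=Toy Replacement Root CA" self ca.ext 0
leaf rogue1 mail.example.test      badca 1
leaf rogue2 www.example.test       badca 2
leaf gov    login.gov.example.test okca  1

echo "1. while the root is trusted, rogue and legitimate leaves both validate"
show rogue1 badca root.pem; show gov okca root.pem

echo "2. the CA revokes only rogue1: a CRL-checking client rejects it, still accepts rogue2"
revoke badca rogue1
show rogue1 badca root.pem -crl_check -CRLfile badca.crl
show rogue2 badca root.pem -crl_check -CRLfile badca.crl

echo "3. the root is dropped from the trust store: the untainted sibling chain fails too"
show rogue2 badca newroot.pem; show gov okca newroot.pem

echo "4. the sibling is re-issued under the replacement root, restoring the legitimate site"
issue okca2 "/CN=Toy Sibling CA" newroot ca.ext 1
leaf gov2 login.gov.example.test okca2 1
show gov2 okca2 newroot.pem
```

Run it with `sh pki_demo.sh`; it works in a temporary directory that is removed on exit. Step 2 is why CRL checking alone was not enough in the DigiNotar case: a CA that has lost track of what it issued cannot revoke what it does not know about, which is why browsers went straight to step 3 and shipped explicit blacklists.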
The incident caused VASCO's stock price to fall.[25]
Steps taken by the Dutch Government
After initially claiming that certificates under the PKI Rijksoverheid CA were not affected, the Dutch government withdrew that statement on 3 September, when a further investigation by the external consultancy Fox-IT could not fully guarantee it.[26] DigiNotar was only one of the available CAs, so not all certificates used by the Dutch government under this root CA were affected. Having lost trust in DigiNotar and in the certificates it had issued under the special Overheid root CA, the government took two major steps: it took back full control over all certificates issued under PKI Overheid from the company, and it replaced the untrusted certificates with new ones from one of the other providers.[26] The widely used DigiD platform now uses a certificate issued by Getronics PinkRoccade Nederland B.V., a subsidiary of KPN, valid from 4 September 2011 at 01:00:00 until 1 January 2012 at 00:59:59.[27] According to the Dutch government, DigiNotar is providing all required support for these procedures.
There are three Certification Service Providers (CSPs) that can issue certificates under the PKI Rijksoverheid root CA.[28]
All three companies have opened special helpdesks and/or published information on their websites on how organisations holding a PKIoverheid certificate from DigiNotar can request a new certificate from one of the remaining CSPs.[29][30][31]
References
- ^ "VASCO Data Security International, Inc. announces the acquisition of DigiNotar B.V., a market leader in Internet trust services in the Netherlands" (Press release). VASCO Data Security International. January 10, 2011. Retrieved August 31, 2011.
- ^ "VASCO Tackles Global SSL-Certificate Market". MarketWatch. 20 June 2011.
- ^ a b Heather Adkins (29 August 2011). "An update on attempted man-in-the-middle attacks". Google. Retrieved 30 August 2011.
- ^ Elinor Mills (August 29, 2011). "Fraudulent Google certificate points to Internet attack". CNET.
- ^ Charles Arthur (August 30, 2011). "Faked web certificate could have been used to attack Iran dissidents". The Guardian. Retrieved August 30, 2011.
- ^ "Fraudulent certificate triggers blocking from software companies". Heise Media UK Ltd. 30 August 2011.
- ^ "DigiNotar reports security incident". VASCO Data Security International. 30 August 2011. Retrieved 1 September 2011.
- ^ a b Johnathan Nightingale (August 29, 2011). "Fraudulent *.google.com Certificate". Mozilla Security Blog. Mozilla. Retrieved August 30, 2011.
- ^ "Mogelijk nepsoftware verspreid naast aftappen Gmail" [Fake software possibly distributed alongside Gmail interception]. Sanoma Media Netherlands groep. 31 August 2011.
- ^ a b "DigiNotar: mogelijk nog valse certificaten in omloop" [DigiNotar: fake certificates possibly still in circulation]. IDG Nederland. 31 August 2011.
- ^ Keizer, Gregg (31 August 2011). "Hackers may have stolen over 200 SSL certificates". Computerworld.
- ^ Hypponen, Mikko (30 August 2011). "DigiNotar Hacked by Black.Spook and Iranian Hackers".
- ^ "Fraudulent Digital Certificates Could Allow Spoofing". Microsoft Security Advisory (2607712). Microsoft. August 29, 2011. Retrieved August 30, 2011.
- ^ "Opera 11.51 released". Opera Software. 30 August 2011.
- ^ Vik, Sigbjørn (30 August 2011). "When Certificate Authorities are Hacked". Opera Software.
- ^ "Safari users still susceptible to attacks using fake DigiNotar certs". Ars Technica. September 1, 2011. Retrieved September 1, 2011.
- ^ a b c Johnathan Nightingale (September 2, 2011). "DigiNotar Removal Follow Up". Mozilla Security Blog. Retrieved September 4, 2011.
- ^ Schellevis, Joost (30 August 2011). "Firefox vertrouwt certificaat DigiD niet meer" [Firefox no longer trusts DigiD certificate]. Tweakers.net (in Dutch).
- ^ "Frauduleus uitgegeven beveiligingscertificaat" [Fraudulently issued security certificate]. 30 August 2011.
- ^ Schellevis, Joost (31 August 2011). "Overheid vertrouwt blunderende ssl-autoriteit" [Government trusts blundering SSL authority]. Tweakers.net (in Dutch).
- ^ Schellevis, Joost (31 August 2011). "Firefox vertrouwt DigiD toch na verzoek Nederlandse overheid" [Firefox trusts DigiD after all, following a request from the Dutch government]. Tweakers.net (in Dutch).
- ^ "Bugzilla@Mozilla – Bug 683449 - Remove the exemptions for the Staat der Nederlanden root". Retrieved 5 September 2011.
- ^ Gervase Markham (3 September 2011). "DigiNotar Compromise". Retrieved 3 September 2011.
- ^ "Security of Dutch government websites in jeopardy". Radio Netherlands Worldwide. September 3, 2011. Retrieved September 3, 2011.
- ^ "US HOT STOCKS: CoreLogic, Dollar General, Winn Dixie, Barnes & Noble". Wall Street Journal. 30 August 2011.
- ^ a b News release, Dutch Government: "Overheid zegt vertrouwen in de certificaten van Diginotar op" [Government withdraws trust in DigiNotar's certificates]. 3 September 2011. Retrieved 5 September 2011.
- ^ Certificate presented by the "Request DigiD account" page. Retrieved 5 September 2011.
- ^ Logius website: Replacing Certificates. Retrieved 5 September 2011.
- ^ a b PKIoverheid certificates. Retrieved 5 September 2011.
- ^ a b Website of the Dutch office of QuoVadis on PKIoverheid. Retrieved 5 September 2011.
- ^ Getronics website on requesting a PKIoverheid certificate. Retrieved 5 September 2011.
External links
- Official website
- Fraudulent Certificates ‐ List of Common Names
- DigiNotar reports security incident
- Pastebin posts:
- Mozilla Foundation Security Advisory 2011-34: Protection against fraudulent DigiNotar certificates
- Microsoft Security Advisory (2607712): Fraudulent Digital Certificates Could Allow Spoofing
- DigiNotar Compromise: Mozilla's Gervase Markham's account of how and why Mozilla blacklisted DigiNotar.
- Johnathan Nightingale (September 2, 2011). "DigiNotar Removal Follow Up". Mozilla Security Blog. Retrieved September 4, 2011. Account by the Director of Firefox Engineering at the Mozilla Corporation of why Mozilla's removal of DigiNotar from the trusted list is not a temporary suspension, but a complete revocation of trust.