DigiNotar a weathervane of failed trust

By on
DigiNotar a weathervane of failed trust

The fraudulent Google.com SSL certificate issued by Diginotar may be one of many, according to analysts.

The Dutch certificate authority (CA) admitted yesterday it issued fraudulent certificates - including a *.google.com wildcard - after it was hacked.

Diginotar revoked an unnamed number of affected certificates while Microsoft, Google and Mozilla blacklisted the CA's root certificate.

The Digitnotar breach permitted the "fraudulent issuance of public key certificates for a number of domains, including Google.com," according to the statement from US company VASCO, which owns DigiNotar.

But a code analysis of the upcoming Google Chrome release first identified by The Register shows fraudlent certificates could have been issued for hundreds of websites. 

The analysis identified that Google would blacklist 257 certificates in Chrome, up from 10 in the current version.

Neal Wise, director of penetration testing firm Assurance.com.au said the Chrome blacklist could encompass DigitNotar SSL certificates used by a large number of web sites, along with intermediate signing certificates.

"I could almost guarantee that it was not just Google that the certificates were issued," Wise said,.

"Maintaining this [list] in the browser code will get old once we're talking about thousands and thousands of revoked certificates from similar CA problems in the future."

Intermediate signing certificates are CAs used to create SSL certificates. It allowed a root CA to be used in the event that the intermediate CA was compromised or revoked.

 
He said SSL sessions established by Chrome would likely consult the list against the serial number of certificates served.
A sample test of signatures in a pastebin dump of what appeared to be revoked DigiNotar certificates did not match against the Chrome list. But Wise noted that the signatures could refer to different certificate lists, or the lists may simply contain serial numbers and fingerprints respectively.
He said the breach may be a result of problems with DigiNotar's request/requestor validation process or with application flaws in its ordering system.

Wild west

The DigiNotar breach was for many a symptom of deep problems with the certificate trust model.

For Wise, the breach highlights the danger of wildcard certificates because they were valid across a string of subdomains for a nominated site.

"We have been telling people for 10 years that wildcards are a bad idea," Wise said. "You get fly-by-night CAs selling certificates for $10 without concern for security or who they are selling to."

Wise had often grabbed wildcard certificates in penetration tests and used them to compromise client systems.

"It increases risk, and makes it so much harder to defend," he said.

It raised bigger issues about the much-troubled trust model that underpins certificates, according to AVG threat researcher and Virus Bulletin contributor Nick Fitzgerald.

"In face-to-face interactions with strangers over thousands of years, humans have developed a process of being reticent about things that we are told by strangers - it's why we mightn't trust used car salesmen and the like," Fitzgerald said.

He points to a 2001 breach in which Verisign accidentally issued Microsoft certificates to someone posing as a Microsoft employee. 

"No one in their right mind should trust major certificates authorities, the really big ones, because at some point they have released fraudulent certificates.

"By rights, if the chain of trust is upheld, [breached] CAs should be removed, but in Microsoft's case that should have invalidated maybe 25 percent of the certificates."

Non-technical end users were particularly exposed by the certificate model. Fraudulent certificates can be used to impersonate web sites and intercept account information.

Security researcher Moxie Marlinspike, who launched the Convergence project as an alternative to the trust model at the DefCon conference this month, had long-called for the framework to be replaced.

Suspended

In response to this apparent in-the-wild attack, VASCO said it plans to indefinitely suspend the sale of its traditional and extended-validation (EV) SSL certificates.

"The company will only restart its SSL and EV SSL certificate activities after thorough additional security audits by third-party organisations," the statement said.

Typically, users that visit websites that have been issued forged certs are unlikely to notice anything amiss, said Christopher Soghoian, a noted privacy researcher.

In an attempt to quell any speculation that hackers impacted other parts of VASCO's network, the company said the compromise was confined to its CA environment.

"The technological infrastructures of VASCO and DigiNotar are completely separated, meaning that there is no risk for infection of VASCO's strong authentication business," the company said.

Regardless of the scope, the incident highlights the precarious nature of the current CA system.

In March, hackers gained access to competitor Comodo's certificate generation system to fabricate nine fraudulent credentials for big-name sites like Google, Yahoo, Skype and Microsoft's Hotmail. An independent Iranian hacker claimed responsibility.

Got a news tip for our journalists? Share it with us anonymously here.

Copyright © SC Magazine, Australia

Tags:
certificate diginotar google security trust

Partner Content

Tech For Good program gives purpose and strong business outcomes
Tech For Good program gives purpose and strong business outcomes
Channel can help lead customers to boosting workplace wellbeing with professional headsets
Channel can help lead customers to boosting workplace wellbeing with professional headsets
Build cybersecurity capability with award winning Fortinet training from Ingram Micro
Build cybersecurity capability with award winning Fortinet training from Ingram Micro
How NinjaOne Is Supporting The Channel As It Builds An Innovative Global Partner Program
How NinjaOne Is Supporting The Channel As It Builds An Innovative Global Partner Program
Ingram Micro Ushers in the Age of Ultra
Ingram Micro Ushers in the Age of Ultra

Sponsored Whitepapers

Stop Fraud Before It Starts: A Must-Read Guide for Safer Customer Communications
Stop Fraud Before It Starts: A Must-Read Guide for Safer Customer Communications
The Cybersecurity Playbook for Partners in Asia Pacific and Japan
The Cybersecurity Playbook for Partners in Asia Pacific and Japan
Pulseway Essential Eight Framework
Pulseway Essential Eight Framework
7 Best Practices For Implementing Human Risk Management
7 Best Practices For Implementing Human Risk Management
2025 State of Machine Identity Security Report
2025 State of Machine Identity Security Report

Events

techpartner.news MSP index - Brisbane
techpartner.news MSP index - Brisbane
techpartner.news Channel Leader List / Golf day
techpartner.news Channel Leader List / Golf day
techpartner.news Pipeline Conference 2025
techpartner.news Pipeline Conference 2025
Integrate Expo 2025
Integrate Expo 2025
Security Exhibition & Conference 2025
Security Exhibition & Conference 2025

Most read articles

AI ambition: Nick Beaugeard looks to harness AI agents to provide tech services

AI ambition: Nick Beaugeard looks to harness AI agents to provide tech services
Tech Research Asia to present Australian IT M&A report

Tech Research Asia to present Australian IT M&A report
MSPs pressed to review ransomware response as new reporting rules commence

MSPs pressed to review ransomware response as new reporting rules commence
Comms Group to spend $10m to buy TasmaNet business and assets

Comms Group to spend $10m to buy TasmaNet business and assets

Log in

Email:
Password:
  |  Forgot your password?