I've been following the DigiNotar story as it evolved for a few days now with growing concern and increasing alarm. I'm by far not privy to the inside information needed to really assess and audit the situation, so this is purely based on what is publicly known. Being a Dutch native speaker, I have access to what the press in the Netherlands writes about it, with the subtle nuances that an automated translation will not capture. I do lack the resources to independently verify everything, so some errors might still be in it; consider this a best effort at creating some overview and leading up to conclusions with the limited information that is available. If we do attract the attention of DigiNotar and/or Vasco: please do contact us, we'd love to talk to you and get more information!

So who is DigiNotar and what do they do when all is normal?

DigiNotar is a CA. They sell SSL certificates, also the EV kind. But there is more that's mostly of interest to those in the EU or the Netherlands only:

They are also (I'm simplifying a bit, I know) an accredited provider in the EU and provide qualified certificates and approved SSCDs (secure signature creation devices) to customers to create digital signatures that, by law in the EU, are automatically considered to be qualified digital signatures and as such are automatically equivalent to handwritten signatures. This status forces regular third-party audits against the relevant Dutch law and standards such as ETSI TS 101 456.

They also provide certificate services under the PKIOverheid umbrella in the Netherlands. This has even more and stricter rules, e.g. things that are suggested in the ETSI standards but not mandatory can become mandatory for PKIOverheid.

DigiNotar is a wholly owned subsidiary of Vasco (since Jan 2011), so if you see Vasco sometimes doing things like press releases regarding the incident, that's why.

So what do we know, in chronological order?
Analysis of the CRLs

DigiNotar claims all breaches were under the "Public 2025 Root" ref [in Dutch]. What "root" does in there is somewhat unclear to the technically inclined mind, and "public 2025" just seems to be some sort of internal name. Let's assume they meant the fraudulent certificates were all signed by the same intermediate. The CRL indicated in the fraudulent *.google.com certificate does indeed point in the same "public 2025" direction, so let's get that CRL:

$ wget http://service.diginotar.nl/crl/public2025/latestCRL.crl

Let's make this file human readable:

$ openssl crl -text -inform DER -in latestCRL.crl >/tmp/t

And let's verify that the serial number of the fake *.google.com certificate we found on pastebin is indeed in there:

$ grep -i "05e2e6a4cd09ea54d665b075fe22a256" /tmp/t
Serial Number: 05E2E6A4CD09EA54D665B075FE22A256

So yes, it's revoked. Getting the other relevant lines (it means first figuring out how many, but I skip the boring part):

$ grep -i -A4 "05e2e6a4cd09ea54d665b075fe22a256" /tmp/t
Serial Number: 05E2E6A4CD09EA54D665B075FE22A256
Revocation Date: Aug 29 16:59:03 2011 GMT
CRL entry extensions:
Invalidity Date: Aug 29 16:58:47 2011 GMT

So that checks out nicely. [One should of course check that all signatures are valid everywhere.]

Unfortunately one can only see the serial numbers of the revoked certificates, not the more juicy fields like the CN that would allow us to see what other (fake) certificates were revoked, and when. But since we have the revocation date, maybe we can see the peak where they revoked the fraudulent certificates. I know the nature of revocation and any other work in a CA/RA can be highly cyclic with huge peaks in it, and I know not to worry about any revocation as such; users losing control over a certificate happens all the time. So let's see revocation activity in July 2011 split out per day:

$ grep "Revocation Date:" /tmp/t | sed 's/^.*Date: //' | sed 's/..:..:.. //' | sed 's/GMT//' | sort -n | uniq -c | grep 'Jul .* 2011'
1 Jul 1 2011
3 Jul 4 2011
3 Jul 5 2011
6 Jul 6 2011
6 Jul 7 2011
1 Jul 8 2011
2 Jul 11 2011
6 Jul 14 2011
1 Jul 15 2011
1 Jul 18 2011
2 Jul 19 2011
1 Jul 20 2011
1 Jul 21 2011
3 Jul 22 2011
3 Jul 26 2011
7 Jul 28 2011
5 Jul 29 2011

Uhmm, where are the "dozens" on July 19th? Since the *.google.com one was made on Jul 10th, there are no dozens either before or shortly after the 19th. They might have been added to another CRL; hard to say, as DigiNotar does not allow directory listing and doesn't have an easy-to-find list of the CRLs they publish either. Still, even if we look at the "normal" workload in 2011:

$ grep "Revocation Date:" /tmp/t | sed 's/^.*Date: //' | sed 's/..:..:.. //' | sed 's/GMT//' | grep 2011 | sed 's/ .. 2011//' | sort -n | uniq -c
93 Apr
34 Aug
112 Feb
144 Jan
52 Jul
18 Jun
118 Mar
118 May

We see that June, July and August are very light on revocations. [Note that August was not yet complete in GMT time when I downloaded the CRL file.] I know my sed and grep commands could be optimized to save a few CPU cycles, but this isn't a unix lesson. I'd love to see the "dozens" of revocations around July 19th in a DigiNotar CRL, but I simply cannot find them.

So what's the known impact right now:
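The grep/sed pipeline above does the job, but counting by hand is easy to get wrong: openssl pads single-digit days with an extra space, and it prints the invalidity date of an entry on its own line. Below is an added example, not code from the diary or from DigiNotar: a small standard-library Python parser for the text that `openssl crl -text` prints, which answers the same two questions as the commands above (is a given serial on the CRL, and when; and how are revocations distributed per day and per month). The CRL text embedded in it is constructed for this example; only the *.google.com serial number and its two timestamps are the values quoted in the diary.

```python
"""Parse the output of `openssl crl -text` and summarise revocations.

Standard library only. SAMPLE_CRL_TEXT is constructed for this example
and is not the DigiNotar CRL; run parse_crl_text() on the contents of
/tmp/t (the diary's openssl output) to analyse a real CRL.
"""
from collections import Counter
from datetime import datetime

# Constructed sample in the shape `openssl crl -text -inform DER` produces.
# Serials and dates are made up, except the *.google.com serial and its two
# timestamps, which are the values quoted in the diary.
SAMPLE_CRL_TEXT = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=NL, O=Example Issuer (constructed), CN=Example CRL Issuer
        Last Update: Aug 30 10:00:00 2011 GMT
        Next Update: Aug 31 10:00:00 2011 GMT
Revoked Certificates:
    Serial Number: 0A1B2C3D
        Revocation Date: Jul  6 09:12:00 2011 GMT
    Serial Number: 0A1B2C3E
        Revocation Date: Jul  6 15:45:10 2011 GMT
    Serial Number: 0A1B2C3F
        Revocation Date: Jul 19 11:00:00 2011 GMT
    Serial Number: 05E2E6A4CD09EA54D665B075FE22A256
        Revocation Date: Aug 29 16:59:03 2011 GMT
        CRL entry extensions:
            Invalidity Date:
                Aug 29 16:58:47 2011 GMT
"""

OPENSSL_TIME_FMT = "%b %d %H:%M:%S %Y GMT"


def parse_openssl_time(text):
    """Parse 'Jul  6 09:12:00 2011 GMT' (note the padding space) to a datetime."""
    return datetime.strptime(" ".join(text.split()), OPENSSL_TIME_FMT)


def parse_crl_text(text):
    """Return a list of {'serial', 'revocation_date', 'invalidity_date'} dicts,
    one per revoked certificate, in the order they appear in the CRL."""
    entries, current, want_invalidity = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Serial Number:"):
            current = {"serial": line.split(":", 1)[1].strip().upper(),
                       "revocation_date": None, "invalidity_date": None}
            entries.append(current)
            want_invalidity = False
        elif current is None:
            continue  # header lines before the first revoked entry
        elif line.startswith("Revocation Date:"):
            current["revocation_date"] = parse_openssl_time(line.split(":", 1)[1])
        elif line.startswith("Invalidity Date:"):
            value = line.split(":", 1)[1].strip()
            if value:
                current["invalidity_date"] = parse_openssl_time(value)
            else:
                want_invalidity = True  # openssl prints the value on the next line
        elif want_invalidity and line:
            current["invalidity_date"] = parse_openssl_time(line)
            want_invalidity = False
    return entries


def _norm_serial(serial_hex):
    """Normalise a serial for comparison: upper case, no colons, no leading zeros."""
    return serial_hex.strip().upper().replace(":", "").lstrip("0") or "0"


def find_serial(entries, serial_hex):
    """Return the CRL entry for serial_hex (case-insensitive) or None if not revoked."""
    wanted = _norm_serial(serial_hex)
    for entry in entries:
        if _norm_serial(entry["serial"]) == wanted:
            return entry
    return None


def revocations_per_day(entries, year=None, month=None):
    """Count revocations per calendar day (ISO date string), optionally filtered."""
    counts = Counter()
    for entry in entries:
        when = entry["revocation_date"]
        if when is None or (year and when.year != year) or (month and when.month != month):
            continue
        counts[when.date().isoformat()] += 1
    return dict(sorted(counts.items()))


def revocations_per_month(entries, year):
    """Count revocations per month ('YYYY-MM') for one year."""
    counts = Counter()
    for entry in entries:
        when = entry["revocation_date"]
        if when is not None and when.year == year:
            counts[when.strftime("%Y-%m")] += 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    crl = parse_crl_text(SAMPLE_CRL_TEXT)
    hit = find_serial(crl, "05e2e6a4cd09ea54d665b075fe22a256")
    print("revoked:", hit is not None, hit)
    for day, n in revocations_per_day(crl, year=2011, month=7).items():
        print(f"{n:4d} {day}")
    print(revocations_per_month(crl, 2011))
```

To run this against the diary's own data, pass `open("/tmp/t").read()` to `parse_crl_text` instead of the sample. The caveat raised in the comments applies either way: a revoked certificate is only listed until it expires, so a CRL downloaded today cannot be used to reconstruct revocation activity from years ago; keep a dated copy of the CRL if you want to count later.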
What is the biggest thing we all lack to better see what impact there is/was?

Obviously it's unlikely we'll get all those details publicly, but the more we get, the easier it will be to keep the trust in the SSL "system" in general and more specifically in DigiNotar.

Glossary
Swa 760 Posts Sep 1st 2011
Were these Organization-Validated certs? As far as I can tell from DigiNotar's site, they don't seem to offer domain validated certs.
Anonymous
Sep 1st 2011
Thanks so much for the translation, Swa.
> So a compromise that an unnamed auditor working for well known audit company X is now not an auditor anymore

You know as well as anyone that most Security Auditors are little more than brainless checkbox cowboys. Auditors even more so, since they're supposed to follow a NOT ad-hoc process. If someone does need to go, it'd be the process creator - but I'd suggest that this is a better opportunity to demonstrate that most secaudits are useless feelgood. Compliance != Competence. Compliance != Correct. Compliance != Secure.

> Clarity over what was affected by the hackers, a full report would be really nice to read

... from that same group that buried the incident, then (possibly) lied about revocations? Not sure we need to care about the details anymore - about the only thing we'd prove is that the CA scheme is a classic confidence racket, without exception.
Steven 42 Posts
Sep 1st 2011
Users can also just delete the DigiNotar keys in various applications. Mozilla has directions here for Firefox and Thunderbird: http://support.mozilla.com/en-US/kb/deleting-diginotar-ca-cert
The process is probably similar for other browsers but I'm not sure. Apparently a few browser houses haven't updated their software yet, so this is the one way to block potentially fraudulent sites if you can delete the sertificates or render them untrusted.
Steven 9 Posts
Sep 1st 2011
Dang... Certificates... Certificates... Not "sertificates"...
Steven 9 Posts
Sep 1st 2011
If I'm reading your spreadsheet correctly, you show that the certificates have expired. If you are looking for these on a current CRL they will not be there; expired certificates typically drop off the CRL.
Steven 1 Posts
Sep 1st 2011
This is a disturbing event, and explains why, in the early days, obtaining a cert was not unlike a personal background investigation. Sadly, trust seems to have left the barn along with the horses.

I hope that this is a wakeup call for the other CAs to resume very strict controls, both technical and procedural. With due respect, Steven, I'm very sorry to see your rant about auditors. Certainly, as with any specialty, there are the 'check-boxers'. However, my experience as a security analyst/engineer/manager/officer has been with generally competent and conscientious auditors who are capable of thinking outside the checkbox. I agree that Compliance != Security, but I hope you can agree that if you can successfully tackle both, you have mitigated a good chunk of both business risk and security risk.
Anonymous
Sep 2nd 2011
Call me simple minded... but I think in addition to some ideas floating around with DNSSEC, and crowd-sourcing (with an idea like convergence.io) [totally ripped this from http://security.blogoverflow.com/2011/08/31/a-risk-based-look-at-fixing-the-certificate-authority-problem/]... you could simply have browser authors and vendors of locally maintained certificate stores (like the author of Windows, Microsoft) verify that CAs meet a certain baseline security via an audit.

Sounds like a third-party consortium and an approved list of providers could be used. I can't believe these people can't secure their assets; it drives me crazy.
mbrownnyc 19 Posts
Sep 2nd 2011
I'm for internet death penalty on the second violation.
mbrownnyc 39 Posts
Sep 2nd 2011
GovCERT.NL just published a FactSheet: https://www.govcert.nl/english/service-provision/knowledge-and-publications/factsheets/factsheet-fraudulently-issued-security-certificate-discovered.html
otmar 4 Posts
Sep 5th 2011
I think they've actually run out of room to pound any more nails into this coffin, and are now just duct-taping them by the boxload along the sides and top of it.
(Rogue SSL certs were also issued for CIA, MI6, Mossad <snip> from one to a couple dozen to over 250 to 531) http://www.net-security.org/secworld.php?id=11565
Steven 42 Posts
Sep 5th 2011
I think it's time that there is a list of "High Value" targets (such as Google, MS, Mozilla, and others that have been abused in this way) and make it required for them to have multiple signing CAs for their certificates to be considered valid... the odds of one breach are apparently quite high... the odds of, say, three at the same time should be somewhat significantly reduced...
Anonymous
Sep 5th 2011
Dutch government takes control of DigiNotar CA
- http://h-online.com/-1337286 5 September 2011
Jack 160 Posts
Sep 5th 2011