More on DigiNotar Hack

There have been quite a few more news stories about the attack on the Dutch Certificate Authority [CA] DigiNotar, which I wrote about in the previous post.  I’ll try to summarize some of the new information here.

The Dutch Government, which had used DigiNotar to implement some certificates for government use, has issued a fact sheet (in English) on the incident.  It summarizes the facts in the incident and the government’s response.

• The Dutch government denounces trust in certificates issued by DigiNotar.
• After an intrusion in DigiNotar systems, probably several hundred fraudulent certificates were issued.
• A fraudulent certificate for google.com is actually used by attackers.
• There are no Dutch government certificates among the known fraudulent certificates.
• Visitors of websites might get warning messages that websites can no longer be trusted.
• Server-to-Server communication that is based on DigiNotar certificates can be disrupted.
• The Dutch government has taken over operational management from DigiNotar

The fact sheet also has links to a list of the Common Names (domain names) for which fraudulent certificates were issued.  There is also a downloadable, more comprehensive version of the fact sheet [PDF].

The Freedom to Tinker blog, hosted by the Center for Information Technology Policy [CITP] at Princeton University, has a post on the DigiNotar incident by Steve Schultze, Associate Director of the CITP.   As he notes, the evidence strongly suggests that DigiNotar was not a satisfactory CA.

It appears that DigiNotar did not deserve to be trusted with the responsibility to to issue certifying SSL certificates, because their systems allowed an outside hacker to break in and issue himself certificates for any web site domain he wished.

One of the things about this incident that is very troubling is that the successful attack was not detected for a month, during which time the attacker issued a large number of bogus certificates; after DigiNotar became aware of the problem, it waited almost two more months before disclosing the incident publicly.  Arguably, the disclosure was only made when DigiNotar was forced to do so.

Indeed, DigiNotar seems to have intended never to disclose the problem, and was only forced to do so after a perceptive Iranian Google user noticed that their connections were being hijacked.

Perhaps the most disturbing aspect of this incident is that it makes clear, once again, that the current security model used to support SSL./TLS security on the Web has fundamental flaws, which fall, as Schultze points out,  into four broad areas.  [The italicized category descriptions are his; the summary explanations are mine.]

• Too many entities have Certificate Authority powers. There are, literally, thousands of entities in the world that can issue certificates.  Some of these are “top-level” authorities, like DigiNotar, but others have authority delegated to them by a top-level CA.  As far as I know, there is no comprehensive list of certificate issuers.
• The current system does not limit damage.  Under the existing system, a CA or its delegates can issue certificates for any domain. Thus DigiNotar can issue certificates for Google, or for the CIA.
• Governments are a threat.  Many government agencies are implicitly trusted to issue certificates.  It is not clear that the governments of all countries deserve this level of trust.
• We need to step up efforts on a fix.  I think it is extremely unlikely that DigiNotar is the only CA that is currently compromised.  We just don’t know about the others yet.

Finally, a new diary entry at the SANS Internet Storm Center reports that a Belgian CA, GlobalSign, has temporarily stopped issuing certificates in order to investigate a potential security breach.  The action was prompted by an anonymous post on an Internet forum; the poster claimed to be responsible for the DigiNotar attack, and to have also gained access to GlobalSign.  The company’s press release says:

GlobalSign takes this claim very seriously and is currently investigating. As a responsible CA, we have decided to temporarily cease issuance of all Certificates until the investigation is complete.

As the SANS diary says, there is no evidence at this point, other than the forum post, that GlobalSign has actually been compromised.

Dutch Certificate Authority Hacked

Over the last week or so, we have learned about a successful attack against a Dutch Certificate Authority [CA], DigiNotar, a subsidiary of Vasco Data Security, which allowed the creation of a large number of bogus server certificates; these certificates are a key part of the SSL/TLS secure browsing mechanism.  (Your browser will indicate a secure session by highlighting the domain name in the URL bar, or with a little padlock icon.)   The CA acts as a trusted third party (somewhat analogous to a notary public in a paper-based transaction); it issues certificates which are supposed to provide assurance that the server is owned by a particular owner, like Facebook, and that a particular public cryptographic key belongs to the server..   The intent is that the user knows not only that (s)he is using an encrypted connection to the server, but also that the connection is to the correct server, and not an impostor.

Someone with a forged certificate for a site (say, Facebook) can mount a “man in the middle” attack.  His malicious server can masquerade as Facebook, using the bogus certificate to establish his identity.  He can then, in a simple case, just pass through traffic to and from the real Facebook server, eavesdropping all the while.  Nastier attacks are possible, too.

I’ll try to summarize here what happened without getting into too much technical detail; I’ll also provide some links to more detail for those who  want or need it.

Someone managed to penetrate the security of DigiNotar’s CA system.  Beginning on July 10, 2011, the attacker used that access to create a large number of forged server certificates.  The exact number of bogus certificates created is still not entirely certain, but several hundred have been specifically identified.  They were issued in the name of several CAs:

• DigiNotar Cyber CA
• DigiNotar Extended Validation CA
• DigiNotar Public CA – G2
• DigiNotar Public CA 2025
• Koninklijke Notariele Beroepsorganisatie CA
• Stichting TTP Infos CA

Beginning in mid-July, some of the rogue certificates were discovered and revoked as part of an audit process; however, some certificates were missed, including one for *.google.com.   On August 28, a user in Iran posted a note to a Google mail help forum, saying that he had gotten a warning about the server certificate when he tried to log in to his GMail account.  (There is some suspicion that the Iranian government is involved in this attack, with the goal of monitoring its citizens’ E-mail.)   DigiNotar revoked the bogus Google certificate within a day or so, but they did not provide much information about the problem.  Consequently, the major browser vendors, Google, Mozilla, and Microsoft, issued software updates that effectively blacklisted certificates from DigiNotar.   (See below for software update information.)  The parent company, Vasco, issued a press release on August 30, which was full of reassuring language but short on details.  The Dutch government, which had entrusted DigiNotar with management of some special ‘PKIOverheid’ certificates issued by the government (“Staat der Nederlanden”) , announced on September 3 that it was withdrawing its business from DigiNotar, and would seek another provider.   The SANS Internet Storm Center has a diary post with a more detailed timetable and links to other information.  It was written by Swa Frantzen, who is a native Dutch speaker.)

A list of the bogus certificates, allegedly from a Dutch government source, was published in a blog post at the TOR project.  The domains for which forged certificates were created includes some household names in addition to Google: Facebook, Yahoo!, Microsoft, Skype, Twitter, Tor, and WordPress, to name a few.  There were three especially interesting domains on the list:

• http://www.mossad.gov.il
• http://www.sis.gov.uk
• http://www.cia.gov

These are, respectively, the Israeli intelligence service, Mossad; the UK Secret Intelligence Service (MI-6); and the US Central Intelligence Agency.  This does not mean that any important information was compromised; these certificates were only for the specific (www.) domains listed; however, that they were not noticed until a few days after the original Google-related flap suggests that the list of issued certificates is not subject to any very careful scrutiny. This impression is reinforced by a discovery made by the security firm F-Secure; they reported in a blog post that they had found defacements of the DigiNotar Web site dating back to 2009.

Today, the SANS folks posted another diary entry, giving an update on this ongoing saga.

Today the Dutch government released a letter signed by the minister of internal affairs and the minister of security and justice addressed to their house of representatives. The letter has as attachment an interim report by security company Fox-IT’s CEO who has been heading an audit at DigiNotar.

The letter mentioned is in Dutch, but the interim report is in English, and can be downloaded here [PDF].  The SANS diary article contains a summary of some key points.

If you are a typical user, this probably will not affect you much, if at all, though you should, as always, be sure to install security updates in a timely manner.  (If you happen to use a site that got its certificate from DigiNotar, you may have problems with that site.)   If you are a customer of DigiNotar, you should probably be looking for a new provider; you very likely are already having some problems with  your site, because of the browser blacklisting.  If you are a user in Iran, and you don’t want your government to read your mail, you may have a Big Problem.

This is not the first time that a CA has been compromised, and it won’t be the last.  Many of us have suspected for some time that the vetting processes and security practices of at least some CAs leave a good deal to be desired.

Software Updates

As I noted above, the major browser vendors have issued updates that effectively blacklist DigiNotar certificates.  The latest updated versions are:

• Google Chrome: Version 13.0.782.220 (announcement)
• Mozilla Firefox: Version 6.0.2 (security blog post)  Download new version here.  Release Notes.
• Mozilla Thunderbird E-mail client: Version 6.0.2 Download.  Release Notes.
• Microsoft Security Advisory.(2607712).   Download patches here.

Although most people will not be impacted directly, it is a good idea to get these updates installed without undue delay.  And if your browser gives you a security warning, pay attention!