Over the last week or so, we have learned about a successful attack against a Dutch Certificate Authority [CA], DigiNotar, a subsidiary of Vasco Data Security, which allowed the creation of a large number of bogus server certificates; these certificates are a key part of the SSL/TLS secure browsing mechanism. (Your browser will indicate a secure session by highlighting the domain name in the URL bar, or with a little padlock icon.) The CA acts as a trusted third party (somewhat analogous to a notary public in a paper-based transaction); it issues certificates which are supposed to provide assurance that the server is owned by a particular owner, like Facebook, and that a particular public cryptographic key belongs to the server. The intent is that the user knows not only that (s)he is using an encrypted connection to the server, but also that the connection is to the correct server, and not an impostor.
Someone with a forged certificate for a site (say, Facebook) can mount a “man in the middle” attack. His malicious server can masquerade as Facebook, using the bogus certificate to establish his identity. He can then, in a simple case, just pass through traffic to and from the real Facebook server, eavesdropping all the while. Nastier attacks are possible, too.
I’ll try to summarize here what happened without getting into too much technical detail; I’ll also provide some links to more detail for those who want or need it.
Someone managed to penetrate the security of DigiNotar’s CA system. Beginning on July 10, 2011, the attacker used that access to create a large number of forged server certificates. The exact number of bogus certificates created is still not entirely certain, but several hundred have been specifically identified. They were issued in the name of several CAs:
- DigiNotar Cyber CA
- DigiNotar Extended Validation CA
- DigiNotar Public CA – G2
- DigiNotar Public CA 2025
- Koninklijke Notariele Beroepsorganisatie CA
- Stichting TTP Infos CA
Beginning in mid-July, some of the rogue certificates were discovered and revoked as part of an audit process; however, some certificates were missed, including one for *.google.com. On August 28, a user in Iran posted a note to a Google mail help forum, saying that he had gotten a warning about the server certificate when he tried to log in to his GMail account. (There is some suspicion that the Iranian government is involved in this attack, with the goal of monitoring its citizens’ E-mail.) DigiNotar revoked the bogus Google certificate within a day or so, but they did not provide much information about the problem. Consequently, the major browser vendors, Google, Mozilla, and Microsoft, issued software updates that effectively blacklisted certificates from DigiNotar. (See below for software update information.) The parent company, Vasco, issued a press release on August 30, which was full of reassuring language but short on details. The Dutch government, which had entrusted DigiNotar with management of some special ‘PKIOverheid’ certificates issued by the government (“Staat der Nederlanden”), announced on September 3 that it was withdrawing its business from DigiNotar, and would seek another provider. The SANS Internet Storm Center has a diary post with a more detailed timetable and links to other information. (It was written by Swa Frantzen, who is a native Dutch speaker.)
A list of the bogus certificates, allegedly from a Dutch government source, was published in a blog post at the TOR project. The domains for which forged certificates were created include some household names in addition to Google: Facebook, Yahoo!, Microsoft, Skype, Twitter, Tor, and WordPress, to name a few. There were three especially interesting domains on the list:
These are, respectively, the Israeli intelligence service, Mossad; the UK Secret Intelligence Service (MI-6); and the US Central Intelligence Agency. This does not mean that any important information was compromised; these certificates were only for the specific (www.) domains listed; however, that they were not noticed until a few days after the original Google-related flap suggests that the list of issued certificates is not subject to any very careful scrutiny. This impression is reinforced by a discovery made by the security firm F-Secure; they reported in a blog post that they had found defacements of the DigiNotar Web site dating back to 2009.
Today, the SANS folks posted another diary entry, giving an update on this ongoing saga.
Today the Dutch government released a letter signed by the minister of internal affairs and the minister of security and justice addressed to their house of representatives. The letter has as attachment an interim report by security company Fox-IT’s CEO who has been heading an audit at DigiNotar.
The letter mentioned is in Dutch, but the interim report is in English, and can be downloaded here [PDF]. The SANS diary article contains a summary of some key points.
If you are a typical user, this probably will not affect you much, if at all, though you should, as always, be sure to install security updates in a timely manner. (If you happen to use a site that got its certificate from DigiNotar, you may have problems with that site.) If you are a customer of DigiNotar, you should probably be looking for a new provider; you very likely are already having some problems with your site, because of the browser blacklisting. If you are a user in Iran, and you don’t want your government to read your mail, you may have a Big Problem.
This is not the first time that a CA has been compromised, and it won’t be the last. Many of us have suspected for some time that the vetting processes and security practices of at least some CAs leave a good deal to be desired.
As I noted above, the major browser vendors have issued updates that effectively blacklist DigiNotar certificates. The latest updated versions are:
- Google Chrome: Version 13.0.782.220 (announcement)
- Mozilla Firefox: Version 6.0.2 (security blog post) Download new version here. Release Notes.
- Mozilla Thunderbird E-mail client: Version 6.0.2 Download. Release Notes.
- Microsoft Security Advisory (2607712). Download patches here.
Although most people will not be impacted directly, it is a good idea to get these updates installed without undue delay. And if your browser gives you a security warning, pay attention!
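For anyone who wants to check their own connection records against the issuing CA names listed earlier in this post, here is an added example (not part of the original post, and not any browser vendor's blacklist code). It assumes certificates have already been decoded into the dictionary shape that Python's `SSLSocket.getpeercert()` returns; the sample chains and host names are constructed.

```python
import re
import unicodedata

# Issuing CA names exactly as listed in the post above.
DISTRUSTED_CA_NAMES = [
    "DigiNotar Cyber CA",
    "DigiNotar Extended Validation CA",
    "DigiNotar Public CA – G2",
    "DigiNotar Public CA 2025",
    "Koninklijke Notariele Beroepsorganisatie CA",
    "Stichting TTP Infos CA",
]

def normalize(name):
    """Fold case, Unicode dash variants and whitespace ('CA – G2' == 'CA - G2')."""
    name = unicodedata.normalize("NFKC", name)
    name = re.sub(r"[\u2010-\u2015\u2212]", "-", name)
    return re.sub(r"\s+", " ", name).strip().casefold()

DISTRUSTED = {normalize(n) for n in DISTRUSTED_CA_NAMES}

def common_names(rdn_sequence):
    """Collect every commonName from the nested tuples getpeercert() uses."""
    return [value for rdn in rdn_sequence for (key, value) in rdn
            if key == "commonName"]

def flag_chain(chain):
    """Return (subject CN, issuer CN) for each certificate issued by a listed CA.

    Name matching is triage only; it does not verify any signature.
    """
    hits = []
    for cert in chain:
        subject = (common_names(cert.get("subject", ())) or ["<no CN>"])[0]
        for issuer_cn in common_names(cert.get("issuer", ())):
            if normalize(issuer_cn) in DISTRUSTED:
                hits.append((subject, issuer_cn))
    return hits

# Constructed sample chains (not real certificates), leaf first.
SUSPECT_CHAIN = [{
    "subject": ((("commonName", "login.example.test"),),),
    "issuer": ((("countryName", "NL"),), (("organizationName", "DigiNotar"),),
               (("commonName", "DigiNotar Public CA - G2"),)),
}]
CLEAN_CHAIN = [{
    "subject": ((("commonName", "www.example.org"),),),
    "issuer": ((("commonName", "Example Issuing CA 1"),),),
}]

if __name__ == "__main__":
    for label, chain in (("suspect", SUSPECT_CHAIN), ("clean", CLEAN_CHAIN)):
        print(label, flag_chain(chain))
```

A hit means only that the issuer name matches one on the list; the certificate itself still needs to be examined.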