It's "game over" for certificate authority DigiNotar as Microsoft permanently blocks all certificates signed by the company. Google and Mozilla have also followed suit and blocked the root.
Microsoft has permanently blocked all digital certificates issued by Dutch company
DigiNotar after it became clear that the attack on the certificate authority
was broader than originally thought.
The update for Windows Vista, Windows 7 and Windows XP sends all five DigiNotar Secure
Sockets Layer (SSL) certificates to a block list, Microsoft said in an update to
security advisory 2607712
on Sept. 6. The Internet Explorer Web browser
uses the list to block users from reaching Websites with potentially fake
certificates.
Microsoft had updated Windows last week after initial reports that DigiNotar had been
breached earlier in the summer and that, as a result, fake SSL certificates
affecting all Google Websites were circulating in the wild. In that update,
Microsoft had blocked only two of the five root certificates and displayed a
warning that the site was potentially dangerous because of a suspect
certificate. Now, with this update, if the certificate's signer is listed in the
Untrusted Certificate Store, IE unilaterally blocks the site.
Users "are no longer presented with a certificate warning, they are prevented from
accessing sites with SSL certificates issued by DigiNotar," Chester
Wisniewski, senior security adviser at Sophos, wrote on the
Naked Security blog.
Browsers rely on SSL certificates to confirm that the page the visitor is
seeing is legitimate. Fake certificates can be used in man-in-the-middle
attacks where the visitor is redirected to a different site, James Lyne,
director of technology strategy at Sophos, told eWEEK. If the browser
recognizes the company that signed the certificate, it doesn't block the page,
because it has no way of telling that the certificate is illegitimate.
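The two passages above describe the mechanism at work: a browser accepts any certificate whose signer it recognizes, and the only remedy once a CA is compromised is a distrust list that overrides the trusted-root store. The following is an added illustration, not code from eWEEK, Microsoft or any browser vendor. It models the chain check with three outcomes (allow, click-through warning, hard block), using simplified stand-in certificates with constructed DER bytes; the certificate names and fingerprints are hypothetical and no real X.509 parsing or signature verification is performed.

```python
"""Toy model of a browser chain check with a trusted-root store and a
distrust ("untrusted") store that takes precedence over it.

Certificates are simplified stand-ins: subject, issuer and constructed
bytes standing in for the DER encoding.  No real X.509 handling here.
"""
import hashlib
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"  # chain is fine, load the page
    WARN = "warn"    # interstitial warning the user can click through
    BLOCK = "block"  # hard block, no click-through


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    der: bytes  # constructed stand-in for the real DER encoding

    @property
    def fingerprint(self) -> str:
        # Block lists are keyed on the certificate's SHA-1 thumbprint.
        return hashlib.sha1(self.der).hexdigest()


def evaluate_chain(chain, trusted_roots, untrusted_store, hard_block=True):
    """Evaluate a chain ordered leaf first, root last.

    The distrust store is consulted first so that a listed root is refused
    even while it is still present in the trusted-root store.  With
    hard_block=False a listed certificate only produces a warning, which is
    the weaker behaviour of the first advisory update described above.
    """
    if not chain:
        return Verdict.BLOCK
    # 1. Distrust list wins over everything else.
    for cert in chain:
        if cert.fingerprint in untrusted_store:
            return Verdict.BLOCK if hard_block else Verdict.WARN
    # 2. Each certificate must name the next one up as its issuer.
    for lower, upper in zip(chain, chain[1:]):
        if lower.issuer != upper.subject:
            return Verdict.BLOCK
    # 3. The chain must end in a self-signed root the client trusts;
    #    an unknown root gets the usual click-through warning.
    root = chain[-1]
    if root.subject != root.issuer or root.fingerprint not in trusted_roots:
        return Verdict.WARN
    return Verdict.ALLOW


def compromised_ca_scenario():
    """Walk through the sequence of client states described in the article.

    All certificates below are constructed examples, not the real DigiNotar,
    Google or Microsoft certificates.
    """
    rogue_root = Cert("CN=Example Compromised CA", "CN=Example Compromised CA", b"constructed-root-A")
    fake_leaf = Cert("CN=*.search.example", "CN=Example Compromised CA", b"constructed-leaf-A")
    good_root = Cert("CN=Example Good CA", "CN=Example Good CA", b"constructed-root-B")
    good_leaf = Cert("CN=www.example", "CN=Example Good CA", b"constructed-leaf-B")

    # Before the breach became known, both roots ship as trusted.
    trusted = {rogue_root.fingerprint, good_root.fingerprint}
    untrusted = set()
    results = {}

    # A fraudulent leaf chains to a recognized root: nothing to object to.
    results["before_advisory"] = evaluate_chain([fake_leaf, rogue_root], trusted, untrusted)
    # First update: root listed, but only a warning the user can dismiss.
    untrusted.add(rogue_root.fingerprint)
    results["first_update"] = evaluate_chain([fake_leaf, rogue_root], trusted, untrusted, hard_block=False)
    # Second update: same listing, now a hard block.
    results["second_update"] = evaluate_chain([fake_leaf, rogue_root], trusted, untrusted)
    # Sites chaining to an unaffected CA are untouched.
    results["unaffected_site"] = evaluate_chain([good_leaf, good_root], trusted, untrusted)
    return results


if __name__ == "__main__":
    for state, verdict in compromised_ca_scenario().items():
        print(f"{state:16s} -> {verdict.value}")
```

The point the scenario makes is that revocation by the CA itself is irrelevant once the CA's signing key is in an attacker's hands; the relying party has to stop honoring the root, and a warning that can be clicked through leaves the man-in-the-middle attack viable.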
DigiNotar, a Dutch certificate authority, noticed that its servers were compromised in
mid-July. Even though the company initially claimed that only
"dozens" of fake certificates had been issued and most of them had
been revoked, it was later reported that the company did not know the extent of
the problem and that it could be as many as 263 certificates. It was clear by
this point that DigiNotar performed "no logging" to track
certificates being created, Roel Schouwenberg, senior researcher at Kaspersky
Lab, told eWEEK.
According to a preliminary audit report from Fox-IT, a digital forensics firm brought in to
investigate the DigiNotar breach, the attackers had acquired 531 certificates
in all, including ones for the Dutch government, the CIA, MI6, Mossad,
Microsoft, Skype, Mozilla, Facebook, AOL, WordPress and Twitter. A complete
list is available
on the Tor Project's Website. The report also revealed
that DigiNotar had been unaware of the intrusion for approximately a month, as
the initial compromise had occurred in June.
It is "game over for DigiNotar. Very soon they will officially no longer be a valid
entity to issue certificates," Andrew Storms, director of security
operations for nCircle, told eWEEK.