Microsoft Permanently Revokes All Dutch CA's SSL Certificates

It's "game over" for certificate authority DigiNotar as Microsoft permanently blocks all certificates signed by the company. Google and Mozilla have also followed suit and blocked the root.

Download the authoritative guide: The Ultimate Guide to IT Security Vendors

Microsoft has permanently blocked all digital certificates issued by Dutch company DigiNotar after it became clear that the attack on the certificate authority was broader than originally thought.

The update for Windows Vista, Windows 7 and Windows XP sends all five DigiNotar Secure Sockets Layer (SSL) certificates to a block list, Microsoft said in an update tosecurity advisory 2607712 on Sept. 6. The Internet Explorer Web browser uses the list to block users from reaching Websites with potentially fake certificates.

Microsoft had updated Windows last week after initial reports that DigiNotar had been breached earlier in the summer and as a result there were fake SSL certificates circulating in the wild that affected all Google Websites. In that update, Microsoft had blocked only two of the five root certificates and displayed a warning about sites being potentially dangerous because of a suspect certificate. Now with this update, if the certificate's signer is listed in the Untrusted Certificate Store, IE unilaterally blocks the site.

"Users are no longer presented with a certificate warning, they are prevented from accessing sites with SSL certificates issued by DigiNotar," Chester Wisniewski, senior security adviser at Sophos, wrote on theNaked Security blog.

Websites and browsers rely on SSL certificates to confirm that the page the visitor is seeing is legitimate. Fake certificates can be used in man-in-the-middle attacks where the visitor is redirected to a different site, James Lyne, director of technology strategy at Sophos, told eWEEK. If the browser recognizes the company that signed the certificate, it doesn't block the page because it can't tell if the certificate is not legitimate.

DigiNotar, a Dutch certificate authority, noticed that its servers were compromised in mid-July. Even though the company initially claimed that only "dozens" of fake certificates had been issued and most of them had been revoked, it was later reported that the company did not know the extent of the problem and that it could be as many as 263 certificates. It was clear by this point that DigiNotar performed "no logging" to track certificates being created, Roel Schouwenberg, senior researcher at Kaspersky Lab, told eWEEK.

According to a preliminary audit report from Fox-IT, a digital forensics firm brought in to investigate the DigiNotar breach, the attackers had acquired 531 certificates in all, including the ones used by the Dutch government, the CIA, MI6, Mossad, Microsoft, Skype, Mozilla, Facebook, AOL, WordPress and Twitter. A complete list is available on the Tor Project's Website. The report also revealed that DigiNotar had been unaware of the intrusion for approximately a month, as the initial compromised had occurred in June.

"It's game over for DigiNotar. Very soon they will officially no longer be a valid entity to issue certificates," Andrew Storms, director of security operations for nCircle, told eWEEK.