    Microsoft Permanently Revokes All Dutch CA’s SSL Certificates

    By Fahmida Y. Rashid - September 6, 2011

      Microsoft has permanently blocked all digital certificates issued by Dutch company DigiNotar after it became clear that the attack on the certificate authority was broader than originally thought.

      The update for Windows Vista, Windows 7 and Windows XP sends all five DigiNotar Secure Sockets Layer (SSL) certificates to a block list, Microsoft said in an update to security advisory 2607712 on Sept. 6. The Internet Explorer Web browser uses the list to block users from reaching Websites with potentially fake certificates.

      Microsoft had updated Windows last week after initial reports that DigiNotar had been breached earlier in the summer and as a result there were fake SSL certificates circulating in the wild that affected all Google Websites. In that update, Microsoft had blocked only two of the five root certificates and displayed a warning about sites being potentially dangerous because of a suspect certificate. Now with this update, if the certificate’s signer is listed in the Untrusted Certificate Store, IE unilaterally blocks the site.

      “Users are no longer presented with a certificate warning, they are prevented from accessing sites with SSL certificates issued by DigiNotar,” Chester Wisniewski, senior security adviser at Sophos, wrote on the Naked Security blog.

      Websites and browsers rely on SSL certificates to confirm that the page the visitor is seeing is legitimate. Fake certificates can be used in man-in-the-middle attacks where the visitor is redirected to a different site, James Lyne, director of technology strategy at Sophos, told eWEEK. If the browser recognizes the company that signed the certificate, it doesn’t block the page because it can’t tell if the certificate is not legitimate.

      DigiNotar, a Dutch certificate authority, noticed that its servers were compromised in mid-July. Even though the company initially claimed that only “dozens” of fake certificates had been issued and most of them had been revoked, it was later reported that the company did not know the extent of the problem and that it could be as many as 263 certificates. It was clear by this point that DigiNotar performed “no logging” to track certificates being created, Roel Schouwenberg, senior researcher at Kaspersky Lab, told eWEEK.

      According to a preliminary audit report from Fox-IT, a digital forensics firm brought in to investigate the DigiNotar breach, the attackers had acquired 531 certificates in all, including the ones used by the Dutch government, the CIA, MI6, Mossad, Microsoft, Skype, Mozilla, Facebook, AOL, WordPress and Twitter. A complete list is available on the Tor Project’s Website. The report also revealed that DigiNotar had been unaware of the intrusion for approximately a month, as the initial compromise had occurred in June.

      “It’s game over for DigiNotar. Very soon they will officially no longer be a valid entity to issue certificates,” Andrew Storms, director of security operations for nCircle, told eWEEK.

      Apple Needs to Respond to Danger

      Schouwenberg was concerned about how “deep this attack may have run.” On Sept. 6, a user claiming to be behind the earlier attack on New Jersey-based certificate authority Comodo posted a note on text-sharing site Pastebin claiming responsibility for the DigiNotar breach as well as four other high-profile CAs, including GlobalSign. The alleged attacker claimed to still have the ability to issue rogue certificates from the other CAs.

      Google and Mozilla have already updated their browsers to block all DigiNotar certificates. Google shipped a new version of Chrome on Sept. 3, and Mozilla updated both Firefox 6 and Firefox 3.6 on Sept. 6. Mozilla’s Director of Firefox Engineering Johnathan Nightingale said the removal was “not a temporary suspension,” but a “complete” one.

      “Complete revocation of trust is a decision we treat with careful consideration, and employ as a last resort,” wrote Nightingale in a blog post on Sept. 2.

      As is characteristic of Apple whenever there is a security issue, the company has yet to warn its users or act. “I know you [Apple] don’t like to talk about security, but now would be a great time to show you care” and protect users, Wisniewski said to Apple.

      Since Microsoft has issued the update to all supported versions of Windows, including Windows XP and Windows 2003, all Windows users “will no longer be presented with the dangerous option” of mistakenly overriding the suspicious SSL certificate warning, Wisniewski told eWEEK over email. He recommended that Mac OS X users use BootCamp and Windows 7 to browse the Web or use Firefox. Chrome uses the KeyChain to validate certificates on Mac OS X, making it vulnerable to the same issue as Safari, Wisniewski said.

      The update will be automatically downloaded and installed on machines that have Automatic Update enabled, Microsoft said in the security advisory. However, the company is checking the PC’s geographic location before downloading the update to delay pushing the changes to its Dutch customers. Once the certificates are blocked, users will be unable to access a lot of the Websites that have legitimate SSL certificates signed by DigiNotar, such as various Dutch government and business Websites. The one-week delay would give the Dutch government time to obtain new certificates from some other “more trustworthy” certificate authority, Wisniewski said.

      “At the explicit request of the Dutch government, Microsoft will delay deployment of this update in the Netherlands for one week to give the government time to replace certificates,” Dave Forstrom, a director in Microsoft’s Trustworthy Computing group, said in a blog post today. Dutch users can still manually update by going to the country-specific Windows Update site, Forstrom said.
