Microsoft has permanently blocked all digital certificates issued by Dutch company DigiNotar after it became clear that the attack on the certificate authority was broader than originally thought.
The update for Windows Vista, Windows 7 and Windows XP sends all five DigiNotar Secure Sockets Layer (SSL) certificates to a block list, Microsoft said in an update tosecurity advisory 2607712 on Sept. 6. The Internet Explorer Web browser uses the list to block users from reaching Websites with potentially fake certificates.
Microsoft had updated Windows last week after initial reports that DigiNotar had been breached earlier in the summer and as a result there were fake SSL certificates circulating in the wild that affected all Google Websites. In that update, Microsoft had blocked only two of the five root certificates and displayed a warning about sites being potentially dangerous because of a suspect certificate. Now with this update, if the certificate’s signer is listed in the Untrusted Certificate Store, IE unilaterally blocks the site.
“Users are no longer presented with a certificate warning, they are prevented from accessing sites with SSL certificates issued by DigiNotar,” Chester Wisniewski, senior security adviser at Sophos, wrote on theNaked Security blog.
Websites and browsers rely on SSL certificates to confirm that the page the visitor is seeing is legitimate. Fake certificates can be used in man-in-the-middle attacks where the visitor is redirected to a different site, James Lyne, director of technology strategy at Sophos, told eWEEK. If the browser recognizes the company that signed the certificate, it doesn’t block the page because it can’t tell if the certificate is not legitimate.
DigiNotar, a Dutch certificate authority, noticed that its servers were compromised in mid-July. Even though the company initially claimed that only “dozens” of fake certificates had been issued and most of them had been revoked, it was later reported that the company did not know the extent of the problem and that it could be as many as 263 certificates. It was clear by this point that DigiNotar performed “no logging” to track certificates being created, Roel Schouwenberg, senior researcher at Kaspersky Lab, told eWEEK.
According to a preliminary audit report from Fox-IT, a digital forensics firm brought in to investigate the DigiNotar breach, the attackers had acquired 531 certificates in all, including the ones used by the Dutch government, the CIA, MI6, Mossad, Microsoft, Skype, Mozilla, Facebook, AOL, WordPress and Twitter. A complete list is available on the Tor Project’s Website. The report also revealed that DigiNotar had been unaware of the intrusion for approximately a month, as the initial compromised had occurred in June.
“It’s game over for DigiNotar. Very soon they will officially no longer be a valid entity to issue certificates,” Andrew Storms, director of security operations for nCircle, told eWEEK.
Apple Needs to Respond to Danger
Schouwenberg was concerned how “deep this attack may have run.” On Sept. 6, a user claiming to be behind the earlier attack on New Jersey-based certificate authority Comodo posted a note on text-sharing site Pastebin claiming responsibility for the DigiNotar breach as well as four other high-profile CAs, including GlobalSign. The alleged attacker claimed to still have the ability to issue rogue certificates from the other CAs.
Google and Mozilla have already updated their browsers to block all DigiNotar certificates. Google shipped a new version of Chrome on Sept. 3, and Mozilla updated both Firefox 6 and Firefox 3.6 on Sept. 6. Mozilla’s Director of Firefox Engineering Johnathan Nightingale said the removal was “not a temporary suspension,” but a “complete” one.
“Complete revocation of trust is a decision we treat with careful consideration, and employ as a last resort,” wrote Nightingale in a blog post on Sept. 2.
As is characteristic of Apple whenever there is a security issue, the company has yet to warn its users or act. “I know you [Apple] don’t like to talk about security, but now would be a great time to show you care” and protect users, Wisniewski said to Apple.
Since Microsoft has issued the update to all supported versions of Windows, including Windows XP and Windows 2003, all Windows users “will no longer be presented with the dangerous option” of mistakenly overriding the suspicious SSL certificate warning, Wisniewski told eWEEK over email. He recommended that Mac OS X users use BootCamp and Windows 7 to browse the Web or use Firefox. Chrome uses the KeyChain to validate certificates on Mac OS X, making it vulnerable to the same issue as Safari, Wisniewski said.
The update will be automatically downloaded and installed on machines that have Automatic Update enabled, Microsoft said in the security advisory. However, the company is checking the PC’s geographic location before downloading the update to delay pushing the changes to its Dutch customers. Once the certificates are blocked, users will be unable to access a lot of the Websites that have legitimate SSL certificates signed by DigiNotar, such as various Dutch government and business Websites. The one-week delay would give the Dutch government time to obtain new certificates from some other “more trustworthy” certificate authority, Wisniewski said.
“At the explicit request of the Dutch government, Microsoft will delay deployment of this update in the Netherlands for one week to give the government time to replace certificates,” Dave Forstrom, a director in Microsoft’s Trustworthy Computing group, said in a blog post today. Dutch user can still manually update by going to the country-specific Windows Update site, Forstrom said.