DigiNotar certificates are pulled, but not on smartphones

Neither Google nor Apple have announced plans to revoke certificates issued by DigiNotar in their smartphone OSes

Browser makers have generally been quick to react to the computer compromise at digital certificate issuer DigiNotar, but that hasn't been the case for all mobile phone makers.

On Tuesday neither Google nor Apple would comment on whether they plan to revoke certificates issued by DigiNotar for Android or the iPhone, even as desktop software makers pulled the plug on the Dutch company's certificates.

Apple hasn't said anything about the DigiNotar situation since it was disclosed last week, but Google was quick to revoke the company's certificates for its Chrome browser last week. Its silence Tuesday spoke to the complexity of its situation as both a victim of the attacks and a provider of the software that can thwart them. The problem is that Google's Android phones are updated via mobile phone carriers, companies that are typically much slower to issue patches than PC software vendors such as Microsoft.

Google needs to work carefully with carriers before they can push out patches, said Marsh Ray, a senior software engineer with online authentication vendor PhoneFactor. "What if the carrier's only payment method is a Web page using a certificate signed by DigiNotar?" he said in an instant message interview. "It would be disaster if Google pushed such an update blindly."

Developers on the unofficial community Android distribution, Cyanogenmod, expressed similar reservations in their discussion forum. Worried about the possible fallout, they were initially reluctant to push out an update that revoked DigiNotar's certificates, but they changed their mind as the seriousness of the situation became clear.

Apple issues its patches directly to iPhone users, but it too must be sure to keep its carrier partners happy.

The lack of patches raises questions for mobile phone users in Iran, who may not be able to tell who they should trust on the Internet. Iranian users were the target of the DigiNotar hack, and as many as 300,000 of them have been directed to fake websites that used the bogus certificates, forensic auditors investigating the incident reported Monday.

The digital break-in seems to have been a data-gathering expedition, designed to steal Gmail messages and other information.

In fact, the hackers who broke into DigiNotar issued hundreds of digital certificates, including one for Google.com, which allowed them to take a first step in tricking Internet users into believing that one of their servers actually belonged to Google. The second step is to take control of the network's Domain Name System (DNS) and direct users to the fake site whenever they type in the Google.com address.

Microsoft's Windows Phone software does not include DigiNotar in its list of trusted certificate authorities and that appears to be the case on at least some BlackBerry phones as well. As was the case with their smart-phone competitors, neither Microsoft nor Research In Motion could answer questions on this topic Tuesday.

Roel Schouwenberg, a security researcher with antivirus vendor Kaspersky Lab is distrurbed by Google's silence, in particular, on the matter, because Google was one of the first companies to patch its Web browser. "The fact that google on the one hand has been very proactive while at the same time keeping radio silence about any update for Android is very worrisome," he said.

He said that the fact that Google must rely on mobile carriers to push out its patches could become a bigger problem as more attacks against phones surface. "Can you imagine if HP or Dell laptops received Windows updates one or two months after they were published for the general public?"

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is robert_mcmillan@idg.com

Join the CSO newsletter!

Error: Please check your email address.

Tags Appleconsumer electronicsGooglesecuritysmartphonesDigiNotar

More about AppleBlackBerryDellDell ComputeretworkGoogleHewlett-Packard AustraliaHPIDGKasperskyKasperskyMarshMicrosoftMotionResearch In Motion

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Robert McMillan

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts