DigiNotar’s intermediaries issued fraudulent certificates too, says director of Firefox engineering.
The impact of the breach of Dutch Secure Sockets Layer (SSL) certificate authority (CA) DigiNotar has widened as Dutch authorities confirm that the government’s own certificate program was also compromised in the attack, likely meaning a massive clean-up job for its websites.
Mozilla extended its ban on DigiNotar certificates over the weekend to those issued by the company under the Dutch government’s certificate authority program, PKIoverheid.
At the request of the Dutch Government, Mozilla had exempted DigiNotar certificates issued under PKIoverheid from its DigiNotar blacklist because the nation’s computer emergency response team (GovCERT) assured Mozilla this particular system was not compromised.
“The Dutch government has since audited DigiNotar’s performance and rescinded this assessment,” Mozilla’s director of Firefox engineering Jonathan Nightingale said on Friday.
“We are now removing the exemption for these certificates, meaning that all DigiNotar certificates will be untrusted by Mozilla products.”
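The chain check below is an added illustration, not code from the article, Mozilla or DigiNotar, of why the exemption had to go: the PKIoverheid intermediate chains to a government root that stays trusted, so blocking only the DigiNotar root never catches it, and the distrust list has to be applied at every link of the chain. All certificate names and fingerprints are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    fingerprint: str  # constructed placeholder label, not a real hash


# Constructed sample certificates; names and fingerprints are illustrative only.
DIGINOTAR_ROOT = Cert("DigiNotar Root CA", "DigiNotar Root CA", "fp-diginotar-root")
DIGINOTAR_SUB = Cert("DigiNotar Public CA", "DigiNotar Root CA", "fp-diginotar-sub")
STAAT_ROOT = Cert("Staat der Nederlanden Root CA", "Staat der Nederlanden Root CA", "fp-staat-root")
PKIOVERHEID_SUB = Cert("DigiNotar PKIoverheid CA", "Staat der Nederlanden Root CA", "fp-pkioverheid-sub")
COMMERCIAL_LEAF = Cert("www.example.com", "DigiNotar Public CA", "fp-leaf-commercial")
GOV_LEAF = Cert("www.example-gov.nl", "DigiNotar PKIoverheid CA", "fp-leaf-gov")

# Both roots remain in the trust store; only the distrust list changes.
TRUSTED_ROOTS = {DIGINOTAR_ROOT.fingerprint, STAAT_ROOT.fingerprint}
# With the PKIoverheid exemption: only the DigiNotar root is blocked.
DISTRUST_WITH_EXEMPTION = {DIGINOTAR_ROOT.fingerprint}
# After the exemption was removed: every DigiNotar-operated CA is blocked.
DISTRUST_FULL = {DIGINOTAR_ROOT.fingerprint, PKIOVERHEID_SUB.fingerprint}

COMMERCIAL_CHAIN = [COMMERCIAL_LEAF, DIGINOTAR_SUB, DIGINOTAR_ROOT]
GOV_CHAIN = [GOV_LEAF, PKIOVERHEID_SUB, STAAT_ROOT]


def validate_chain(chain, trusted_roots, distrusted):
    """Walk a leaf-first chain and return (ok, reason).

    Every certificate, not just the root, is compared against the
    distrust list, so a blocked intermediate fails the chain even
    when the root it hangs off is still trusted.
    """
    if not chain:
        return False, "empty chain"
    for cert, parent in zip(chain, chain[1:]):
        if cert.issuer != parent.subject:
            return False, f"broken link: {cert.subject} not issued by {parent.subject}"
    for cert in chain:
        if cert.fingerprint in distrusted:
            return False, f"distrusted CA in chain: {cert.subject}"
    root = chain[-1]
    if root.subject != root.issuer or root.fingerprint not in trusted_roots:
        return False, f"chain does not end at a trusted root: {root.subject}"
    return True, "ok"


if __name__ == "__main__":
    for policy_name, policy in (("with exemption", DISTRUST_WITH_EXEMPTION), ("full distrust", DISTRUST_FULL)):
        for label, chain in (("commercial", COMMERCIAL_CHAIN), ("PKIoverheid", GOV_CHAIN)):
            print(policy_name, label, validate_chain(chain, TRUSTED_ROOTS, policy))
```

Under the exemption the government chain still validates while the commercial DigiNotar chain is rejected; once the intermediate is on the list, both fail.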
Nightingale added that the attackers had issued certificates from another DigiNotar intermediary without proper logging.
“It is therefore impossible for us to know how many fraudulent certificates exist, or which sites are targeted,” he said.
He emphasised that the attacks using fraudulent SSL certificates were “not theoretical” and that DigiNotar had confirmed that over 200 certificates were fraudulently issued against 20 different domains.
“We have received multiple reports of these certificates being used in the wild,” he said.
DigiNotar has been widely criticised for failing to disclose the breach until six weeks after it discovered it and for being unclear about the true extent of potential damage.
“The integrity of the SSL system cannot be maintained in secrecy. Incidents like this one demonstrate the need for active, immediate and comprehensive communication between CAs and software vendors to keep our collective users safe online,” said Nightingale.
The discovery that DigiNotar’s processes under the Dutch Government’s scheme were compromised will cause it big headaches, according to Kaspersky Lab antivirus researcher Roel Schouwenberg.
“A lot of Dutch government sites and services are going to be affected by the revocation. Clean-up is going to be painful,” he said.
“The Dutch government has used DigiNotar as an intermediary CA in quite a lot of cases.”