Feeds

World ostracizes firm that issued bogus Google credential

DigiNotar says it was breached ... but little else

The Essential Guide to IT Transformation

A counterfeit credential authenticating Gmail and other sensitive Google services was the result of a network intrusion suffered by DigiNotar, the parent company of the Netherlands-based certificate authority said in a press release that raised disturbing new questions about security on the internet.

Tuesday's disclosure by Chicago-based Vasco Data Security came as a growing roster of companies updated their software products to prevent them from trusting certificates issued by DigiNotar. At least one of them cited reports that the fraudulent certificate that came to light on Monday was used to spy on the electronic communications of people in Iran.

Vasco said in its statement that on July 19 it detected a breach of DigiNotar's certificate authority system resulted in fraudulent secure sockets layer certificates being issued for a “number of domains, including Google.com.” The statement didn't specify the names or number of the additional domains, and representatives from both Vasco and DigiNotar didn't respond to emails seeking those details. An update to Google's Chrome browser suggests the breach may involve as many as 247 bogus certificates.

“The attack was targeted solely at DigiNotar's certificate authority infrastructure for issuing SSL and EVSSL certificates,” the statement read. The company has suspended certificate services pending additional security audits by third-party firms.

An earlier audit following the breach unearthed the issuance of counterfeit certificates used by banking, email, and other sensitive services to cryptographically prove their sites are authentic rather than forgeries. DigiNotar believed that all fraudulent certificates had been revoked, but Monday's discovery of a valid certificate authenticating Gmail, Google Docs, and other sensitive services was dramatic proof to the contrary.

According to an post on a Google support forum, the wildcard certificate for *.google.com was presented to users of ParsOnline and other Iranian ISPs when they accessed Gmail. A Google spokesman said company researchers have verified the claims.

"We have confirmed an attempted man-in-the-middle attack on users, particularly in Iran, using a fraudulent SSL certificate issued by DigiNotar," the spokesman wrote in an email. He declined to say what additional evidence the researchers relied on. It's difficult to know how many Google users were affected, he added.

In a post published on Monday, Google repeated the claim Iranians were targeted by the forgery and warned them to take precautions.

“To help deter unwanted surveillance, we recommend that users, especially those in Iran, keep their web browsers and operating systems up to date and pay attention to web browser security warnings,” Heather Adkins, Google's information security manager, wrote in the post.

Microsoft, Google, and Mozilla also prepared updates that prevented their software from trusting certificates signed by DigiNotar. Microsoft's changes take immediate effect for users of Vista and later operating systems. Users of Windows XP will have to wait for a software update. Fixes from Google and Mozilla involve fixes to the Chrome and Firefox browsers and the Thunderbird and SeaMonkey email programs.

Apple has yet to warn its users of the risk or say how it plans to respond. Its Safari accounts for about 5 percent of the worldwide browser market.

Bogus cert flagged by Google-baked protection

Google's Adkins said that a protection recently added to the Chrome browser helped end users detect the fraudulent certificate even though it was signed by a trusted authority. The Google-created feature is known as pinning, and offers an additional layer of security by checking a cryptographic hash of an SSL certificate's public key. It works only when Chrome users are visiting Google websites, although the browser may consider adding “large, high security” sites, according to this post, which offers additional technical details.

Tuesday's statement from Vasco is troubling because of the crucial information it omits. If an earlier audit failed to spot the wildcard Google certificate, what other forgeries that should stick out like a sore thumb have gone unnoticed? And if the intrusion of DigiNotar's systems was detected on July 19, why didn't the company issue warnings earlier so software companies could blacklist them from their products?

A spokesman for DigiNotar told The Register that it would “be difficult” for him to respond to questions about the security breach and the resulting effects it has on end users. This only seems to reinforce the notion that CAs see themselves as too big to fail and aren't accountable to end users. So for now, users would be well-served by removing DigiNotar's root-signing key from all applications they use to access the internet.

Mozilla has provided instructions here for purging the key from Firefox, and the process is almost identical for Thunderbird. Those using Opera, Safari and other programs not mentioned in this article are invited to leave directions for disabling DigiNotar in the comments section below. ®

This article was updated to add comment from Google.

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.