Feeds

World ostracizes firm that issued bogus Google credential

DigiNotar says it was breached ... but little else

5 things you didn’t know about cloud backup

A counterfeit credential authenticating Gmail and other sensitive Google services was the result of a network intrusion suffered by DigiNotar, the parent company of the Netherlands-based certificate authority said in a press release that raised disturbing new questions about security on the internet.

Tuesday's disclosure by Chicago-based Vasco Data Security came as a growing roster of companies updated their software products to prevent them from trusting certificates issued by DigiNotar. At least one of them cited reports that the fraudulent certificate that came to light on Monday was used to spy on the electronic communications of people in Iran.

Vasco said in its statement that on July 19 it detected a breach of DigiNotar's certificate authority system resulted in fraudulent secure sockets layer certificates being issued for a “number of domains, including Google.com.” The statement didn't specify the names or number of the additional domains, and representatives from both Vasco and DigiNotar didn't respond to emails seeking those details. An update to Google's Chrome browser suggests the breach may involve as many as 247 bogus certificates.

“The attack was targeted solely at DigiNotar's certificate authority infrastructure for issuing SSL and EVSSL certificates,” the statement read. The company has suspended certificate services pending additional security audits by third-party firms.

An earlier audit following the breach unearthed the issuance of counterfeit certificates used by banking, email, and other sensitive services to cryptographically prove their sites are authentic rather than forgeries. DigiNotar believed that all fraudulent certificates had been revoked, but Monday's discovery of a valid certificate authenticating Gmail, Google Docs, and other sensitive services was dramatic proof to the contrary.

According to an post on a Google support forum, the wildcard certificate for *.google.com was presented to users of ParsOnline and other Iranian ISPs when they accessed Gmail. A Google spokesman said company researchers have verified the claims.

"We have confirmed an attempted man-in-the-middle attack on users, particularly in Iran, using a fraudulent SSL certificate issued by DigiNotar," the spokesman wrote in an email. He declined to say what additional evidence the researchers relied on. It's difficult to know how many Google users were affected, he added.

In a post published on Monday, Google repeated the claim Iranians were targeted by the forgery and warned them to take precautions.

“To help deter unwanted surveillance, we recommend that users, especially those in Iran, keep their web browsers and operating systems up to date and pay attention to web browser security warnings,” Heather Adkins, Google's information security manager, wrote in the post.

Microsoft, Google, and Mozilla also prepared updates that prevented their software from trusting certificates signed by DigiNotar. Microsoft's changes take immediate effect for users of Vista and later operating systems. Users of Windows XP will have to wait for a software update. Fixes from Google and Mozilla involve fixes to the Chrome and Firefox browsers and the Thunderbird and SeaMonkey email programs.

Apple has yet to warn its users of the risk or say how it plans to respond. Its Safari accounts for about 5 percent of the worldwide browser market.

Bogus cert flagged by Google-baked protection

Google's Adkins said that a protection recently added to the Chrome browser helped end users detect the fraudulent certificate even though it was signed by a trusted authority. The Google-created feature is known as pinning, and offers an additional layer of security by checking a cryptographic hash of an SSL certificate's public key. It works only when Chrome users are visiting Google websites, although the browser may consider adding “large, high security” sites, according to this post, which offers additional technical details.

Tuesday's statement from Vasco is troubling because of the crucial information it omits. If an earlier audit failed to spot the wildcard Google certificate, what other forgeries that should stick out like a sore thumb have gone unnoticed? And if the intrusion of DigiNotar's systems was detected on July 19, why didn't the company issue warnings earlier so software companies could blacklist them from their products?

A spokesman for DigiNotar told The Register that it would “be difficult” for him to respond to questions about the security breach and the resulting effects it has on end users. This only seems to reinforce the notion that CAs see themselves as too big to fail and aren't accountable to end users. So for now, users would be well-served by removing DigiNotar's root-signing key from all applications they use to access the internet.

Mozilla has provided instructions here for purging the key from Firefox, and the process is almost identical for Thunderbird. Those using Opera, Safari and other programs not mentioned in this article are invited to leave directions for disabling DigiNotar in the comments section below. ®

This article was updated to add comment from Google.

The essential guide to IT transformation

More from The Register

next story
One HUNDRED FAMOUS LADIES exposed NUDE online
Celebrity women victimised as Apple iCloud accounts reportedly popped
Rubbish WPS config sees WiFi router keys popped in seconds
Another day, another way in to your home router
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NZ Justice Minister scalped as hacker leaks emails
Grab your popcorn: Subterfuge and slur disrupts election run up
HP: NORKS' cyber spying efforts actually a credible cyberthreat
'Sophisticated' spies, DIY tech and a TROLL ARMY – report
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?