Feeds

World ostracizes firm that issued bogus Google credential

DigiNotar says it was breached ... but little else

The Power of One eBook: Top reasons to choose HP BladeSystem

A counterfeit credential authenticating Gmail and other sensitive Google services was the result of a network intrusion suffered by DigiNotar, the parent company of the Netherlands-based certificate authority said in a press release that raised disturbing new questions about security on the internet.

Tuesday's disclosure by Chicago-based Vasco Data Security came as a growing roster of companies updated their software products to prevent them from trusting certificates issued by DigiNotar. At least one of them cited reports that the fraudulent certificate that came to light on Monday was used to spy on the electronic communications of people in Iran.

Vasco said in its statement that on July 19 it detected a breach of DigiNotar's certificate authority system resulted in fraudulent secure sockets layer certificates being issued for a “number of domains, including Google.com.” The statement didn't specify the names or number of the additional domains, and representatives from both Vasco and DigiNotar didn't respond to emails seeking those details. An update to Google's Chrome browser suggests the breach may involve as many as 247 bogus certificates.

“The attack was targeted solely at DigiNotar's certificate authority infrastructure for issuing SSL and EVSSL certificates,” the statement read. The company has suspended certificate services pending additional security audits by third-party firms.

An earlier audit following the breach unearthed the issuance of counterfeit certificates used by banking, email, and other sensitive services to cryptographically prove their sites are authentic rather than forgeries. DigiNotar believed that all fraudulent certificates had been revoked, but Monday's discovery of a valid certificate authenticating Gmail, Google Docs, and other sensitive services was dramatic proof to the contrary.

According to an post on a Google support forum, the wildcard certificate for *.google.com was presented to users of ParsOnline and other Iranian ISPs when they accessed Gmail. A Google spokesman said company researchers have verified the claims.

"We have confirmed an attempted man-in-the-middle attack on users, particularly in Iran, using a fraudulent SSL certificate issued by DigiNotar," the spokesman wrote in an email. He declined to say what additional evidence the researchers relied on. It's difficult to know how many Google users were affected, he added.

In a post published on Monday, Google repeated the claim Iranians were targeted by the forgery and warned them to take precautions.

“To help deter unwanted surveillance, we recommend that users, especially those in Iran, keep their web browsers and operating systems up to date and pay attention to web browser security warnings,” Heather Adkins, Google's information security manager, wrote in the post.

Microsoft, Google, and Mozilla also prepared updates that prevented their software from trusting certificates signed by DigiNotar. Microsoft's changes take immediate effect for users of Vista and later operating systems. Users of Windows XP will have to wait for a software update. Fixes from Google and Mozilla involve fixes to the Chrome and Firefox browsers and the Thunderbird and SeaMonkey email programs.

Apple has yet to warn its users of the risk or say how it plans to respond. Its Safari accounts for about 5 percent of the worldwide browser market.

Bogus cert flagged by Google-baked protection

Google's Adkins said that a protection recently added to the Chrome browser helped end users detect the fraudulent certificate even though it was signed by a trusted authority. The Google-created feature is known as pinning, and offers an additional layer of security by checking a cryptographic hash of an SSL certificate's public key. It works only when Chrome users are visiting Google websites, although the browser may consider adding “large, high security” sites, according to this post, which offers additional technical details.

Tuesday's statement from Vasco is troubling because of the crucial information it omits. If an earlier audit failed to spot the wildcard Google certificate, what other forgeries that should stick out like a sore thumb have gone unnoticed? And if the intrusion of DigiNotar's systems was detected on July 19, why didn't the company issue warnings earlier so software companies could blacklist them from their products?

A spokesman for DigiNotar told The Register that it would “be difficult” for him to respond to questions about the security breach and the resulting effects it has on end users. This only seems to reinforce the notion that CAs see themselves as too big to fail and aren't accountable to end users. So for now, users would be well-served by removing DigiNotar's root-signing key from all applications they use to access the internet.

Mozilla has provided instructions here for purging the key from Firefox, and the process is almost identical for Thunderbird. Those using Opera, Safari and other programs not mentioned in this article are invited to leave directions for disabling DigiNotar in the comments section below. ®

This article was updated to add comment from Google.

The Power of One eBook: Top reasons to choose HP BladeSystem

More from The Register

next story
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.