Feeds

World ostracizes firm that issued bogus Google credential

DigiNotar says it was breached ... but little else

High performance access to file storage

A counterfeit credential authenticating Gmail and other sensitive Google services was the result of a network intrusion suffered by DigiNotar, the parent company of the Netherlands-based certificate authority said in a press release that raised disturbing new questions about security on the internet.

Tuesday's disclosure by Chicago-based Vasco Data Security came as a growing roster of companies updated their software products to prevent them from trusting certificates issued by DigiNotar. At least one of them cited reports that the fraudulent certificate that came to light on Monday was used to spy on the electronic communications of people in Iran.

Vasco said in its statement that on July 19 it detected a breach of DigiNotar's certificate authority system resulted in fraudulent secure sockets layer certificates being issued for a “number of domains, including Google.com.” The statement didn't specify the names or number of the additional domains, and representatives from both Vasco and DigiNotar didn't respond to emails seeking those details. An update to Google's Chrome browser suggests the breach may involve as many as 247 bogus certificates.

“The attack was targeted solely at DigiNotar's certificate authority infrastructure for issuing SSL and EVSSL certificates,” the statement read. The company has suspended certificate services pending additional security audits by third-party firms.

An earlier audit following the breach unearthed the issuance of counterfeit certificates used by banking, email, and other sensitive services to cryptographically prove their sites are authentic rather than forgeries. DigiNotar believed that all fraudulent certificates had been revoked, but Monday's discovery of a valid certificate authenticating Gmail, Google Docs, and other sensitive services was dramatic proof to the contrary.

According to an post on a Google support forum, the wildcard certificate for *.google.com was presented to users of ParsOnline and other Iranian ISPs when they accessed Gmail. A Google spokesman said company researchers have verified the claims.

"We have confirmed an attempted man-in-the-middle attack on users, particularly in Iran, using a fraudulent SSL certificate issued by DigiNotar," the spokesman wrote in an email. He declined to say what additional evidence the researchers relied on. It's difficult to know how many Google users were affected, he added.

In a post published on Monday, Google repeated the claim Iranians were targeted by the forgery and warned them to take precautions.

“To help deter unwanted surveillance, we recommend that users, especially those in Iran, keep their web browsers and operating systems up to date and pay attention to web browser security warnings,” Heather Adkins, Google's information security manager, wrote in the post.

Microsoft, Google, and Mozilla also prepared updates that prevented their software from trusting certificates signed by DigiNotar. Microsoft's changes take immediate effect for users of Vista and later operating systems. Users of Windows XP will have to wait for a software update. Fixes from Google and Mozilla involve fixes to the Chrome and Firefox browsers and the Thunderbird and SeaMonkey email programs.

Apple has yet to warn its users of the risk or say how it plans to respond. Its Safari accounts for about 5 percent of the worldwide browser market.

Bogus cert flagged by Google-baked protection

Google's Adkins said that a protection recently added to the Chrome browser helped end users detect the fraudulent certificate even though it was signed by a trusted authority. The Google-created feature is known as pinning, and offers an additional layer of security by checking a cryptographic hash of an SSL certificate's public key. It works only when Chrome users are visiting Google websites, although the browser may consider adding “large, high security” sites, according to this post, which offers additional technical details.

Tuesday's statement from Vasco is troubling because of the crucial information it omits. If an earlier audit failed to spot the wildcard Google certificate, what other forgeries that should stick out like a sore thumb have gone unnoticed? And if the intrusion of DigiNotar's systems was detected on July 19, why didn't the company issue warnings earlier so software companies could blacklist them from their products?

A spokesman for DigiNotar told The Register that it would “be difficult” for him to respond to questions about the security breach and the resulting effects it has on end users. This only seems to reinforce the notion that CAs see themselves as too big to fail and aren't accountable to end users. So for now, users would be well-served by removing DigiNotar's root-signing key from all applications they use to access the internet.

Mozilla has provided instructions here for purging the key from Firefox, and the process is almost identical for Thunderbird. Those using Opera, Safari and other programs not mentioned in this article are invited to leave directions for disabling DigiNotar in the comments section below. ®

This article was updated to add comment from Google.

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.