Digital certificate authority suspends ops following breach
Hackers access database, gain control over website
Websites belonging to a Netherlands-based issuer of digital certificates were unavailable following reports that hackers had penetrated their security and accessed databases that should have been off limits.
Dutch telecommunications giant KPN issued a statement (translation here) that said it had temporarily shut the website of its Gemnet subsidiary while it investigated the hack. A second website belonging to a KPN subsidiary that issues digital certificates to the Dutch government was also taken down.
The breach, which was first reported by Webwereld journalist Brenno de Winter, is the latest to compromise one of the several hundred online businesses authorized to mint the digital certificates that millions of websites, government networks and corporate networks rely on to shield communications from eavesdroppers. In August, another Netherlands-based certificate authority, DigiNotar, also suspended operations after it issued a fraudulent secure sockets layer (SSL) certificate for Google.
DigiNotar eventually went bankrupt after an investigation revealed that shoddy security led to the issuance of dozens of counterfeit credentials, including one for Google Mail that was used to target more than 300,000 people accessing their Gmail accounts.
A half-dozen or so other authorities are also known to have suffered security breaches in the past year or so. One of them happened last month to KPN Corporate Market, which is owned by the same Netherlands-based firm that operates Gemnet.
According to de Winter's report on Webwereld, a hacker broke into a Gemnet database after exploiting poor password policies on its phpMyAdmin server. As a result, attackers were not only able to access all documents stored on the machine, but also to take control of it. The article said the hacker came forward to prevent the kind of debacle DigiNotar created, but "he has also found evidence that he is not the first person who has gained access to the systems."
In its statement, KPN said there was no connection between the possible website breach and the issuance of digital certificates. It appears that the only content available in the database was the information visible to website visitors, the company said. It said it decided to temporarily close the website out of an abundance of caution.
Representatives of Microsoft, Mozilla, and Google, makers of the world's three most widely used browsers, said security personnel are investigating the reports to learn if end users are at risk. This article will be updated if they respond with their findings.
The breach is being investigated by the Dutch government, IT World reported. Both Gemnet and Gemnet CSP provide digital certificates to the Dutch government, the publication said. ®
Did you bother to read the article, or did you just respond based on the headline? So far, there isn't any evidence of sloppiness with certificates. A publicly accessible web server was hacked, and, as a precaution, they've taken all of their websites offline.
If you punish companies for being open about the fact that they're investigating to see if there really has been a breach, then you'll be encouraging them to act like DigiNotar, and keep things under wraps as long as possible!
Small companies should roll their own...
I represent a small company and one of the things I do for customers is hosting. All my servers use the Webmin control panel, which I've become extremely fond of:
Open source, free to use, supports quite a share of environments and it's very versatile. The best part is that it can grok manually set configuration schemes (to a certain extent) and fully support those. Wonderful stuff.
Naturally, because this is private traffic, all of my servers utilize encrypted connections (for webmin (control panel), usermin (webmail) as well as horde (idem)). I also like to sign some of my Word documents (not so much for privacy concerns but more to prevent (accidental) changes) as well as some VBA macros (same reason).
Not only would such an environment be very costly (especially for a low/mid ranged firm) but one can also wonder what the added value is to get an 'official' certificate when all you're after is encryption.
So my company simply uses a self-signed company certificate (long live openssl!) which is used to sign several of the certificates I mention above. New customers get a welcome letter as well as a copy of said root certificate with the request to install this on their main computer.
Naturally also explaining why we're doing this and carefully explaining that this isn't a requirement but it will make accessing our services a little more pleasant. Most of my customers are fully understanding and think it's a very good setup. After all, all they need to do in Windows is click on the certificate and follow the things Windows is telling them.
And because the machine which issues said certificate isn't connected to the Internet in any way the chances of it getting overrun are slim. Heck; there isn't even much reason to try and overrun it because the only people using said certificate are our customers and support staff. Not a large crowd so to say...
Cheaper, (IMO:) more secure, easier for the customers and most of all: you achieve the same results which are very likely more reliable as well.
DANE/DNSSEC better, but far from perfect
DANE relies upon DNSSEC to carry signatures to authenticate entities identifiable through a domain name. Security will still depend on the integrity of purpose and procedures of domain registries and TLDs, which will effectively become the new breed of CA. A corrupt or insecure registrar capable of issuing .com names will still be able to compromise any .com site, but under DNSSEC they won't be able to compromise domain names not ending in .com . That makes it better than the current CA system, but still has major issues, e.g. someone who doesn't spot that they are connecting to microsfot.com instead of microsoft.com will still be vulnerable, assuming the typosquatter is allowed to register such a name.
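The two comments above describe two ways of cutting the public CAs out of the loop: a private root that customers install by hand, and a DANE TLSA record that pins the server key in DNSSEC-signed DNS. The script below is an added example (not code from the article, from The Register, or from either commenter) that does both with plain OpenSSL: it builds a self-signed root, issues a server certificate from it, shows that a client trusting only that root rejects a certificate for the same name from any other issuer, and derives the TLSA 3 1 1 record for the server key and checks a presented certificate against it. The company name, hostname (www.example.test) and file locations are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the article or its commenters. Assumed names: "Example Co"
# and www.example.test. Files are written to a temporary directory.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Minimal OpenSSL config so the example does not depend on the system openssl.cnf.
# The subject is always passed with -subj, so the [dn] section stays empty.
cat >"$WORK/openssl.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Self-signed root. In real use root.key lives on the never-networked machine the
# commenter describes; only root.crt is handed to customers to install.
make_root() {
    openssl req -x509 -config "$WORK/openssl.cnf" -extensions ca_ext \
        -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Co Private Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
}

# Server certificate for host $1, signed by the root. Writes $WORK/$1.key and $WORK/$1.crt.
issue_cert() {
    host="$1"
    openssl req -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$host" -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
    cat >"$WORK/$host.ext" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    openssl x509 -req -sha256 -days 825 -in "$WORK/$host.csr" \
        -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
        -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" 2>/dev/null
}

# A certificate for the same name from some other issuer (here simply self-signed
# with a fresh key): a stand-in for what a compromised public CA could mint.
make_rogue_cert() {
    host="$1"
    openssl req -x509 -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 30 -subj "/CN=$host" \
        -keyout "$WORK/rogue-$host.key" -out "$WORK/rogue-$host.crt" 2>/dev/null
}

# Verdict of a client whose only trust anchor is root.crt. Prints OK or FAIL.
verify_cert() {
    if openssl verify -CAfile "$WORK/root.crt" "$1" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# SHA-256 over the DER SubjectPublicKeyInfo of certificate $1: the payload of a
# TLSA record with selector 1 (SPKI) and matching type 1 (SHA-256).
spki_sha256() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# DANE record for hostname $1 and certificate $2. Usage 3 (DANE-EE) means "this key,
# no CA involved"; the record only means something once the zone is DNSSEC-signed.
tlsa_record() {
    echo "_443._tcp.$1. IN TLSA 3 1 1 $(spki_sha256 "$2")"
}

# What a DANE-aware client does: compare the presented key ($3) with the record ($2).
# Prints MATCH or MISMATCH.
tlsa_matches() {
    published=$(printf '%s\n' "$2" | awk '{print $NF}')
    if [ "$published" = "$(spki_sha256 "$3")" ]; then echo MATCH; else echo MISMATCH; fi
}

HOST=www.example.test
make_root
issue_cert "$HOST"
make_rogue_cert "$HOST"
RECORD=$(tlsa_record "$HOST" "$WORK/$HOST.crt")
echo "$RECORD"
echo "own cert:   verify=$(verify_cert "$WORK/$HOST.crt") dane=$(tlsa_matches "$HOST" "$RECORD" "$WORK/$HOST.crt")"
echo "rogue cert: verify=$(verify_cert "$WORK/rogue-$HOST.crt") dane=$(tlsa_matches "$HOST" "$RECORD" "$WORK/rogue-$HOST.crt")"
```

The own certificate passes both checks and the rogue one fails both, which is the whole point of each scheme: the private root removes every public CA from the trust decision, and the TLSA record removes the CA as well but, as the last comment says, only shifts the trust to whoever controls the DNSSEC chain above the name. Note that mainstream browsers do not validate TLSA records themselves, so the DANE check has to be done by the client software or its resolver.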