

Diginotar confirms security breach - dendory
http://www.vasco.com/company/press_room/news_archive/2011/news_diginotar_reports_security_incident.aspx

======
blauwbilgorgel
[http://www.diginotar.nl/Actueel/tabid/264/articleType/Articl...](http://www.diginotar.nl/Actueel/tabid/264/articleType/ArticleView/articleId/327/Default.aspx)

[http://translate.google.com/translate?hl=en&sl=auto&...](http://translate.google.com/translate?hl=en&sl=auto&tl=en&u=http://www.diginotar.nl/Actueel/tabid/264/articleType/ArticleView/articleId/327/Default.aspx)

Incompetence doesn't begin to describe this statement. They say: Your browser
might throw some warnings when communicating with government services. In
99.9% of the cases this is a false alarm and you can safely ignore it.

By own accord 1 in a 1000 (of 9 million users) can get MitM'ed and yet you
teach people that it is safe to ignore it... They appear to use the same audit
company from last time.

The Consumentbond already tells people to expect warnings and ignore them, for
they have not been hacked, but merely experience a temporary "browser issue".
Reports of DigiD helpdesk telling people to ignore warnings, lower security
settings or place the site in "trusted sites".

~~~
tripzilch
> The Consumentbond already tells people to expect warnings and ignore them,
> for they have not been hacked, but merely experience a temporary "browser
> issue". Reports of DigiD helpdesk telling people to ignore warnings, lower
> security settings or place the site in "trusted sites".

Isn't that because Mozilla also blocked certs used by the Dutch gov (which
DigiD uses I suppose), which aren't actually compromised?

I read that in a new update they'll unblock the Dutch gov certs though.

Still never a good idea to teach people to ignore warnings, especially not on
a site like DigiD.

------
rdl
"VASCO does not expect that the DigiNotar security incident will have a
significant impact on the company’s future revenue or business plans."

Anything less than termination of the DigiNotar business and paying for a real
third-party equivalent SSL cert of equivalent length for all affected
customers who have ever been issued DigiNotar certs, plus compensation for the
cost of rekeying, should result in action against VASCO (the parent company).
It's obvious they don't take the SSL cert business seriously, and it's a small
part of their revenue, so they need to just exit it.

~~~
tptacek
They're probably right. VASCO's core products and DigiNotar's appear to be
separate BUs (they don't even share IT infrastructure according to the press
release). And even within DigiNotar, the SSL CA appears to be an afterthought;
VASCA says it did less than $100k EU last year.

Yes, this does beg the question of why an organization like DigiNotar was
allowed to be a browser CA root.

~~~
Maxious
To get a better understanding of how DigiNotar operated, have a look at the
Mozilla bug for their CA inclusion:
<https://bugzilla.mozilla.org/show_bug.cgi?id=369357>

~~~
joshu
I read through this, but I didn't understand enough. It seemed like they were
new to this - what did I miss?

~~~
rdl
That it is kind of absurd that the lives of Iranian dissidents depend on this
relationship between browser developers and incompetent bid dumb organizations
asserting trustworthiness and competence, IMO.

Having lots of CAs is commercial pressure, but as log as any can issue for
any, it means security is as vulnerable as the weakest company's weakest
system or staffer.

~~~
tptacek
The lives of Iranian dissidents (a) really don't† and (b) shouldn't depend on
browser CA configurations. In reality if your adversary is a hostile
government, you should be taking steps beyond verifying SSL certificates.

† _but not for reasons that will make you happy_

~~~
rdl
True, the only reason this happened at all is that unlike most state actors,
there are no Iranian CA in the browser roots to directly pressure.

------
mcpherrinm
This is even worse: They noticed the breach, and failed to properly identify
all certificates issued.

I've already removed Diginotar from my Firefox trusted CAs. I don't think
they're going to earn their way back in.

~~~
joelhaasnoot
They think that by the end of the week they'll be trusted by Microsoft, Google
and Mozilla again, they "followed the correct procedures", see
[http://translate.google.com/translate?hl=en&sl=auto&...](http://translate.google.com/translate?hl=en&sl=auto&tl=en&u=http%3A%2F%2Ftweakers.net%2Fnieuws%2F76466%2Fhackers-
genereerden-zelf-vervalst-google-certificaat.html)

~~~
fjarlq
Wow, DigiNotar is insane if they really think that.

The fact that they said that makes me trust them even less.

------
levigross
This is an Über Failure if I have ever seen one. They detected the breech on
July 19th but didn't think to check to see if anything was amiss?!? I think
that OS companies and browsers must come down hard on compromised certificate
authorities. A ZERO tolerance policy should be enforced resulting in a
permanent BAN if your private keys are compromised!

------
rorymccune
There's some interesting additional commentary on the F-Secure Blog
(<http://www.f-secure.com/weblog/archives/00002228.html>). Looks like they'd
been breached multiple times.

~~~
waitwhat
From that blog post...

 _What can you do with such a certificate? Well, you can impersonate Google --
assuming you can first reroute Internet traffic for google.com to you. This is
something that can be done by a government or by a rogue ISP. Such a reroute
would only affect users within that country or under that ISP._

This is not entirely true...

 _For a short time on Tuesday, internet traffic sent between Facebook and
subscribers to AT &T's internet service passed through hardware belonging to
the state-owned China Telecom before reaching its final destination_

\--
[http://www.theregister.co.uk/2011/03/23/facebook_traffic_chi...](http://www.theregister.co.uk/2011/03/23/facebook_traffic_china_telecom/)

~~~
JoshTriplett
Any ISP or country which sent bogus routes like that would get away with it
briefly, before getting blackholed. So, sure, if you just needed a window of a
couple of minutes and you didn't mind it making international news, you could
do this.

Also, any entity trusted only to receive traffic but not to route third-party
traffic will typically get limited to routes that lead to its own IP block,
making this only an option for entities trusted to actually _route_ third-
party traffic. And if any such entity pulled a stunt like this more than once,
they'd have a hard time arguing that it occurred accidentally.

