
DigiNotar Damage Disclosure (with full list of issued certs) - jen_h
https://blog.torproject.org/blog/diginotar-damage-disclosure
======
Tharkun
Many thanks to the Tor folks for this disclosure, at least they (and other
browser providers) are taking responsibility where Diginotar would not.

It seems likely that Diginotar will be going out of business shortly, and
rightly so, but I don't think this should stop there. Their lack of
communication is very troubling. Not sure what their contractual obligations
are, but when supplying _trusted_ SSL certs trust seems pretty important, so
maybe it's possible to sue for damages since that trust was obviously broken?

~~~
DavidChouinard
From the DigiNotar press release [1] on the matter:

    
    
        VASCO expects the impact of the breach of DigiNotar’s SSL and EVSSL business
        to be minimal. Through the first six months of 2011, revenue from the SSL 
        and EVSSL business was less than Euro 100,000. VASCO does not expect that
        the DigiNotar security incident will have a significant impact on the
        company’s future revenue or business plans.
    

[1] http://www.vasco.com/company/press_room/news_archive/2011/news_diginotar_reports_security_incident.aspx

~~~
pasbesoin
I refrained from making this comment, before, but I guess I will now.

We should, as well, be running the hell away from VASCO. At a minimum, their
due diligence during the acquisition of DigiNotar was lacking. To the extent
as the parent company they inherently have responsibility, they have also
failed. I don't care if the acquisition is recent; in security, that's no
excuse.

Their citation of the monetary figure as reason to consider the matter
"minimal" could be read as a further example of their contempt and/or
disregard for the responsibility they shouldered with the DigiNotar
acquisition.

TL/DR: Stop saying "DigiNotar", and start saying (or also say) "VASCO".

------
jackowayed

      The most egregious certs issued were for *.*.com and *.*.org
    

Why is that even possible? Does it ever make sense for that to exist? If the
browsers currently accept that, I wouldn't be surprised if they stop accepting
that since it almost certainly means someone got ahold of certs they shouldn't
have.

~~~
tptacek
There is no reason that should have to be possible; it is straightforward for
a browser to reject _any_ "wildcard" certificate, and even easier to reject a
cert that wants to claim all of ".com".

Now, when you think about that, remember: the DNSSEC trust model starts with
an entity that can sign anything under .COM. You _can't_ not have that entity
in DNSSEC. Now you understand one reason I think DNSSEC sucks.

~~~
__david__
I don't know, it still seems better to me than our current situation which is
300 attack surfaces that are all effectively

    
    
      *.*

~~~
tptacek
You or I can point or click our way through dealing with a breach of a TLS
certificate.

Tell me what you'd personally do to deal with a rumored breach or misuse of
.COM?

Remember: under DNSSEC, Libya would have been BIT.LY's CA.

~~~
soult
> Remember: under DNSSEC, Libya would have been BIT.LY's CA.

Remember: With or without DNSSEC Libya sets falsified MX records for bit.ly,
buys a certificate (without any hacking), because after all, a valid SSL
certificate for domain.example means that someone verified that you indeed
receive mail for webmaster@domain.example, and also suddenly has a certificate
for Bit.ly. This has been criticized by Kaminsky and other researchers for ages
now.

I know you love SSL. In fact, I like SSL too. But please stop advertising the
CA system along with it, because it is horribly broken.

~~~
tptacek
You and I agree about the CA system. SSL admits to things other than the CA
system, like notary servers.

------
shabble
I don't know if this has been covered in one of the other threads (no obvious
searches showed it up):

As an attacker, why would you choose to limit the valid-until date on
certificates you generate to a very small value? You might expect people to
notice they're being MitM'd fairly fast, and the breach to be uncovered and
your certs distrusted quickly, but that's not really a good reason to
deliberately limit yourself.

The only sensible answer I can think of is that maybe there is some internal
auditing that generating very short-duration certificates gets around?

Anyone got any better ideas?

------
xpaulbettsx
If you're running Windows, you need to disable this root CA _immediately_, as
you are now vulnerable to having arbitrary code run on your machine as SYSTEM
if someone spoofs Windows Update.

------
joelhaasnoot
Was just logging into the e-service portal DigiD which previously had a
Government cert verified by DigiNotar. Now it's verified by Getronics
PinkRoccade, a big dutch IT-services company belonging to former state-owned
telco KPN.

~~~
troels
I'm wondering. Considering how important these things are, would it make sense
that governments set up their own CA?

~~~
onedognight
They have. Take a look at the default root CA list in your browser. The big
governments are represented and therefore can MITM anyone they want.

~~~
dredmorbius
The fact that Honest Achmed's Used Cars & Certificates would, if issued a root
cert, be as able as any other certificate authority to issue a cert for any
entity including:

    
    
      *.*.com
      *.*.org
    

... is like saying that you'll accept a US Passport issued by any country in
the world, including, say, North Korea or Iran. While the crypto behind
SSL/TLS is strong, the trust model is very clearly very broken.

With governments able to issue certs, as onedognight notes, there's no option
of a commercial death sentence. As experiences with RIM/India and Microsoft /
Google and China show, at least some governments would be able to apply
sufficient pressure on software producers to be able to at least make
governmental root revocation not automatic in all circumstances.

http://www.livehacking.com/2011/04/25/honest-achmeds-used-cars-and-certificates-wants-to-become-a-trusted-certificate-authority/

~~~
ctz
Let's be clear: the SSL/TLS protocol specifies no certification structure.
This structure was built by the members of CAB in the relatively distant past.

It /is/ possible to use TLS to make a genuinely good secure web. Unfortunately
at the moment there isn't a strong enough economic reason to fix the current
certification structure -- while fundamentally broken, it isn't broken enough
in practice yet.

Something like an large ISP-level compromise of banking services using mis-
issued certificates would probably incur some action.

~~~
dredmorbius
It's not sufficient to defend crypto in theory without considering how it's
used in practice _and what real-life threats exist as a result._

That's been one of the key themes in Bruce Schneier's work since _Applied
Cryptography_. In that book he laid the foundations for strong crypto. In his
subsequent works, he's shown that strong crypto, inappropriately applied,
isn't secure, and that security bogeymen, particularly those against which we
take countermeasures which are both ineffective and expensive (and not just in
financial terms) are themselves more potent risks than the _real_ threats we
face.

The real tragedy is in crippling ourselves and spending treasure fighting the
phantoms while ignoring real threats and dangers.

------
merlincorey
Grepping for "Tehran" revealed more secret messages:

    Extended Validation CA","unknown","unknown","*.SahebeDonyayeDigital.com","CN=*.SahebeDonyayeDigital.com,SN=PK000229200006592,OU=Elme Bikaran,L=Tehran,O=Daneshmande Bi nazir,C=IR" "2011-07-10 22:08:31","585a8ee9017a326d21bd19dce9d9777d","DigiNotar

    Extended Validation CA","unknown","unknown","*.RamzShekaneBozorg.com","CN=*.RamzShekaneBozorg.com,SN=PK000229200006593,OU=Sare Toro Ham Mishkanam,L=Tehran,O=Hameye Ramzaro Mishkanam,C=IR" "2011-07-10 22:11:59","aa239bf9fe84b25444be0799f40c9f67","DigiNotar

    Extended Validation CA","unknown","unknown","*.JanamFadayeRahbar.com","CN=*.JanamFadayeRahbar.com,SN=PK000229200006594,OU=Sarbaze Gomnam,L=Tehran,O=Ke Jano Janan Toyi,C=IR"

Thankfully it seems someone already translated in the comments:

--- Translation one ---

Sahebeh Donya => Possessor of the World e.g. God.

Sarbazeh Gomnam => Unknown Soldier

Elme Bikaran => Science/Knowledge of the idle/unemployed

Daneshmande Bi nazir => Peerless Scientist

RamzShekaneBozorg => Great Cryptanalyst

Toro Ham Mishkanam => I will break TOR too

Hameye Ramzaro Mishkanam => Will break all cyphers

---

[edited for formatting]

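The grep above picks rows out by a substring match and leaves the subject DN to be read by eye. The following is an added example, not code from the Tor post or from anyone in this thread: it parses RFC 4514 subject strings such as `CN=...,OU=...,L=Tehran,C=IR` into attributes and filters on the locality. The three subject strings are copied from the rows quoted above; the column order, the dates, the fingerprints and the extra Amsterdam row are constructed for the example and are an assumption, not the real file's layout.

```python
"""Pull the Tehran-located subjects out of a rogue-cert CSV.

Added example, not code from the Tor post or from anyone in this thread.
The subject strings below are taken from the rows quoted above; every
other column (order, dates, fingerprints, the Amsterdam row) is
constructed sample data and is NOT the layout of the real Tor CSV.
"""
import csv
import io

# Constructed sample: fingerprints and dates are placeholders.
SAMPLE_CSV = """cn,subject,valid_from,fingerprint,issuer
"*.SahebeDonyayeDigital.com","CN=*.SahebeDonyayeDigital.com,SN=PK000229200006592,OU=Elme Bikaran,L=Tehran,O=Daneshmande Bi nazir,C=IR","2011-07-10 00:00:00","00000000","DigiNotar Extended Validation CA"
"*.RamzShekaneBozorg.com","CN=*.RamzShekaneBozorg.com,SN=PK000229200006593,OU=Sare Toro Ham Mishkanam,L=Tehran,O=Hameye Ramzaro Mishkanam,C=IR","2011-07-10 00:00:00","11111111","DigiNotar Extended Validation CA"
"*.JanamFadayeRahbar.com","CN=*.JanamFadayeRahbar.com,SN=PK000229200006594,OU=Sarbaze Gomnam,L=Tehran,O=Ke Jano Janan Toyi,C=IR","2011-07-10 00:00:00","22222222","DigiNotar Extended Validation CA"
"www.example.net","CN=www.example.net,O=Example\\, Inc.,L=Amsterdam,C=NL","2011-07-10 00:00:00","33333333","DigiNotar Extended Validation CA"
"""


def parse_dn(dn: str) -> dict:
    """Split an RFC 4514 string into {ATTR: value}.

    Backslash escapes (a '\\,' inside a value) are honoured; multi-valued
    RDNs joined with '+' and hex-encoded values are out of scope.
    """
    attrs, field, i = {}, [], 0
    while i <= len(dn):
        ch = dn[i] if i < len(dn) else ","  # sentinel flushes the last RDN
        if ch == "\\" and i + 1 < len(dn):
            field.append(dn[i + 1])  # escaped character, taken literally
            i += 2
            continue
        if ch == ",":
            key, _, value = "".join(field).partition("=")
            if key.strip():
                attrs[key.strip().upper()] = value.strip()
            field = []
        else:
            field.append(ch)
        i += 1
    return attrs


def entries_in_locality(csv_text: str, locality: str) -> list:
    """Return the rows whose subject carries L=<locality> (case-insensitive)."""
    found = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        subject = parse_dn(row["subject"])
        if subject.get("L", "").lower() == locality.lower():
            found.append({
                "cn": subject.get("CN"),
                "ou": subject.get("OU"),
                "o": subject.get("O"),
                "issuer": row["issuer"],
                "fingerprint": row["fingerprint"],
            })
    return found


if __name__ == "__main__":
    for entry in entries_in_locality(SAMPLE_CSV, "Tehran"):
        print(entry["cn"], "|", entry["ou"], "|", entry["o"])
```

Matching on the parsed `L` attribute rather than on the raw text avoids false hits on a "Tehran" that appears in an organisation name or a street address, and the escape handling keeps a comma inside an `O=` value from splitting the DN in the wrong place.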
------
jdbeast00
Wow, is this a typo??

"The most egregious certs issued were for *.*.com and *.*.org"

I didn't know double wildcard certs were possible. This would be extremely
helpful for us if that was. Anyone know?

(Just to be extra clear, we would like one cert that covers a.b.example.org as
well as d.e.example.org, and hopefully also still works for a.example.org)

edit: We currently have a *.example.org cert, and while some browsers think
that is valid for a.b.example.org, most do not.

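Both the point above that a browser can simply refuse a certificate that claims all of .com, and the question of whether a `*.example.org` cert covers `a.b.example.org`, come down to the hostname-matching rules a TLS client applies. The following is an added example, not code from the Tor post or from anyone in this thread: a small matcher implementing the RFC 6125 section 6.4.3 rules together with the CA/Browser Forum requirement that a wildcard be the entire leftmost label. The public-suffix handling is deliberately simplified (a fixed minimum of two labels after the wildcard instead of the Public Suffix List), which is an assumption of this example, not what any particular browser does.

```python
"""Hostname matching with browser-style wildcard rules.

Added example, not code from the Tor blog post or from anyone in this
thread. It shows why *.*.com must be refused, why *.com is refused, and
why *.example.org does not cover a.b.example.org.
"""


def is_acceptable_wildcard_name(name: str) -> bool:
    """Return True for a plain DNS name or a well-formed wildcard name.

    Rules applied (deliberately conservative):
      - a wildcard is the entire leftmost label and appears nowhere
        else, so '*.*.com' and 'a*.example.org' are rejected;
      - at least two labels must follow the wildcard, which refuses
        '*.com'; refusing '*.co.uk' would need the Public Suffix List,
        which this simplified check does not consult (assumption).
    """
    labels = name.lower().rstrip(".").split(".")
    if any(label == "" for label in labels):
        return False
    if "*" not in name:
        return True
    if labels[0] != "*" or any("*" in label for label in labels[1:]):
        return False
    return len(labels) >= 3


def hostname_matches(cert_name: str, hostname: str) -> bool:
    """Match `hostname` against one dNSName (or CN) from a certificate.

    A wildcard matches exactly one label and never spans a dot, so
    '*.example.org' matches 'a.example.org' but neither
    'a.b.example.org' nor 'example.org' itself.
    """
    if not is_acceptable_wildcard_name(cert_name):
        return False
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if "*" in host_labels[0] or any(label == "" for label in host_labels):
        return False  # a requested hostname is never a pattern
    if cert_labels[0] != "*":
        return cert_labels == host_labels
    return (len(host_labels) == len(cert_labels)
            and host_labels[1:] == cert_labels[1:])


if __name__ == "__main__":
    for cert_name, host in [
        ("*.example.org", "a.example.org"),
        ("*.example.org", "a.b.example.org"),
        ("*.*.com", "www.google.com"),
        ("*.com", "www.google.com"),
    ]:
        print(f"{cert_name:15} vs {host:18} -> {hostname_matches(cert_name, host)}")
```

Under these rules a single certificate cannot cover `a.b.example.org`, `d.e.example.org` and `a.example.org` at once; the usual answer is a certificate whose subjectAltName lists `*.example.org` alongside `*.b.example.org` and `*.e.example.org`, each of which is a well-formed wildcard on its own.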
------
Someone
"the _currently_ known bad DigiNotar related certificates"

=> that list is not necessarily a full list (and, given the reportedly
incomplete audit trail, we may never know how long the full list is)

~~~
speleding
It doesn't really matter if there are any other certificates we don't know
about. If you don't have the Diginotar root certs block you have a problem, if
you do have them blocked it's not relevant whatever else they issued.

------
xtacy
Is there an AdBlock like community collected list of "safe" certificates that
I should have in my system? Till date, I have removed COMODO, DigiNotar, but I
suspect there are more.

~~~
sp332
Maybe check out convergence.io? Also Certificate Patrol
<http://patrol.psyced.org/>, Perspectives <http://perspectives-project.org/>,
or just plain SSL Blacklist <http://codefromthe70s.org/sslblacklist.aspx>.

------
tzury
facebook, google, cia, skype, twitter, mozilla, logmein, and many more, scary!

https://svn.torproject.org/svn/projects/misc/diginotar/rogue-certs-2011-09-04.csv

------
sandGorgon
hey guys - as an end user, how do I make sure that I am protected ? I mean is
there a way to make sure these certificates dont affect me.

I'm on Ubuntu Linux and have applied the recent updates... but how can I be
sure ?

------
zby
some more info: <http://blog.gerv.net/2011/09/diginotar-compromise/>

------
cft
Iranian government revenge for stuxnet?

