
How the 2011 hack of DigiNotar changed the Internet’s infrastructure - nayuki
http://www.slate.com/articles/technology/future_tense/2016/12/how_the_2011_hack_of_diginotar_changed_the_internet_s_infrastructure.html
======
thesimp
There was so much more to this hack than what is described in this article.
Google for Foxit, Diginotar and Black Tulip for the complete report. It is
interesting to read how the intruders navigated the separate networks and got
full RDP access to the 8 CA generator servers in the secure room.

~~~
WestCoastJustin
For anyone else, this seems to be the report referenced:
[https://www.rijksoverheid.nl/binaries/rijksoverheid/document...](https://www.rijksoverheid.nl/binaries/rijksoverheid/documenten/rapporten/2012/08/13/black-tulip-update/black-tulip-update.pdf)

------
stephengillie
On one side, the CA certificate network forces a different kind of trust than
SSH certificates. With a CA cert, you trust the browser company, and
(sometimes) distrust the host. With SSH, the choice is only whether or not you
trust the host.

(Please note Windows uses a similar cert for RDP, with the same options to
trust once, trust forever, or disconnect immediately.)

Certificate Transparency is almost a type of blockchain, where what's stored
is a website's decryption key.

~~~
Edmond
Minor nitpick/correction: certificates are public keys, not decryption keys.
Also you can only encrypt with a public key and decrypt with a private key or
sign with a private key and verify with a public key. In general the CA PKI is
mainly for endpoint (mainly server) authentication, actual encryption
typically uses symmetric keys.
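
Added example, not from this thread or the Slate article, in Go with only the standard library: it shows the point above that a certificate carries a public key and that the CA's job is authentication by signature, and ties it to the article by checking a server certificate against a trust store from which a rogue CA is absent, which is what distrusting a compromised CA amounts to. The CA names, the host name and the Go 1.18+ requirement (generics) are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must aborts on any setup error so the demo stays short (needs Go 1.18+ for generics).
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// issue signs a certificate for subject with the issuer's private key (nil issuer: self-signed root CA).
// Only the subject's public key goes in: neither the CA nor the certificate ever holds a private key.
func issue(subject string, isCA bool, pub *ecdsa.PublicKey, issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: subject}, // constructed serial
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // server cert: bind the host name and restrict it to TLS server authentication
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{subject}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if issuer == nil {
		issuer = tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, issuerKey))
	return must(x509.ParseCertificate(der))
}

// Demo issues a certificate for host from a trusted root and from a rogue CA, both over the same server key,
// and checks each as a browser would (chain to a trusted root, CA signatures, host name): (honest ok, forged ok).
func Demo(host string) (bool, bool) {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	rootKey, rogueKey, serverKey := newKey(), newKey(), newKey()
	root := issue("Trusted Root CA", true, &rootKey.PublicKey, nil, rootKey)
	rogue := issue("Rogue CA", true, &rogueKey.PublicKey, nil, rogueKey)
	roots := x509.NewCertPool()
	roots.AddCert(root) // the only CA this client trusts; the rogue CA is deliberately absent
	honest := issue(host, false, &serverKey.PublicKey, root, rootKey)
	forged := issue(host, false, &serverKey.PublicKey, rogue, rogueKey)
	_, honestErr := honest.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	_, forgedErr := forged.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return honestErr == nil, forgedErr == nil
}
```

The forged certificate is well-formed and binds the same public key to the same name; it fails only because its issuer is not in the trust store, which is the check that removing a compromised root from browsers relies on.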

------
alexdgg
the real Mr. Robot

