Diginotar certificat

Posted on 2011-09-08
Medium Priority
Last Modified: 2012-05-12
Hello Experts.

I read in the news that diginotar certificats are unsecure.
The Nederlands government has banned all diginotar certificat use.

Does anyone know the status of this problem?

My advice would be not to use the governments sites for now and remove the diginotar certs.
from the cert store on all computer using these sites and wait until the certificats are fixed.

Can someone reflect on this or add some advice i should give?

Is there a tool i can run for automatic removal?

Question by:bastouw
LVL 35

Assisted Solution

by:Cris Hanna
Cris Hanna earned 400 total points
ID: 36507321
A google search will provide most of what you're looking for...Microsoft is issuing an update which will revoke all their certs

Until new certs are issued for those sites, they are not reliable.
LVL 44

Accepted Solution

Darr247 earned 400 total points
ID: 36507730
LVL 65

Assisted Solution

btan earned 800 total points
ID: 36508478
My advice would be not to use the governments sites for now and remove the diginotar certs.
from the cert store on all computer using these sites and wait until the certificats are fixed.

The issue is not to condemn the global government CA certificate. The breach (or abuse) is not confirmed yet on the critical CA server. Can check out the interim report from FoxIT [1]. From Heise Security [2], although the attackers had control of the DigiNotar servers including the PKIoverheid and Qualified CA servers, analysis of the log files suggests they have not been tampered with or misused. There are two serial numbers of certificates on the servers which cannot be associated with trusted certificates and because of that, the investigators "cannot rule out the possibility that these relate to rogue certificates". However, there are around 531 certificate that are blacklisted [3] which is shared by the Dutch government. The attacker signature has strong sign it is linked with the earlier Codomo CA breach [4].

Overall, the SSL/TLS certificate would be impacted as if intercepted, the traffic is in "plain" for the attacker coming in the middle snooping the traffic. I will say the various affected parties has already act on to blacklist the certificates, so we just need to keep our browser, MS OS etc updated [5]. Not necessarily to remove the cert though that should not harm if the any business application does not rely on it. But not that Mobile users and Mac users are less well served. There has been no news of updates for Apple's iOS or Google's Android, meaning the mobile devices that run those operating systems are still vulnerable to man-in-the-middle attacks using the bogus certificates.

On top of Dignotar and Codomo, also note GlobalSign has announced that it has decided to suspend issuing of SSL certificates while it investigates the attacker's claim [6].

[1] http://www.rijksoverheid.nl/bestanden/documenten-en-publicaties/rapporten/2011/09/05/diginotar-public-report-version-1/rapport-fox-it-operation-black-tulip-v1-0.pdf
[2] http://www.h-online.com/security/news/item/DigiNotar-breach-due-to-disastrous-security-Update-1337573.html
[3] https://blog.torproject.org/files/rogue-certs-2011-09-04.xlsx
[4] https://blog.torproject.org/blog/detecting-certificate-authority-compromises-and-web-browser-collusion
[5] http://www.h-online.com/security/news/item/Browser-makers-update-their-DigiNotar-disaster-updates-1338144.html
[6] http://www.h-online.com/security/news/item/GlobalSign-suspend-issuing-SSL-certificates-1338634.html
A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

LVL 41

Assisted Solution

noci earned 400 total points
ID: 36508736
Then again then Dutch government is in breach of it's own rules by not putting the diginotar certificate on their CRL
while the terms of use their certificate say on "That a revokation of its issued CA certificates would be effective immediately when a breach is known"...  
AFAIK it is still not on the CRL 2 weeks later...
So effectively if that root isn't revoked some other means is needed for SSL security see [1].

[1] http://www.youtube.com/watch?v=Z7Wl2FW2TcA   
      Blackhat presentation about SSL / Comodo / Trust, Moxie Marlinspike
[2] http://www.f-secure.com/weblog/archives/00002231.html 
[3] http://news4geeks.net/2011/08/19/with-ssl-who-can-you-really-trust/
[4] http://thoughtcrime.org/software/sslsniff/
      tooling for wiretapping SSL, through automated MITM
[4] http://www.wired.com/threatlevel/2010/03/packet-forensics/       
      Equipment that can implement such an MITM
[5] http://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/bf2deb09824418fb?pli=1
     Mozilla demands an re-audit of ALL CA's.

Tools to keep an eye on: Convergence architecture (Moxie Marlinspike)
Firefox: DANE, Certificate Patrol
LVL 65

Assisted Solution

btan earned 800 total points
ID: 36508894
At least minimal do not go worse by downgrading security posture with no ssl/tls. The firesheep case was an wakeup call for those http site when traffic was snooped. i understand that even EV Cert need to be revoked too..

Author Closing Comment

ID: 36509475
Tnx, i know enough now.

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SSL stands for “Secure Sockets Layer” and an SSL certificate is a critical component to keeping your website safe, secured, and compliant. Any ecommerce website must have an SSL certificate to ensure the safe handling of sensitive information like…
It’s been over a month into 2017, and there is already a sophisticated Gmail phishing email making it rounds. New techniques and tactics, have given hackers a way to authentically impersonate your contacts.How it Works The attack works by targeti…
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
Suggested Courses

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question