DigiNotar certificate

Posted on 2011-09-08
Medium Priority
Last Modified: 2012-05-12
Hello Experts.

I read in the news that DigiNotar certificates are insecure.
The Netherlands government has banned all DigiNotar certificate use.

Does anyone know the status of this problem?

My advice would be not to use the government's sites for now, remove the DigiNotar certs from the cert store on all computers using these sites, and wait until the certificates are fixed.

Can someone reflect on this or add some advice I should give?

Is there a tool I can run for automatic removal?

Question by:bastouw
LVL 35

Assisted Solution

by: Cris Hanna
Cris Hanna earned 400 total points
ID: 36507321
A Google search will provide most of what you're looking for... Microsoft is issuing an update which will revoke all their certs.

Until new certs are issued for those sites, they are not reliable.
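As an added example (not part of the thread, and not Microsoft's update itself), a PowerShell script that audits the Windows certificate stores for DigiNotar certificates, reports whether each one is already in the Disallowed (Untrusted Certificates) store, which is how the Microsoft update revokes trust, and, only when $Enforce is set, untrusts any that are still trusted. The name pattern, the store list and the $Enforce switch are assumptions; run it in an elevated session.

```powershell
# Added example, not from the original thread. Audits Root/CA/AuthRoot stores for
# certificates whose Subject or Issuer matches $Pattern and checks whether the
# Disallowed store already covers them. Assumptions: the pattern, store list and
# the $Enforce toggle; set $Enforce = $true to actually untrust remaining certs.
$Pattern     = 'DigiNotar'
$TrustStores = @('Root', 'CA', 'AuthRoot')
$Enforce     = $false

# Thumbprints already in the machine-wide Disallowed store (explicitly untrusted).
$disallowedThumbs = @(Get-ChildItem -Path 'Cert:\LocalMachine\Disallowed' -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Thumbprint })

function Get-MatchingCerts {
    param([string]$Location, [string]$StoreName)
    Get-ChildItem -Path "Cert:\$Location\$StoreName" -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match $Pattern -or $_.Issuer -match $Pattern }
}

function Add-ToDisallowed {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # A certificate present in Disallowed is untrusted even if it also sits in Root/CA.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Disallowed', 'LocalMachine')
    $store.Open('ReadWrite')
    $store.Add($Cert)
    $store.Close()
}

foreach ($location in @('LocalMachine', 'CurrentUser')) {
    foreach ($storeName in $TrustStores) {
        foreach ($cert in (Get-MatchingCerts -Location $location -StoreName $storeName)) {
            $covered = $disallowedThumbs -contains $cert.Thumbprint
            $status  = if ($covered) { 'already untrusted' } else { 'STILL TRUSTED' }
            Write-Output ('{0}\{1}: {2} [{3}] - {4}' -f $location, $storeName, $cert.Subject, $cert.Thumbprint, $status)

            if (-not $covered -and $Enforce) {
                Add-ToDisallowed -Cert $cert
                # Also remove it from the trust store, as the question proposes.
                Remove-Item -Path $cert.PSPath
                Write-Output ('    -> moved to Disallowed and removed from {0}\{1}' -f $location, $storeName)
            }
        }
    }
}
```

A machine where every match reports "already untrusted" has the vendor revocation in place; "STILL TRUSTED" entries are the ones the update has not reached.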
LVL 44

Accepted Solution

Darr247 earned 400 total points
ID: 36507730
LVL 65

Assisted Solution

btan earned 800 total points
ID: 36508478
My advice would be not to use the government's sites for now, remove the DigiNotar certs from the cert store on all computers using these sites, and wait until the certificates are fixed.

The issue is not to condemn the global government CA certificate. The breach (or abuse) is not confirmed yet on the critical CA server. Check out the interim report from Fox-IT [1]. From Heise Security [2], although the attackers had control of the DigiNotar servers including the PKIoverheid and Qualified CA servers, analysis of the log files suggests they have not been tampered with or misused. There are two serial numbers of certificates on the servers which cannot be associated with trusted certificates and because of that, the investigators "cannot rule out the possibility that these relate to rogue certificates". However, there are around 531 certificates that are blacklisted [3], as shared by the Dutch government. The attacker's signature is a strong sign that it is linked with the earlier Comodo CA breach [4].

Overall, the SSL/TLS certificates would be impacted: if intercepted, the traffic is in the "plain" for an attacker coming in the middle and snooping the traffic. I will say the various affected parties have already acted to blacklist the certificates, so we just need to keep our browsers, MS OS etc. updated [5]. Not necessarily to remove the cert, though that should not harm if no business application relies on it. But note that mobile users and Mac users are less well served. There has been no news of updates for Apple's iOS or Google's Android, meaning the mobile devices that run those operating systems are still vulnerable to man-in-the-middle attacks using the bogus certificates.

On top of DigiNotar and Comodo, also note GlobalSign has announced that it has decided to suspend issuing of SSL certificates while it investigates the attacker's claim [6].

[1] http://www.rijksoverheid.nl/bestanden/documenten-en-publicaties/rapporten/2011/09/05/diginotar-public-report-version-1/rapport-fox-it-operation-black-tulip-v1-0.pdf
[2] http://www.h-online.com/security/news/item/DigiNotar-breach-due-to-disastrous-security-Update-1337573.html
[3] https://blog.torproject.org/files/rogue-certs-2011-09-04.xlsx
[4] https://blog.torproject.org/blog/detecting-certificate-authority-compromises-and-web-browser-collusion
[5] http://www.h-online.com/security/news/item/Browser-makers-update-their-DigiNotar-disaster-updates-1338144.html
[6] http://www.h-online.com/security/news/item/GlobalSign-suspend-issuing-SSL-certificates-1338634.html

LVL 40

Assisted Solution

noci earned 400 total points
ID: 36508736
Then again, the Dutch government is in breach of its own rules by not putting the DigiNotar certificate on their CRL,
while the terms of use of their certificate say that "a revocation of its issued CA certificates would be effective immediately when a breach is known"...
AFAIK it is still not on the CRL 2 weeks later...
So effectively, if that root isn't revoked, some other means is needed for SSL security; see [1].

[1] http://www.youtube.com/watch?v=Z7Wl2FW2TcA
      Black Hat presentation about SSL / Comodo / Trust, Moxie Marlinspike
[2] http://www.f-secure.com/weblog/archives/00002231.html
[3] http://news4geeks.net/2011/08/19/with-ssl-who-can-you-really-trust/
[4] http://thoughtcrime.org/software/sslsniff/
      tooling for wiretapping SSL, through automated MITM
[5] http://www.wired.com/threatlevel/2010/03/packet-forensics/
      Equipment that can implement such an MITM
[6] http://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/bf2deb09824418fb?pli=1
      Mozilla demands a re-audit of ALL CAs.

Tools to keep an eye on: Convergence architecture (Moxie Marlinspike)
Firefox: DANE, Certificate Patrol
LVL 65

Assisted Solution

btan earned 800 total points
ID: 36508894
At least, minimally, do not make it worse by downgrading the security posture to no SSL/TLS. The Firesheep case was a wake-up call for those HTTP sites when traffic was snooped. I understand that even EV certs need to be revoked too..

Author Closing Comment

ID: 36509475
Thanks, I know enough now.
