Solved

DigiNotar certificate

Posted on 2011-09-08
Last Modified: 2012-05-12
Hello Experts.

I read in the news that DigiNotar certificates are insecure.
The Netherlands government has banned all DigiNotar certificate use.

Does anyone know the status of this problem?

My advice would be not to use the government's sites for now, remove the DigiNotar certs
from the cert store on all computers using these sites, and wait until the certificates are fixed.

Can someone reflect on this or add some advice I should give?

Is there a tool I can run for automatic removal?

Bas.
Question by:bastouw
6 Comments
 
LVL 35

Assisted Solution

by:Cris Hanna
Cris Hanna earned 100 total points
ID: 36507321
A Google search will provide most of what you're looking for... Microsoft is issuing an update which will revoke all their certs.

Until new certs are issued for those sites, they are not reliable.
 
LVL 44

Accepted Solution

by:Darr247
Darr247 earned 100 total points
ID: 36507730
 
LVL 61

Assisted Solution

by:btan
btan earned 200 total points
ID: 36508478
My advice would be not to use the government's sites for now, remove the DigiNotar certs
from the cert store on all computers using these sites, and wait until the certificates are fixed.

The issue is not to condemn the global government CA certificate. The breach (or abuse) is not confirmed yet on the critical CA server. You can check out the interim report from Fox-IT [1]. From Heise Security [2], although the attackers had control of the DigiNotar servers including the PKIoverheid and Qualified CA servers, analysis of the log files suggests they have not been tampered with or misused. There are two serial numbers of certificates on the servers which cannot be associated with trusted certificates and because of that, the investigators "cannot rule out the possibility that these relate to rogue certificates". However, there are around 531 certificates that are blacklisted [3], a list which is shared by the Dutch government. The attacker signature shows strong signs that it is linked with the earlier Comodo CA breach [4].

Overall, the SSL/TLS certificate would be impacted: if intercepted, the traffic is in "plain" for the attacker in the middle snooping it. I will say the various affected parties have already acted to blacklist the certificates, so we just need to keep our browsers, MS OS etc. updated [5]. It is not necessary to remove the cert, though that should not harm if no business application relies on it. But note that mobile users and Mac users are less well served. There has been no news of updates for Apple's iOS or Google's Android, meaning the mobile devices that run those operating systems are still vulnerable to man-in-the-middle attacks using the bogus certificates.

On top of DigiNotar and Comodo, also note GlobalSign has announced that it has decided to suspend issuing SSL certificates while it investigates the attacker's claim [6].

[1] http://www.rijksoverheid.nl/bestanden/documenten-en-publicaties/rapporten/2011/09/05/diginotar-public-report-version-1/rapport-fox-it-operation-black-tulip-v1-0.pdf
[2] http://www.h-online.com/security/news/item/DigiNotar-breach-due-to-disastrous-security-Update-1337573.html
[3] https://blog.torproject.org/files/rogue-certs-2011-09-04.xlsx
[4] https://blog.torproject.org/blog/detecting-certificate-authority-compromises-and-web-browser-collusion
[5] http://www.h-online.com/security/news/item/Browser-makers-update-their-DigiNotar-disaster-updates-1338144.html
[6] http://www.h-online.com/security/news/item/GlobalSign-suspend-issuing-SSL-certificates-1338634.html
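For the asker's "tool for automatic removal" question, here is an added example (not from any poster in this thread) for the Windows machines the asker administers. It moves any certificate whose Subject or Issuer contains "DigiNotar" out of the machine-wide trusted stores into the Disallowed (Untrusted Certificates) store, which is the same end state the Microsoft revocation update produces; it assumes an elevated PowerShell session and that matching on the "DigiNotar" name is sufficient for your environment.

```powershell
# Added example, not from the thread: distrust DigiNotar-named certificates on one
# Windows host. Run from an elevated PowerShell prompt. Use -WhatIf to report only.
param(
    [switch]$WhatIf
)

$pattern    = '*DigiNotar*'                 # assumption: name match identifies the CA
$storeNames = 'Root', 'CA', 'AuthRoot'       # trusted roots, intermediates, 3rd-party roots

# "Disallowed" is the internal name of the "Untrusted Certificates" store. A cert placed
# here is treated as explicitly revoked by CryptoAPI, which is stronger than deletion.
$disallowed = New-Object System.Security.Cryptography.X509Certificates.X509Store('Disallowed', 'LocalMachine')
$disallowed.Open('ReadWrite')

foreach ($name in $storeNames) {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($name, 'LocalMachine')
    $store.Open('ReadWrite')

    # Copy the matches into an array first; removing items while enumerating the
    # live collection is not safe.
    $found = @($store.Certificates | Where-Object {
        $_.Subject -like $pattern -or $_.Issuer -like $pattern
    })

    foreach ($cert in $found) {
        $line = '{0,-8} {1} {2}' -f $name, $cert.Thumbprint, $cert.Subject
        if ($WhatIf) {
            Write-Output "WOULD DISTRUST: $line"
            continue
        }
        # Idempotent: skip the Add if an earlier run (or the MS update) already put it here.
        if (-not $disallowed.Certificates.Contains($cert)) {
            $disallowed.Add($cert)
        }
        $store.Remove($cert)
        Write-Output "DISTRUSTED:     $line"
    }
    $store.Close()
}
$disallowed.Close()
```

This only affects the Windows certificate stores (IE, Chrome, .NET applications); Firefox keeps its own NSS trust store, so it needs the Mozilla update mentioned in the thread rather than this script.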
 
LVL 39

Assisted Solution

by:noci
noci earned 100 total points
ID: 36508736
Then again, the Dutch government is in breach of its own rules by not putting the DigiNotar certificate on their CRL,
while the terms of use of their certificate say that "a revocation of its issued CA certificates would be effective immediately when a breach is known"...
AFAIK it is still not on the CRL 2 weeks later...
So effectively, if that root isn't revoked, some other means is needed for SSL security; see [1].

[1] http://www.youtube.com/watch?v=Z7Wl2FW2TcA
    Black Hat presentation about SSL / Comodo / Trust, Moxie Marlinspike
[2] http://www.f-secure.com/weblog/archives/00002231.html
[3] http://news4geeks.net/2011/08/19/with-ssl-who-can-you-really-trust/
[4] http://thoughtcrime.org/software/sslsniff/
    Tooling for wiretapping SSL through automated MITM
[5] http://www.wired.com/threatlevel/2010/03/packet-forensics/
    Equipment that can implement such an MITM
[6] http://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/bf2deb09824418fb?pli=1
    Mozilla demands a re-audit of ALL CAs.

Tools to keep an eye on: Convergence architecture (Moxie Marlinspike)
Firefox: DANE, Certificate Patrol
 
LVL 61

Assisted Solution

by:btan
btan earned 200 total points
ID: 36508894
At the minimum, do not make things worse by downgrading the security posture to no SSL/TLS. The Firesheep case was a wake-up call for those HTTP sites whose traffic was snooped. I understand that even EV certs need to be revoked too.
 

Author Closing Comment

by:bastouw
ID: 36509475
Thanks, I know enough now.
