Solved

Diginotar certificat

Posted on 2011-09-08
6
527 Views
Last Modified: 2012-05-12
Hello Experts.

I read in the news that diginotar certificats are unsecure.
The Nederlands government has banned all diginotar certificat use.

Does anyone know the status of this problem?

My advice would be not to use the governments sites for now and remove the diginotar certs.
from the cert store on all computer using these sites and wait until the certificats are fixed.

Can someone reflect on this or add some advice i should give?

Is there a tool i can run for automatic removal?

Bas.
0
Comment
Question by:bastouw
6 Comments
 
LVL 35

Assisted Solution

by:Cris Hanna
Cris Hanna earned 100 total points
ID: 36507321
A google search will provide most of what you're looking for...Microsoft is issuing an update which will revoke all their certs

Until new certs are issued for those sites, they are not reliable.
0
 
LVL 44

Accepted Solution

by:
Darr247 earned 100 total points
ID: 36507730
0
 
LVL 62

Assisted Solution

by:btan
btan earned 200 total points
ID: 36508478
My advice would be not to use the governments sites for now and remove the diginotar certs.
from the cert store on all computer using these sites and wait until the certificats are fixed.

The issue is not to condemn the global government CA certificate. The breach (or abuse) is not confirmed yet on the critical CA server. Can check out the interim report from FoxIT [1]. From Heise Security [2], although the attackers had control of the DigiNotar servers including the PKIoverheid and Qualified CA servers, analysis of the log files suggests they have not been tampered with or misused. There are two serial numbers of certificates on the servers which cannot be associated with trusted certificates and because of that, the investigators "cannot rule out the possibility that these relate to rogue certificates". However, there are around 531 certificate that are blacklisted [3] which is shared by the Dutch government. The attacker signature has strong sign it is linked with the earlier Codomo CA breach [4].

Overall, the SSL/TLS certificate would be impacted as if intercepted, the traffic is in "plain" for the attacker coming in the middle snooping the traffic. I will say the various affected parties has already act on to blacklist the certificates, so we just need to keep our browser, MS OS etc updated [5]. Not necessarily to remove the cert though that should not harm if the any business application does not rely on it. But not that Mobile users and Mac users are less well served. There has been no news of updates for Apple's iOS or Google's Android, meaning the mobile devices that run those operating systems are still vulnerable to man-in-the-middle attacks using the bogus certificates.

On top of Dignotar and Codomo, also note GlobalSign has announced that it has decided to suspend issuing of SSL certificates while it investigates the attacker's claim [6].

[1] http://www.rijksoverheid.nl/bestanden/documenten-en-publicaties/rapporten/2011/09/05/diginotar-public-report-version-1/rapport-fox-it-operation-black-tulip-v1-0.pdf
[2] http://www.h-online.com/security/news/item/DigiNotar-breach-due-to-disastrous-security-Update-1337573.html
[3] https://blog.torproject.org/files/rogue-certs-2011-09-04.xlsx
[4] https://blog.torproject.org/blog/detecting-certificate-authority-compromises-and-web-browser-collusion
[5] http://www.h-online.com/security/news/item/Browser-makers-update-their-DigiNotar-disaster-updates-1338144.html
[6] http://www.h-online.com/security/news/item/GlobalSign-suspend-issuing-SSL-certificates-1338634.html
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 
LVL 40

Assisted Solution

by:noci
noci earned 100 total points
ID: 36508736
Then again then Dutch government is in breach of it's own rules by not putting the diginotar certificate on their CRL
while the terms of use their certificate say on "That a revokation of its issued CA certificates would be effective immediately when a breach is known"...  
AFAIK it is still not on the CRL 2 weeks later...
So effectively if that root isn't revoked some other means is needed for SSL security see [1].

[1] http://www.youtube.com/watch?v=Z7Wl2FW2TcA   
      Blackhat presentation about SSL / Comodo / Trust, Moxie Marlinspike
[2] http://www.f-secure.com/weblog/archives/00002231.html 
[3] http://news4geeks.net/2011/08/19/with-ssl-who-can-you-really-trust/
[4] http://thoughtcrime.org/software/sslsniff/
      tooling for wiretapping SSL, through automated MITM
[4] http://www.wired.com/threatlevel/2010/03/packet-forensics/       
      Equipment that can implement such an MITM
[5] http://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/bf2deb09824418fb?pli=1
     Mozilla demands an re-audit of ALL CA's.

Tools to keep an eye on: Convergence architecture (Moxie Marlinspike)
Firefox: DANE, Certificate Patrol
0
 
LVL 62

Assisted Solution

by:btan
btan earned 200 total points
ID: 36508894
At least minimal do not go worse by downgrading security posture with no ssl/tls. The firesheep case was an wakeup call for those http site when traffic was snooped. i understand that even EV Cert need to be revoked too..
0
 

Author Closing Comment

by:bastouw
ID: 36509475
Tnx, i know enough now.
0

Featured Post

ScreenConnect 6.0 Free Trial

Discover new time-saving features in one game-changing release, ScreenConnect 6.0, based on partner feedback. New features include a redesigned UI, app configurations and chat acknowledgement to improve customer engagement!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
One of the biggest threats facing all high-value targets are APT's.  These threats include sophisticated tactics that "often starts with mapping human organization and collecting intelligence on employees, who are nowadays a weaker link than network…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question