Solved

DigiNotar certificate

Posted on 2011-09-08
Last Modified: 2012-05-12
Hello Experts.

I read in the news that DigiNotar certificates are insecure.
The Netherlands government has banned all DigiNotar certificate use.

Does anyone know the status of this problem?

My advice would be not to use the government's sites for now, remove the DigiNotar certs from the cert store on all computers using these sites, and wait until the certificates are fixed.

Can someone reflect on this or add some advice I should give?

Is there a tool I can run for automatic removal?

Bas.
Question by:bastouw
6 Comments
 
LVL 35

Assisted Solution

by:Cris Hanna
Cris Hanna earned 100 total points
ID: 36507321
A Google search will provide most of what you're looking for... Microsoft is issuing an update which will revoke all their certs.

Until new certs are issued for those sites, they are not reliable.
 
LVL 44

Accepted Solution

by:Darr247
Darr247 earned 100 total points
ID: 36507730
 
LVL 62

Assisted Solution

by:btan
btan earned 200 total points
ID: 36508478
"My advice would be not to use the government's sites for now, remove the DigiNotar certs from the cert store on all computers using these sites, and wait until the certificates are fixed."

The issue is not to condemn the global government CA certificate. The breach (or abuse) is not confirmed yet on the critical CA server. You can check out the interim report from Fox-IT [1]. According to Heise Security [2], although the attackers had control of the DigiNotar servers, including the PKIoverheid and Qualified CA servers, analysis of the log files suggests these have not been tampered with or misused. There are two serial numbers of certificates on the servers which cannot be associated with trusted certificates, and because of that the investigators "cannot rule out the possibility that these relate to rogue certificates". However, there are around 531 certificates that are blacklisted [3], a list shared by the Dutch government. The attacker's signature shows strong signs of being linked with the earlier Comodo CA breach [4].

Overall, the SSL/TLS certificate would be impacted: if intercepted, the traffic is in the "plain" for the attacker sitting in the middle and snooping on it. I will say the various affected parties have already acted to blacklist the certificates, so we just need to keep our browsers, MS OS etc. updated [5]. It is not necessary to remove the cert, though that should not do any harm if no business application relies on it. But note that mobile users and Mac users are less well served. There has been no news of updates for Apple's iOS or Google's Android, meaning the mobile devices that run those operating systems are still vulnerable to man-in-the-middle attacks using the bogus certificates.

On top of DigiNotar and Comodo, also note that GlobalSign has announced that it has decided to suspend issuing SSL certificates while it investigates the attacker's claim [6].

[1] http://www.rijksoverheid.nl/bestanden/documenten-en-publicaties/rapporten/2011/09/05/diginotar-public-report-version-1/rapport-fox-it-operation-black-tulip-v1-0.pdf
[2] http://www.h-online.com/security/news/item/DigiNotar-breach-due-to-disastrous-security-Update-1337573.html
[3] https://blog.torproject.org/files/rogue-certs-2011-09-04.xlsx
[4] https://blog.torproject.org/blog/detecting-certificate-authority-compromises-and-web-browser-collusion
[5] http://www.h-online.com/security/news/item/Browser-makers-update-their-DigiNotar-disaster-updates-1338144.html
[6] http://www.h-online.com/security/news/item/GlobalSign-suspend-issuing-SSL-certificates-1338634.html
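For the "tool for automatic removal" part of the question, here is an added example (my own script, not from any poster in this thread) for Windows hosts: it audits the machine and user certificate stores for any certificate naming DigiNotar as subject or issuer and removes the matches only when run with -Remove. The store list and the name-match approach are assumptions of mine; no thumbprints are hard-coded because the thread does not list any.

```powershell
# Added example: audit (and optionally remove) DigiNotar CA certificates from the
# Windows certificate stores. Assumes Windows PowerShell 3.0 or later; removing
# from the LocalMachine stores requires an elevated prompt.
param(
    [switch]$Remove
)

# Match on the CA name rather than hard-coded thumbprints, so intermediates
# issued under a DigiNotar root (e.g. PKIoverheid chains) are caught as well.
$pattern = 'DigiNotar'

# Deliberately NOT included: Cert:\*\Disallowed. Vendor updates place distrusted
# roots there, and removing an entry from that store would re-enable trust.
$stores = @(
    'Cert:\LocalMachine\Root',
    'Cert:\LocalMachine\CA',
    'Cert:\LocalMachine\AuthRoot',
    'Cert:\CurrentUser\Root',
    'Cert:\CurrentUser\CA'
)

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                PSPath     = $_.PSPath
            }
        }
}

if (-not $found) {
    Write-Output "No certificates matching '$pattern' found in the audited stores."
    return
}

# Report first, so the audit output can be kept as evidence of what was present.
$found | Format-Table Store, Subject, Thumbprint, NotAfter -AutoSize

if ($Remove) {
    foreach ($cert in $found) {
        # Removal is the belt-and-braces step on hosts that have not yet received
        # the vendor update that distrusts these roots.
        Remove-Item -Path $cert.PSPath -Verbose
    }
}
```

Run it without -Remove first and check the listed subjects, since the pattern is a substring match and any certificate whose name merely contains "DigiNotar" would also be reported.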
 
LVL 40

Assisted Solution

by:noci
noci earned 100 total points
ID: 36508736
Then again, the Dutch government is in breach of its own rules by not putting the DigiNotar certificate on their CRL,
while the terms of use of their certificate say "that a revocation of its issued CA certificates would be effective immediately when a breach is known"...
AFAIK it is still not on the CRL 2 weeks later...
So effectively, if that root isn't revoked, some other means is needed for SSL security; see [1].

[1] http://www.youtube.com/watch?v=Z7Wl2FW2TcA
      Black Hat presentation about SSL / Comodo / Trust, Moxie Marlinspike
[2] http://www.f-secure.com/weblog/archives/00002231.html
[3] http://news4geeks.net/2011/08/19/with-ssl-who-can-you-really-trust/
[4] http://thoughtcrime.org/software/sslsniff/
      tooling for wiretapping SSL through automated MITM
[5] http://www.wired.com/threatlevel/2010/03/packet-forensics/
      Equipment that can implement such a MITM
[6] http://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/bf2deb09824418fb?pli=1
      Mozilla demands a re-audit of ALL CAs.

Tools to keep an eye on: Convergence architecture (Moxie Marlinspike)
Firefox: DANE, Certificate Patrol
 
LVL 62

Assisted Solution

by:btan
btan earned 200 total points
ID: 36508894
At the very least, do not make things worse by downgrading the security posture to no SSL/TLS. The Firesheep case was a wake-up call for those HTTP sites whose traffic was snooped. I understand that even EV certs need to be revoked too..
 

Author Closing Comment

by:bastouw
ID: 36509475
Thanks, I know enough now.
