The internet has relied on Secure Sockets Layer (SSL) certificates to validate the authenticity of websites. Last month at least 531 certificates signed by the Dutch Certificate Authority (CA) DigiNotar were found to be false. The response has been immediate and intense: Microsoft and Firefox have issued updates to stop trusting all DigiNotar certificates. Less significant, but still important, was the release of Apache 2.2.20, which fixed a DoS vulnerability.
The Dutch government held a press conference at night, the first in its history. DigiNotar signs some 57,956 certificates, and it had known about the recent breach for some time.
Certificate Authorities are not well understood, even by administrators. Last year, Danny O’Brien published an article titled “The Internet’s Secret Back Door”, which gives some good insight into why CAs exist and what they do. In simplified form, certificates are how a web browser verifies the authenticity of the website it is viewing. The concern is similar to that raised by the recent DNS attacks, in which a man-in-the-middle attack can be mounted by setting up a website that poses as the real one.
A full list of rogue certificates signed by DigiNotar has been published by the Tor Project. The list includes many major websites like Facebook, Twitter, Microsoft, and Google. The concern is that if the entity that compromised those certificates has the expertise, it can spoof or at least monitor the secure traffic to those sites.
Immediately following the incident, Firefox released an update (6.0.2) to remove all DigiNotar signatures from its list of trusted certificates. Microsoft did the same by releasing patches that revoke DigiNotar certificates. Chrome is planning to do the same. Apple has yet to act.
A former Apple employee, Paul Suh, describes on his website ps-Enable how to remove the certificates on Macs. His opinion is that “due to the nature of the certificates system, until the DigiNotar.nl registrar is completely secured and how the attack was conducted becomes publicly available, every SSL protected website and service in the world is vulnerable.” He may not be far from the truth.
The hacker’s IP address was in Iran, and the Iranian who takes credit for the breach, known as ComodoHacker, was also involved in obtaining false certificates in March of this year for Google, Yahoo, Skype, and other major websites. He now claims to have accessed four high-profile CAs; a number of CAs were using the same domain controller, which gave him access. His motivation is very ideological, much like that of Anonymous and LulzSec. The security firm Fox-IT, which was called in to investigate, produced a report (PDF) that suggests the objective of the hacker was to intercept secure communications in Iran.
There isn’t evidence yet that GlobalSign, another CA, was compromised, but it is taking the precaution of ceasing to issue additional certificates. A breach in such a vital part of internet security will certainly raise concern among system administrators.