DigiNotar breach leads to grave security concerns

By EDRi · September 7, 2011

This article is also available in:
Deutsch: [DigiNotar-Panne führt zu schwerwiegenden Sicherheitsbedenken | http://www.unwatched.org/EDRigram_9.17_DigiNotar-Panne_fuehrt_zu_schwerwiegenden_Sicherheitsbedenken?pk_campaign=edri&pk_kwd=20110907]

A breach of the systems of the Dutch certificate authority DigiNotar has
led to grave concerns about the security of internet users in Iran and
of Dutch government communications. On 2 September 2011, the Dutch
government withdrew its trust in certificates issued by DigiNotar after
the discovery of fraudulent certificates. It advised Dutch citizens not
to log in to websites that use these certificates until they have been
replaced. Meanwhile, there is credible evidence that the confidential
communications of hundreds of thousands of Iranians with Gmail have been
intercepted.

In June 2011, DigiNotar's servers were broken into, and in the weeks
that followed certificates were fraudulently issued from them. Although
some of these certificates were revoked, DigiNotar kept the breach
secret. Only weeks later, after someone in Iran who had tried to log in
to Gmail and received a browser warning about an unauthentic DigiNotar
certificate for Google posted about it on a forum, did DigiNotar
acknowledge the breach. The Dutch government was notified of the
incident on 29 August 2011.

DigiNotar revoked the rogue Google certificate and asked the Dutch
security firm Fox-IT to investigate the breach. The investigation
report showed that DigiNotar had not observed basic security measures
and that hundreds of false certificates had been issued from its
systems. The rogue Google certificate proved to have been in use since
27 July 2011, with active abuse observed between 4 and 29 August 2011.
It is likely that hundreds of thousands of sessions with Google from
Iran were intercepted using this certificate.

DigiNotar issues several types of certificates, including PKI-Overheid
certificates – typically used by the Dutch government for its websites –
and ‘simple’ certificates. As it could not be ruled out that false
PKI-Overheid certificates had also been issued, the Dutch government
decided to switch to certificates from other authorities.

The DigiNotar incident also raises questions about the safety and
trustworthiness of the certificate system in general. Worldwide,
hundreds of companies issue these certificates, and supervision of them
is limited: a certificate authority can sell certificates as long as it
meets the conditions the browser vendors set for inclusion in their
trust stores, and once included, it can issue a certificate for any
domain name, so the compromise of a single authority undermines every
site. There is no guarantee that all of them take adequate measures to
prevent and detect breaches. This should be a wake-up call for
governments and organisations all over the world to start actively
working on better, more robust certification systems.
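The following is an added example to make that structural point concrete; it is not code from the article, nor from DigiNotar, Fox-IT or the Dutch government. Using only the openssl command-line tool, it creates two throwaway root CAs and two certificates for the placeholder host mail.example.com (everything is constructed here; the "Rogue Root CA" is a freshly generated key, not DigiNotar's) and then runs three checks: ordinary path validation, which accepts the mis-issued certificate as long as the rogue root is still in the trust store; a public-key pin on the site's real key, which rejects it even while the root is trusted (Google Chrome shipped such pins for Google's own domains, which is how the warning described above was raised for a user whose browser otherwise trusted DigiNotar); and validation after the rogue root has been removed from the store, which is what withdrawing trust in an authority amounts to.

```shell
#!/bin/sh
# Added example (not from the article): a certificate issued by any trusted
# root validates for any name; a public-key pin or removing the root catches it.
# All material is constructed here. "Rogue Root CA" is a freshly generated key
# standing in for a compromised authority, and mail.example.com is a placeholder
# host. Requires the openssl command-line tool (1.0.2 or later).
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed root with CA extensions. $1: file prefix, $2: common name.
make_root() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca_ext.cnf"
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
    -subj "/CN=$2" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 1 -set_serial 1 \
    -extfile "$WORK/ca_ext.cnf" -out "$WORK/$1.pem" 2>/dev/null
}

# End-entity certificate for host $3 with its own fresh key, issued by root $1,
# written under file prefix $2.
make_leaf() {
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$3" > "$WORK/leaf_ext.cnf"
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$2.key" -out "$WORK/$2.csr" \
    -subj "/CN=$3" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -days 1 -set_serial 2 -extfile "$WORK/leaf_ext.cnf" -out "$WORK/$2.pem" 2>/dev/null
}

# Path validation as a browser performs it: certificate $2 must chain to a root
# in trust store $1 and carry hostname $3. Exit status 0 means accepted.
chain_validates() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Base64 SHA-256 of the certificate's SubjectPublicKeyInfo: the value a
# public-key pin records for a site, independent of which CA signed the cert.
spki_sha256() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl base64
}

# Pin check: does the presented certificate $1 carry the pinned key $2?
pin_matches() {
  [ "$(spki_sha256 "$1")" = "$2" ]
}

make_root honest "Honest Root CA"             # the CA that legitimately serves the site
make_root rogue  "Rogue Root CA"              # stands in for the compromised CA
make_leaf honest genuine    mail.example.com  # the site's real certificate and key
make_leaf rogue  mis_issued mail.example.com  # same name, attacker-controlled key

STORE_BEFORE="$WORK/store_before.pem"
cat "$WORK/honest.pem" "$WORK/rogue.pem" > "$STORE_BEFORE"   # both roots trusted
STORE_AFTER="$WORK/store_after.pem"
cp "$WORK/honest.pem" "$STORE_AFTER"                          # rogue root withdrawn
GENUINE="$WORK/genuine.pem"
MIS_ISSUED="$WORK/mis_issued.pem"
PIN=$(spki_sha256 "$GENUINE")   # what a client that pins mail.example.com remembers

report() {  # $1: label; remaining args: the check to run
  label=$1; shift
  if "$@"; then echo "accepted: $label"; else echo "rejected: $label"; fi
}
report "mis-issued cert, path validation, rogue root still trusted" \
  chain_validates "$STORE_BEFORE" "$MIS_ISSUED" mail.example.com
report "mis-issued cert, pin check, rogue root still trusted" \
  pin_matches "$MIS_ISSUED" "$PIN"
report "mis-issued cert, path validation, rogue root removed from store" \
  chain_validates "$STORE_AFTER" "$MIS_ISSUED" mail.example.com
report "genuine cert, pin check" pin_matches "$GENUINE" "$PIN"
```

The first check is the whole problem: the mis-issued certificate is indistinguishable from a legitimate one to any client that trusts the rogue root, because nothing in path validation ties a domain name to a particular authority. The pin catches it only for sites the client already has a pin for, which is why it protected Google's domains and nothing else; removing the root protects every site but cuts off every legitimate certificate from that authority too, which is why the Dutch government had to move its own sites to other authorities first. Revoking the rogue certificate, as DigiNotar did, is the weakest of the three: browsers typically fail open when a revocation check does not complete, and an attacker positioned to present the certificate is also positioned to block that check.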

Message about rogue certificate (28.08.2011)
https://www.google.com/support/forum/p/gmail/thread?tid=2da6158b094b225a&hl=en

Letter from the Dutch government about the intrusion at DigiNotar (only
in Dutch, 5.09.2011)
http://www.rijksoverheid.nl/documenten-en-publicaties/kamerstukken/2011/09/05/digitale-inbraak-diginotar.html

Interim report from Fox-IT about the DigiNotar Certificate Authority breach (5.09.2011)
http://www.rijksoverheid.nl/documenten-en-publicaties/rapporten/2011/09/05/diginotar-public-report-version-1.html

(Contributed by Marjolein van der Heide – EDRi-member Bits of Freedom – Netherlands)