iCopyleft
Four Freedoms 🇳🇱🇺🇸 work in progress
 
 
 

DigiNotar

A Dutch Certificate Authority, selling SSL certificates.

DigiNotar SSL certificate hack amounts to cyberwar, says expert

DigiNotar - notarial services for the Internet



DigiNotar reports security incident » OAKBROOK TERRACE, Illinois and ZURICH, Switzerland – August 30, 2011 – VASCO Data Security International, Inc. (Nasdaq: VDSI; www.vasco.com) today comments on DigiNotar’s reported security incident. DigiNotar is a wholly owned subsidiary of VASCO. http://www.vasco.com/company/press_room/news_archive/2011/news_diginotar_reports_security_incident.aspx

On July 19th 2011, DigiNotar detected an intrusion into its Certificate Authority (CA) infrastructure, which resulted in the fraudulent issuance of public key certificate requests for a number of domains, including Google.com.
Once it detected the intrusion, DigiNotar has acted in accordance with all relevant rules and procedures.
At that time, an external security audit concluded that all fraudulently issued certificates were revoked. Recently, it was discovered that at least one fraudulent certificate had not been revoked at the time.  After being notified by Dutch government organization Govcert, DigiNotar took immediate action and revoked the fraudulent certificate.

The attack was targeted solely at DigiNotar's Certificate Authority infrastructure for issuing SSL and EVSSL certificates. No other certificate types were issued or compromised. DigiNotar stresses the fact that the vast majority of its business, including its Dutch government business (PKIOverheid), was completely unaffected by the attack.

The company will take every possible precaution to secure its SSL and EVSSL certificate offering, including temporarily suspending the sale of its SSL and EVSSL certificate offerings. The company will only restart its SSL and EVSSL certificate activities after thorough additional security audits by third party organizations.

DigiNotar actively looks for quick and effective solutions for its existing (EV)SSL customers. The company expects to have a solution for its entire customer base before the end of this business week. DigiNotar expects that the cost of this action will be minimal.

The incident at DigiNotar has no consequences whatsoever for VASCO's core authentication technology. The technological infrastructures of VASCO and DigiNotar are completely separated, meaning that there is no risk for infection of VASCO’s strong authentication business.

VASCO expects the impact of the breach of DigiNotar’s SSL and EVSSL business to be minimal. Through the first six months of 2011, revenue from the SSL and EVSSL business was less than Euro 100,000.
VASCO does not expect that the DigiNotar security incident will have a significant impact on the company’s future revenue or business plans.

DigiNotar reports security incident | OneSpan » https://www.onespan.com/about/news/diginotar-reports-security-incident

Questions and answers about DigiNotar | Brochure | Rijksoverheid.nl » http://www.rijksoverheid.nl/documenten-en-publicaties/brochures/2011/09/05/vraag-en-antwoord-over-diginotar.html


News from the Lab Archive : Tuesday, August 30, 2011 • DigiNotar Hacked by Black.Spook and Iranian Hackers • Posted by Mikko @ 09:05 GMT » https://archive.f-secure.com/weblog/archives/00002228.html


The DigiNotar Debacle, and what you should do about it | Tor Blog • by ioerror | August 31, 2011 » https://blog.torproject.org/diginotar-debacle-and-what-you-should-do-about-it » Recently it has come to the attention of, well, nearly the entire world that the Dutch Certificate Authority DigiNotar incorrectly issued certificates to a malicious party or parties. Even more recently, it's come to light that they were apparently compromised months ago or perhaps even in May of 2009 if not earlier.

https://blog.torproject.org/files/translation-of-press-release.txt » http://pastebin.com/JTpA1tJ6 • This is an unofficial and not-so-beautiful translation by Bits of Freedom of Diginotar's messages to its customers regarding the breach of its security. The original text, which appears to be Dutch translated partly from English, can be found here: http://diginotar.nl/Actueel/tabid/264/articleType/ArticleView/articleId/327/Default.aspx

Messages have appeared on the internet regarding DigiNotar certificates which are not being trusted by the Browsers anymore (Microsoft Internet Explorer, Mozilla, Firefox, Chrome). This follows from a hacker attack on the computers of Diginotar, which took place mid July this year. DigiNotar has discovered this attack and taken comprehensive countermeasures. We used our own expertise, as well as external IT security experts which have performed an extensive investigation into how this attack was possible.

It appears that certificates have erroneously come into circulation from a subRoot (the Public Root 2025). From the performed investigation, it turns out that this only concerns SSL certificates and EVSSL certificates which have been issued under this subRoot. Other Roots have remained untouched. This applies in particular to the root from which PKIoverheid certificates are issued and the subRoot from which the DigiNotar qualified certificates are issued.

Meanwhile, DigiNotar revoked all certificates which the investigation identified as issued erroneously, and these are thus not used anymore. Unfortunately it turns out that there was still a certificate (in the name of Google.com) in circulation. This meanwhile has also been revoked. As far as we know, this certificate has been abused in Iran against users in Iran. DigiNotar has asked the independent firm Fox-IT, specializing in IT security, to again examine its systems in order to exclude all future risks as much as possible. The results of this investigation will be made public as soon as possible.

Implications for daily practice

Currently, pending this investigation, Browser suppliers have reacted differently to the statements regarding the confidence in the DigiNotar Roots in the Browser. One Browser supplier indicates that only the "bad" 2025 Public Root no longer is to be trusted, while the other states that other certificates from other Roots are not to be trusted. The latter conclusion is thus unjustified. DigiNotar is committed to remove any misunderstandings as quickly as possible. The browser vendors have already indicated that the security of the PKIOverheid Root and thus all PKIOverheid Root Certificates is not at stake.

Users of SSL certificates can, depending on the method which the browser supplier uses, be confronted with a message that the certificate is not to be trusted. This is incorrect in 99.9% of the cases: the certificate can be trusted. This can be indicated manually by the user in the browser, similar to certificates of issuers whose Root is not included in the Browser (see for the method the FAQ on our website). Users of other types of certificates will not normally be affected by the incident.

DigiNotar offers all holders of SSL and EVSSL certificates an option to return their certificates in exchange for PKIoverheid (EV) SSL certificates in order to reduce the inconvenience to the users to a minimum. When exchanging the certificates, the conditions for issuing PKIoverheid certificates should be taken into consideration. The exchange is of course without costs.


DigiNotar SSL certificate hack amounts to cyberwar, says expert | Hacking | The Guardian • Charles Arthur and agencies •  @charlesarthur • Mon 5 Sep 2011 18.14 BST » https://www.theguardian.com/technology/2011/sep/05/diginotar-certificate-hack-cyberwar » Dutch government revokes certificates used for all its secure online transactions, while CIA, Google, Microsoft and others affected by hack called 'worse than Stuxnet'


