In case you have not heard, another SSL certificate provider, the Dutch certificate authority DigiNotar, a subsidiary of Vasco Data Security, was breached recently, and judging from the preliminary report of the company that audited the incident, it looks pretty bad.
Some of the names on the list of bogus certificates generated by the attackers include Comodo, Google, Thawte, Microsoft, Mozilla, WindowsUpdate, WordPress, MI6, the CIA, Facebook and Twitter.
For three whole months (June to August), the attacker camped out on DigiNotar’s servers, did their work and cleaned up after themselves. The attacker was even kind enough to leave a message in a script file that was used to generate the rogue certificates.
The question now is, how much trust should we place in these providers of digital certificates? A few months ago (March 2011), a subsidiary of Comodo was hacked, apparently by the same person. Here’s why I am concerned; I’ll quote from page 9 of the report:
- The successful hack implies that the current network setup and/or procedures at DigiNotar are not sufficiently secure to prevent this kind of attack.
- The most critical servers contain malicious software that can normally be detected by anti-virus software
- The separation of critical components was not functioning or was not in place
- The CA (Certificate Authority) servers were accessible over the network from the management LAN
- All CA servers were members of the same Windows domain (and they all apparently used the same user/password combination)
- The password was not very strong and could easily be brute-forced
- The software installed on the public web servers was outdated and not patched
- No antivirus protection was present on the investigated servers
- No secure central network logging was in place
The breach has led to the revocation of a lot of digital certificates, over 500 so far. It also prompted Mozilla to take measures so “that all DigiNotar certificates will be untrusted by Mozilla products,” which includes the Firefox browser, and Google’s Chrome browser placed DigiNotar certificates on a permanent block list. Pulling the CA from the trust store is a stronger measure than revoking individual certificates, because it also covers any rogue certificates that have not yet been identified.
It is inexplicable that after the attention the Comodo breach garnered, and the recent spate of hacks against RSA, Barracuda, Citigroup and a host of other high-profile targets, the management at DigiNotar did not see fit to exercise due diligence and at least some measure of due care.
It is even more depressing because, according to this F-Secure blog post, the company had been hacked before, back in May 2009.
Look at the bullet points above again and tell me whether those are not things that could have been fixed. Beyond that, what role did their auditor play in this mess? It would be ridiculous to assume that they were not paying an external party to audit their environment. Why did an auditing firm not raise a red flag over these lapses? Is this another case of checkbox auditing that has come back to bite DigiNotar in the ass?
The larger concern is how we can continue to trust DigiNotar and other certificate authorities to help ensure that nobody eavesdrops on secure communications between users and the sites they visit. After all, anyone armed with a rogue certificate for a web firm or service, and with a position on the network path (a hijacked DNS resolver or an ISP-level intercept will do), can impersonate that organization and read communications that would otherwise be unreadable because they are encrypted. The browser has no way of telling the rogue certificate from the genuine one: both chain to a root it trusts.
As Russ Bellew posted, DigiNotar filed for bankruptcy, and their fate should be a wake-up call to other certificate authorities, and indeed to all companies with an internet presence. After all, the DigiNotar hacker did say that four other major CAs were on the chopping block.
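To make the two preceding points concrete (a rogue certificate validates exactly like a genuine one as long as its CA is trusted, and a browser block list is what finally stops it), here is an added example written for this post; it is not code from the original article, from DigiNotar or from any browser vendor. It uses only Go's standard library crypto/x509. The root CA name, the host name and the keys are all constructed on the spot for the demonstration and stand in for no real certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newKey generates a P-256 key; a real CA would keep this in an HSM.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	return k
}

// buildPKI constructs a throwaway root CA and a leaf certificate it signed for
// a host the "customer" does not own, i.e. the kind of certificate the intruder
// minted. Names are made up for this example; nothing here is a real hierarchy.
func buildPKI() (root, rogueLeaf *x509.Certificate) {
	now := time.Now()
	rootKey := newKey()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Compromised Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	check(err)
	root, err = x509.ParseCertificate(rootDER)
	check(err)

	leafKey := newKey()
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "mail.example.com"},
		DNSNames:     []string{"mail.example.com"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey)
	check(err)
	rogueLeaf, err = x509.ParseCertificate(leafDER)
	check(err)
	return root, rogueLeaf
}

// fingerprint is the SHA-256 of the DER encoding, the usual key for a block
// list because it is unaffected by whatever the subject name says.
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// verifyChain is ordinary path validation: the leaf is accepted for host if it
// chains to a root in the trust store. Nothing here knows the CA was breached.
func verifyChain(leaf, root *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// verifyWithDistrust adds the block-list step: every certificate in every
// candidate chain is compared against a set of distrusted fingerprints, and a
// hit rejects the connection even though the chain itself validates.
func verifyWithDistrust(leaf, root *x509.Certificate, host string, blocked map[string]bool) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return err
	}
	for _, chain := range chains {
		for _, c := range chain {
			if blocked[fingerprint(c)] {
				return fmt.Errorf("%q chains through distrusted certificate %q",
					leaf.Subject.CommonName, c.Subject.CommonName)
			}
		}
	}
	return nil
}

func main() {
	root, rogue := buildPKI()
	host := "mail.example.com"
	fmt.Println("CA trusted, no block list:", verifyChain(rogue, root, host))
	blocked := map[string]bool{fingerprint(root): true}
	fmt.Println("CA on block list:", verifyWithDistrust(rogue, root, host, blocked))
}
```

The first call succeeds: the rogue certificate was signed by a key the client trusts, so path validation has nothing to object to. The second fails only because the root's fingerprint is on the block list, which is the mechanism the browser vendors reached for rather than waiting on revocation data from the breached CA.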