What can you do with such a certificate? Well, you can impersonate Google -- assuming you can first reroute Internet traffic for google.com to you. This is something that can be done by a government or by a rogue ISP. Such a reroute would only affect users within that country or under that ISP.
This is not entirely true...
For a short time on Tuesday, internet traffic sent between Facebook and subscribers to AT&T's internet service passed through hardware belonging to the state-owned China Telecom before reaching its final destination
Any ISP or country which sent bogus routes like that would get away with it briefly, before getting blackholed. So, sure, if you just needed a window of a couple of minutes and you didn't mind it making international news, you could do this.
Also, any entity trusted only to receive traffic but not to route third-party traffic will typically get limited to routes that lead to its own IP block, making this only an option for entities trusted to actually route third-party traffic. And if any such entity pulled a stunt like this more than once, they'd have a hard time arguing that it occurred accidentally.
"VASCO does not expect that the DigiNotar security incident will have a significant impact on the company’s future revenue or business plans."
Anything less than termination of the DigiNotar business and paying for a real third-party equivalent SSL cert of equivalent length for all affected customers who have ever been issued DigiNotar certs, plus compensation for the cost of rekeying, should result in action against VASCO (the parent company). It's obvious they don't take the SSL cert business seriously, and it's a small part of their revenue, so they need to just exit it.
They're probably right. VASCO's core products and DigiNotar's appear to be separate BUs (they don't even share IT infrastructure according to the press release). And even within DigiNotar, the SSL CA appears to be an afterthought; VASCA says it did less than $100k EU last year.
Yes, this does beg the question of why an organization like DigiNotar was allowed to be a browser CA root.
That it is kind of absurd that the lives of Iranian dissidents depend on this relationship between browser developers and incompetent bid dumb organizations asserting trustworthiness and competence, IMO.
Having lots of CAs is commercial pressure, but as log as any can issue for any, it means security is as vulnerable as the weakest company's weakest system or staffer.
The lives of Iranian dissidents (a) really don't† and (b) shouldn't depend on browser CA configurations. In reality if your adversary is a hostile government, you should be taking steps beyond verifying SSL certificates.
Incompetence doesn't begin to describe this statement. They say: Your browser might throw some warnings when communicating with government services. In 99.9% of the cases this is a false alarm and you can safely ignore it.
By own accord 1 in a 1000 (of 9 million users) can get MitM'ed and yet you teach people that it is safe to ignore it... They appear to use the same audit company from last time.
The Consumentbond already tells people to expect warnings and ignore them, for they have not been hacked, but merely experience a temporary "browser issue". Reports of DigiD helpdesk telling people to ignore warnings, lower security settings or place the site in "trusted sites".
> The Consumentbond already tells people to expect warnings and ignore them, for they have not been hacked, but merely experience a temporary "browser issue". Reports of DigiD helpdesk telling people to ignore warnings, lower security settings or place the site in "trusted sites".
Isn't that because Mozilla also blocked certs used by the Dutch gov (which DigiD uses I suppose), which aren't actually compromised?
I read that in a new update they'll unblock the Dutch gov certs though.
Still never a good idea to teach people to ignore warnings, especially not on a site like DigiD.
This is an Über Failure if I have ever seen one. They detected the breech on July 19th but didn't think to check to see if anything was amiss?!? I think that OS companies and browsers must come down hard on compromised certificate authorities. A ZERO tolerance policy should be enforced resulting in a permanent BAN if your private keys are compromised!
18 comments
[ 2.8 ms ] story [ 40.2 ms ] threadI've already removed Diginotar from my Firefox trusted CAs. I don't think they're going to earn their way back in.
The fact that they said that makes me trust them even less.
What can you do with such a certificate? Well, you can impersonate Google -- assuming you can first reroute Internet traffic for google.com to you. This is something that can be done by a government or by a rogue ISP. Such a reroute would only affect users within that country or under that ISP.
This is not entirely true...
For a short time on Tuesday, internet traffic sent between Facebook and subscribers to AT&T's internet service passed through hardware belonging to the state-owned China Telecom before reaching its final destination
-- http://www.theregister.co.uk/2011/03/23/facebook_traffic_chi...
Also, any entity trusted only to receive traffic but not to route third-party traffic will typically get limited to routes that lead to its own IP block, making this only an option for entities trusted to actually route third-party traffic. And if any such entity pulled a stunt like this more than once, they'd have a hard time arguing that it occurred accidentally.
Anything less than termination of the DigiNotar business and paying for a real third-party equivalent SSL cert of equivalent length for all affected customers who have ever been issued DigiNotar certs, plus compensation for the cost of rekeying, should result in action against VASCO (the parent company). It's obvious they don't take the SSL cert business seriously, and it's a small part of their revenue, so they need to just exit it.
Yes, this does beg the question of why an organization like DigiNotar was allowed to be a browser CA root.
Having lots of CAs is commercial pressure, but as log as any can issue for any, it means security is as vulnerable as the weakest company's weakest system or staffer.
† but not for reasons that will make you happy
http://translate.google.com/translate?hl=en&sl=auto&...
Incompetence doesn't begin to describe this statement. They say: Your browser might throw some warnings when communicating with government services. In 99.9% of the cases this is a false alarm and you can safely ignore it.
By own accord 1 in a 1000 (of 9 million users) can get MitM'ed and yet you teach people that it is safe to ignore it... They appear to use the same audit company from last time.
The Consumentbond already tells people to expect warnings and ignore them, for they have not been hacked, but merely experience a temporary "browser issue". Reports of DigiD helpdesk telling people to ignore warnings, lower security settings or place the site in "trusted sites".
Isn't that because Mozilla also blocked certs used by the Dutch gov (which DigiD uses I suppose), which aren't actually compromised?
I read that in a new update they'll unblock the Dutch gov certs though.
Still never a good idea to teach people to ignore warnings, especially not on a site like DigiD.