Dutch certificate authority (CA) DigiNotar has admitted that its infrastructure was hacked, leading to a fraudulent Google.com SSL certificate being issued.
With a valid certificate issued and signed by DigiNotar, a browser would display no warning when a user visited a website presenting that certificate, because DigiNotar was a trusted CA. A statement by DigiNotar's parent Vasco said that an intrusion was noted on 19th July, which resulted in the fraudulent issuance of public key certificate requests for a number of domains, including Google.com.
It said: “At that time, an external security audit concluded that all fraudulently issued certificates were revoked. Recently, it was discovered that at least one fraudulent certificate had not been revoked at the time.
“After being notified by Dutch government organisation Govcert, DigiNotar took immediate action and revoked the fraudulent certificate.”
It said that the attack was targeted solely at DigiNotar's CA infrastructure for issuing SSL and EVSSL certificates, and that no other certificate types were issued or compromised. Vasco added that it does not expect the DigiNotar security incident to have a significant impact on the company's future revenue or business plans.
A public report was posted by an Iranian user on a help forum, which said that he had received a certificate warning from his Chrome browser when he attempted to log into Gmail. The forum note included a link to a Pastebin file, which contains the text of the fake cert that was issued on the 10th July.
Google responded that it had received reports of attempted SSL man-in-the-middle (MITM) attacks against Google users; those affected were primarily located in Iran, and the attacker used the fraudulent SSL certificate issued by DigiNotar.
Heather Adkins, information security manager at Google, said: “Google Chrome users were protected from this attack because Chrome was able to detect the fraudulent certificate. To further protect the safety and privacy of our users, we plan to disable the DigiNotar certificate authority in Chrome while investigations continue.
“Mozilla also moved quickly to protect its users. This means that Chrome and Firefox users will receive alerts if they try to visit websites that use DigiNotar certificates.”
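Chrome caught the rogue certificate because it ships built-in public key pins for Google domains: a chain for google.com must not only validate to a trusted root, it must also pass through a key Google expects. The Go program below is an added illustration, not code from this article or from Google or DigiNotar; it constructs a legitimate CA and a compromised CA (standing in for DigiNotar), trusts both, issues a google.com certificate from each, and shows that ordinary CA validation accepts both while a pinset rejects the rogue one. Names, keys and certificates are all generated in-process and are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for name signed by parent's key (self-signed when parent is nil).
func issue(name string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, DNSNames: []string{name}}
	if parent == nil {
		parent, pkey = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	c, _ := x509.ParseCertificate(der)
	return c, key
}
// spkiPin is the SHA-256 of a certificate's SubjectPublicKeyInfo, the value a pinset stores.
func spkiPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }
// accepted runs the ordinary chain check; with a pinset it also requires the chain's root key to be pinned.
func accepted(leaf *x509.Certificate, roots *x509.CertPool, host string, pins map[[32]byte]bool) bool {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil || pins == nil {
		return err == nil // plain CA trust: any trusted CA may vouch for any host name
	}
	return pins[spkiPin(chains[0][len(chains[0])-1])] // CA-valid but unpinned root: rejected, as Chrome rejected the rogue cert
}
// Scenario trusts a legitimate CA and a compromised CA equally (as browsers trusted DigiNotar) and tests google.com leaves from both.
func Scenario() (legitPlain, roguePlain, legitPinned, roguePinned bool) {
	legitCA, legitKey := issue("legit-root-ca", true, nil, nil)
	rogueCA, rogueKey := issue("compromised-ca", true, nil, nil) // hypothetical stand-in for the breached CA
	legitLeaf, _ := issue("google.com", false, legitCA, legitKey)
	rogueLeaf, _ := issue("google.com", false, rogueCA, rogueKey)
	roots := x509.NewCertPool()
	roots.AddCert(legitCA)
	roots.AddCert(rogueCA)
	pins := map[[32]byte]bool{spkiPin(legitCA): true} // the issuer key google.com is expected to chain to
	return accepted(legitLeaf, roots, "google.com", nil), accepted(rogueLeaf, roots, "google.com", nil),
		accepted(legitLeaf, roots, "google.com", pins), accepted(rogueLeaf, roots, "google.com", pins)
}
func main() { fmt.Println(Scenario()) }
```

Real pinsets usually name an issuer key (root or intermediate) rather than the leaf, so a site can rotate its server certificate without breaking pinned clients; here each chain is just leaf plus root, so the root key is checked.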
Mikko Hypponen, chief research officer at F-Secure, said: “Somehow, somebody managed to get a rogue SSL certificate and this certificate was issued for domain name Google.com. What can you do with such a certificate? Well, you can impersonate Google, assuming you can first reroute internet traffic for google.com to you.
“But why would anybody want to intercept Google? Well, this is not really about the search engine at www.google.com. This is about the Gmail servers at mail.google.com and Google Docs at docs.google.com, and maybe Google+ at plus.google.com.”
Hypponen said that he had seen a similar attack in May (via the certificate reseller instantssl.it in Italy), with both cases tied to Iran, so he considered it likely that the government of Iran is using these techniques to monitor local dissidents.
“Iran does not have its own CA. If they did, they could just issue rogue certificates themselves. But since they don't, they need such certificates from a widely trusted CA. Such as Diginotar,” he said.
Also looking at the statement by Vasco on behalf of Diginotar, Hypponen asked why Diginotar revoked the other rogue certificates but missed the one issued to Google.
He said: “Didn't Diginotar think it's a tad weird that Google would suddenly renew their SSL certificate and decide to do it with a mid-sized Dutch CA, of all places? When Diginotar was auditing their systems after the breach, how on earth did they miss the Iranian defacement?”
Chester Wisniewski, senior security advisor at Sophos Canada, said: “Was DigiNotar compromised? Were the perpetrators able to acquire the CA's certificate and sign their own bogus certificate? Or was DigiNotar tricked into signing the certificate for someone pretending to be Google?
“The answer to that question is nearly irrelevant as it is simply more evidence that the current CA infrastructure that we have decided to ‘trust’ is totally untrustworthy. It doesn't matter how this happened, it has happened before and unfortunately will happen again.”
In March, hackers gained access to Comodo's certificate generation system to fabricate nine fraudulent credentials for big-name sites like Google, Yahoo, Skype and Microsoft's Hotmail. An independent Iranian hacker claimed responsibility.