# DigiNotar given vote of 'no confidence' by internet giants

News by Dan Raywood

Google, Microsoft and Mozilla have all revoked access to any certificates issued by DigiNotar.

Following the incident last week, where the Dutch certificate authority (CA) was hacked and fraudulent SSL certificates were issued, the online giants have now refused to accept any websites with certificates signed by DigiNotar.

Microsoft said that it was ‘in the process of moving all DigiNotar CAs to the Untrusted Root Store which will deny access to any website using DigiNotar CAs’.

According to the Register, Google has also released a new version of its Chrome browser that adds all DigiNotar certificates to a permanent block list.

Finally, a Mozilla blog post said that, following an earlier decision to revoke access to the DigiNotar certificates from all Mozilla software, this was not a temporary suspension; it was ‘a complete removal from our trusted root program’.

Johnathan Nightingale, director of Firefox Engineering at Mozilla, said that ‘complete revocation of trust is a decision we treat with careful consideration, and employ as a last resort’, and that three central issues informed its decision: failure to notify; the scope of the breach remains unknown; and the attack is not theoretical.

Nightingale said: “DigiNotar detected and revoked some of the fraudulent certificates six weeks ago without notifying Mozilla. This is particularly troubling since some of the certificates were issued for our own addons.mozilla.org domain.

“While we were initially informed by Google that a fraudulent *.google.com certificate had been issued, DigiNotar eventually confirmed that more than 200 certificates had been issued against more than 20 different domains.

“We now know that the attackers also issued certificates from another of DigiNotar's intermediate certificates without proper logging. It is therefore impossible for us to know how many fraudulent certificates exist, or which sites are targeted.” He also confirmed that Mozilla had received multiple reports of these fraudulent certificates being used in the wild.

He also said that in the Comodo incident, Comodo reported to Mozilla immediately, whereas Mozilla has no confidence that the problem has been contained in DigiNotar's case. “Furthermore, their failure to notify leaves us deeply concerned about our ability to protect our users from future breaches,” he said.

“The integrity of the SSL system cannot be maintained in secrecy. Incidents like this one demonstrate the need for active, immediate and comprehensive communication between CAs and software vendors to keep our collective users safe online.”

