This week saw the much-maligned Dutch certificate authority (CA) DigiNotar declared bankrupt by the Haarlem district court.
As revealed by SC magazine, DigiNotar's parent, Vasco Data Security, said a bankruptcy trustee and judge have been appointed to manage all of its affairs. The problems started for DigiNotar this summer when its infrastructure was hacked by the ‘Comodo hacker' Sun Ich, who was able to sign SSL certificates for legitimate websites.
This led to a flurry of media reports in late August, followed by a number of browser providers, including Google, Mozilla, Microsoft and Apple, revoking access to DigiNotar-signed certificates.
With none of the major browsers prepared to accept DigiNotar's certificates, it left the company in limbo before this week's announcement. In July, Vasco said that having discovered the incident, it conducted an external security audit which concluded that all fraudulently issued certificates had been revoked.
However, one certificate had not been accounted for; it was signed for Google and, after being notified by Dutch government organisation Govcert, DigiNotar took immediate action and revoked the fraudulent certificate.
So the question here is: did a combination of a hacking and bad press lead to the downfall of DigiNotar? Mikko Hypponen, chief research officer at F-Secure, said this was "a very clear case where a company folded because it was hacked". He pointed to Australian hosting provider Distribute.IT, which folded after being hacked; ISP Cloud 9 Communications, which folded after prolonged denial-of-service attacks in 2002; and anti-spam provider Blue Frog, which also went out of business.
Hypponen said: “So does getting hacked always equal going out of business? Well, no, not always. Sony's PlayStation Network was severely hacked earlier this year, but they're still in business.
“So what's the difference between Sony and these other guys? Well size and notoriety for one thing. Sony was so publicly humiliated that public opinion actually turned against the hackers and gave Sony PSN some time to recover its footing.
"DigiNotar, Distribute.IT, Cloud 9 and Blue Frog weren't big enough for all the details to come out during their troubles and they failed to win public opinion (trust) as a result, and then they suffered the consequences.”
The issue here then is one of trust. David Harley, chief executive of Small Blue-Green World, told SC magazine that for DigiNotar, the hack and bad press were nails in the coffin, but both were symptomatic of a breakdown in trust.
He said: “To some extent, most businesses are dependent on their customers' perception of trustworthiness and loss of that trust can bring a business to its knees. Take an example from outside this field: Gerald Ratner killed his brand, if not the business, by describing his product as ‘total crap'. While there might have been an element of ‘I'm not buying from a company that doesn't respect my taste' in the subsequent debacle, it was probably primarily about ‘if the CEO doesn't believe in its value, why should I?'.
"Heartland and TK Maxx survived without even having to change their brand. But in these cases, the primary product or service isn't based on trust, even though trustworthiness is seriously important to the sustainability of the service. In the case of DigiNotar, the product is trust. It is ‘you can trust this site because we say you can'.”
However, Harley denied that this is a tipping point where it becomes possible to kill a company by hacking it –that has always been the case in the lifetime of the internet and before, and this is a slightly different problem.
As part of the Microsoft patch that revoked trust in DigiNotar certificates, it was claimed that certificates that were cross-signed by Entrust and GTE were added. I caught up with Entrust this week, and vice president of certificate services David Rockvam said an agreement was signed in 2007 to cross-certify certificates, but this expired in 2010.
President and CEO of Entrust, F. William Conner, said: “If you are a CEO in security you have a duty of care. This happened in July but nothing was said until late August; there are contractual agreements and they have a duty of care to say what happened and to take action because this is significant.
“If you are in Iran and using Google, then it is possible that all of your information is exposed. Where is the duty of care to protect your customers?”
The future for DigiNotar does not look completely bleak; Vasco president and COO Jan Valcke said it expects to integrate DigiNotar's PKI/identity verification technology into its core authentication platform.
Harley commented that this is similar to Sellafield being renamed Windscale or Ratner's to Signet, but while rebranding to provide damage limitation is not intrinsically wrong or unethical, it can be ineffective.
What this has proved is that hacking can create more than a major headache for companies and that the certificate authority structure can count itself among the other high-level online infrastructures that have been proved to be vulnerable.
So as we say farewell to DigiNotar, we should remember that the person behind the hack has claimed that he has access to four other CAs. Perhaps it is time to take these threats more seriously.