DigiNotar
VASCO Data Security International, Inc. in 2010; declared bankrupt in 2011 | |
Headquarters | , |
---|---|
Products | Public key certificates |
Services | Certificate authority |
Owner | VASCO Data Security International |
Website | Archived April 27, 2008, at the Wayback Machine |
DigiNotar was a Dutch
Overview
On September 3, 2011, after it had become clear that a security breach had resulted in the
An investigation into the hacking by Dutch-government appointed Fox-IT consultancy identified 300,000
After more than 500 fake DigiNotar certificates were found, major web browser makers reacted by blacklisting all DigiNotar certificates.[10] The scale of the incident was used by some organizations like
Company
DigiNotar's main activity was as a
DigiNotar's root certificates were removed from the trusted-root lists of all major web browsers and consumer operating systems on or around August 29, 2011;[16][17][18] the "Staat der Nederlanden" roots were initially kept because they were not believed to be compromised. However, they have since been revoked.
History
DigiNotar was originally set up in 1998 by the Dutch notary Dick Batenburg from Beverwijk and the Koninklijke Notariële Beroepsorganisatie (KNB), the national body for Dutch civil law notaries. The KNB offers all kinds of central services to the notaries, and because many of the services that notaries offer are official legal procedures, security in communications is important. The KNB offered advisory services to their members on how to implement electronic services in their business; one of these activities was offering secure certificates.
Dick Batenburg and the KNB formed the group TTP Notarissen (TTP Notaries), where TTP stands for trusted third party. A notary can become a member of TTP Notarissen if they comply with certain rules. If they comply with additional rules on training and work procedures, they can become an accredited TTP Notary.[19]
Although DigiNotar had been a general-purpose CA for several years, they still targeted the market for notaries and other professionals.
On January 10, 2011, the company was sold to VASCO Data Security International.[1] In a VASCO press release dated June 20, 2011, one day after DigiNotar first detected an incident on their systems,[20] VASCO's president and COO Jan Valcke is quoted as stating "We believe that DigiNotar's certificates are among the most reliable in the field."[21]
Bankruptcy
On September 20, 2011, VASCO announced that its subsidiary DigiNotar was declared bankrupt after filing for
Refusal to publish report
The curator (court-appointed receiver) didn't want the report from ITSec to be published, as it might lead to additional claims towards DigiNotar. The report covered the way the company operated and details of the hack of 2011 that led to its bankruptcy.
The report was made at the request of the Dutch supervisory agency OPTA, which initially refused to publish it. In a freedom of information (Wet openbaarheid van bestuur) procedure started by a journalist, the receiver tried to convince the court not to allow publication of this report, and to confirm the OPTA's initial refusal to do so.[23]
The report was ordered to be released, and was made public in October 2012. It shows a near total compromise of the systems.
Issuance of fraudulent certificates
On July 10, 2011, an attacker with access to DigiNotar's systems issued a
After this certificate was found, DigiNotar belatedly admitted dozens of fraudulent certificates had been created, including certificates for the domains of
In reaction, Mozilla revoked trust in the DigiNotar root certificate in all supported versions of its
DigiNotar also controlled an intermediate certificate which was used for issuing certificates as part of the
Steps taken by the Dutch government
After the initial claim that the certificates under the DigiNotar-controlled intermediate certificate in the PKIoverheid hierarchy weren't affected, further investigation by an external party, the Fox-IT consultancy, showed evidence of hacker activity on those machines as well. Consequently, the Dutch government decided on September 3, 2011, to withdraw their earlier statement that nothing was wrong.[51] (The Fox-IT investigators dubbed the incident "Operation Black Tulip".[52]) The Fox-IT report identified 300,000 Iranian Gmail accounts as the main victims of the hack.[6]
DigiNotar was only one of the available CAs in PKIoverheid, so not all certificates used by the Dutch government under their root were affected. When the Dutch government decided that they had lost their trust in DigiNotar, they took back control over the company's intermediate certificate in order to manage an orderly transition, and they replaced the untrusted certificates with new ones from one of the other providers.[51] The much-used DigiD platform now uses a certificate issued by Getronics PinkRoccade Nederland B.V.[53] According to the Dutch government, DigiNotar gave them its full co-operation with these procedures.
After the removal of trust in DigiNotar, there are now four Certification Service Providers (CSP) that can issue certificates under the PKIoverheid hierarchy:[54]
All four companies have opened special help desks and/or published information on their websites as to how organisations that have a PKIoverheid certificate from DigiNotar can request a new certificate from one of the remaining four providers.[55][56][57][58]
See also
- Comodo Cybersecurity § Certificate hacking
- Operation Shady RAT
- PLA Unit 61398
- Stuxnet
- Tailored Access Operations
References
1. "VASCO Data Security International, Inc. announces the acquisition of DigiNotar B.V., a market leader in Internet trust services in the Netherlands" (Press release). VASCO. January 10, 2011. Archived from the original on September 17, 2011. Retrieved August 31, 2011.
2. ISSN 1944-0464.
3. Website Govcert Factsheet discovery fraudulent certificates Archived October 8, 2011, at the Wayback Machine. Retrieved September 6, 2011.
4. "VASCO Announces Bankruptcy Filing by DigiNotar B.V." (Press release). VASCO Data Security International. September 20, 2011. Archived from the original on September 23, 2011. Retrieved September 20, 2011.
5. ISSN 1091-2339. Retrieved June 30, 2023.
6. Gregg Keizer (September 6, 2011). "Hackers spied on 300,000 Iranians using fake Google certificate". Computerworld. Archived from the original on February 2, 2014. Retrieved January 24, 2014.
7. "New NSA Leak Shows Man-In-The-Middle Attacks Against Major Internet Services". September 13, 2013. Archived from the original on September 20, 2013. Retrieved September 14, 2013.
8. Rouwhorst, Koen (September 14, 2013). "No, the NSA was not behind the DigiNotar hack". Archived from the original on November 20, 2013. Retrieved November 19, 2013.
9. "Comodo hacker claims credit for DigiNotar attack". PC World Australia. September 6, 2011. Archived from the original on February 2, 2014. Retrieved January 24, 2014.
10. Bright, Peter (September 6, 2011). "Comodo hacker: I hacked DigiNotar too; other CAs breached". Ars Technica. Archived from the original on April 17, 2012. Retrieved April 29, 2019.
11. "Operation Black Tulip: Certificate authorities lose authority". www.enisa.europa.eu. Archived from the original on April 22, 2014. Retrieved January 24, 2014.
12. "The weakest link in the chain: Vulnerabilities in the SSL certificate authority system and what should be done about them. An Access Policy Brief Regarding the Consequences of the DigiNotar breach for Civil Society and Commercial Enterprise" (PDF). Archived (PDF) from the original on October 6, 2018. Retrieved February 20, 2019.
13. "Overzicht actuele rootcertificaten" [Survey of current root certificates] (in Dutch). DigiNotar. Archived from the original on August 31, 2011. Retrieved September 12, 2011.
14. "Entrust in relation with Diginotar". Ssl.entrust.net. September 14, 2011. Archived from the original on April 2, 2012. Retrieved February 1, 2012.
15. A print screen of a Diginotar certificate under the Entrust chain
16. "Microsoft Security Advisory 2607712". technet.microsoft.com. Archived from the original on June 10, 2016. Retrieved June 16, 2016.
17. "An update on attempted man-in-the-middle attacks". Google Online Security Blog. Archived from the original on June 10, 2016. Retrieved June 16, 2016.
18. "Fraudulent *.google.com Certificate". Mozilla Security Blog. Archived from the original on May 25, 2022. Retrieved June 16, 2016.
19. Website Diginotar on TTP Notarissen Archived August 31, 2011, at the Wayback Machine.
20. FOX-IT Interim Report, v1.0 Archived April 21, 2015, at the Wayback Machine (but before any certificates were misissued), Timeline, page 13. Retrieved September 5, 2011.
21. "VASCO Tackles Global SSL-Certificate Market". MarketWatch. June 20, 2011.
22. Press release Court of Haarlem on DigiNotar Archived September 24, 2011, at the Wayback Machine, 20 September 2011. Retrieved September 27, 2011.
23. News site nu.nl: Receiver afraid of more claims Archived June 30, 2012, at the Wayback Machine (Dutch), 22 June 2012. Visited: 25 June 2012.
24. Heather Adkins (August 29, 2011). "An update on attempted man-in-the-middle attacks". Archived from the original on September 13, 2011. Retrieved August 30, 2011.
25. Elinor Mills. "Fraudulent Google certificate points to Internet attack". Archived October 8, 2011, at the Wayback Machine CNET, 8/29/2011.
26. Charles Arthur (August 30, 2011). "Faked web certificate could have been used to attack Iran dissidents". The Guardian. Archived from the original on August 26, 2017. Retrieved August 30, 2011.
27. "Fraudulent certificate triggers blocking from software companies". Heise Media UK Ltd. August 30, 2011. Archived from the original on April 28, 2012.
28. "DigiNotar reports security incident". VASCO Data Security International. August 30, 2011. Archived from the original on August 31, 2011. Retrieved September 1, 2011.
29. "Mogelijk nepsoftware verspreid naast aftappen Gmail". Sanoma Media Netherlands groep. August 31, 2011. Archived from the original on December 4, 2011. Retrieved August 31, 2011.
30. "DigiNotar: mogelijk nog valse certificaten in omloop". IDG Nederland. August 31, 2011. Archived from the original on February 10, 2012. Retrieved August 31, 2011.
31. Keizer, Gregg (August 31, 2011). "Hackers may have stolen over 200 SSL certificates". F-Secure. Archived from the original on September 3, 2011. Retrieved September 1, 2011.
32. Markham, Gervase (September 4, 2011). "Updated DigiNotar CN List". Archived from the original on October 21, 2011. Retrieved September 20, 2011.
33. Hypponen, Mikko (August 30, 2011). "DigiNotar Hacked by Black.Spook and Iranian Hackers". Archived from the original on September 25, 2011. Retrieved August 31, 2011.
34. "Fraudulent Digital Certificates Could Allow Spoofing". Microsoft Security Advisory (2607712). Microsoft. August 29, 2011. Retrieved August 30, 2011.
35. Johnathan Nightingale (August 29, 2011). "Fraudulent *.google.com Certificate". Mozilla Security Blog. Mozilla. Archived from the original on September 21, 2011. Retrieved August 30, 2011.
36. "What The DigiNotar Security Breach Means For Qt Users". MeeGo Experts. September 10, 2011. Archived from the original on March 24, 2012. Retrieved September 13, 2011.
37. "Opera 11.51 released". Opera Software. August 30, 2011. Archived from the original on October 5, 2011. Retrieved September 1, 2011.
38. Vik, Sigbjørn (August 30, 2011). "When Certificate Authorities are Hacked". Opera Software. Archived from the original on October 8, 2011. Retrieved September 1, 2011.
39. "DigiNotar Second Step: Blacklisting the Root". Opera Software. September 8, 2011. Archived from the original on November 11, 2011. Retrieved September 20, 2011.
40. "About Security Update 2011-005". Apple. September 9, 2011. Archived from the original on September 25, 2011. Retrieved September 9, 2011.
41. "Safari users still susceptible to attacks using fake DigiNotar certs". Ars Technica. September 1, 2011. Archived from the original on October 12, 2011. Retrieved September 1, 2011.
42. "About the security content of iOS 5 Software Update". Apple. October 13, 2011. Archived from the original on February 5, 2009. Retrieved October 13, 2014.
43. Johnathan Nightingale (September 2, 2011). "DigiNotar Removal Follow Up". Mozilla Security Blog. Archived from the original on September 21, 2011. Retrieved September 4, 2011.
44. Tweakers.net (in Dutch). Archived from the original on September 28, 2011. Retrieved August 30, 2011.
45. "Frauduleus uitgegeven beveiligingscertificaat". August 30, 2011. Archived from the original on October 6, 2011. Retrieved August 31, 2011.
46. Schellevis, Joost (August 31, 2011). "Overheid vertrouwt blunderende ssl-autoriteit". Tweakers.net (in Dutch). Archived from the original on September 28, 2011. Retrieved August 31, 2011.
47. Schellevis, Joost (August 31, 2011). "Firefox vertrouwt DigiD toch na verzoek Nederlandse overheid". Tweakers.net (in Dutch). Archived from the original on September 28, 2011. Retrieved August 31, 2011.
48. "Bugzilla@Mozilla – Bug 683449 - Remove the exemptions for the Staat der Nederlanden root". Archived from the original on May 2, 2012. Retrieved September 5, 2011.
49. Gervase Markham (September 3, 2011). "DigiNotar Compromise". Archived from the original on September 25, 2011. Retrieved September 3, 2011.
50. "Security of Dutch government websites in jeopardy". Radio Netherlands Worldwide. September 3, 2011. Archived from the original on September 27, 2011. Retrieved September 3, 2011.
51. News release Dutch Government: Overheid zegt vertrouwen in de certificaten van Diginotar op Archived October 17, 2011, at the Wayback Machine, September 3, 2011. Retrieved September 5, 2011.
52. Charette, Robert (September 9, 2011). "DigiNotar Certificate Authority Breach Crashes e-Government in the Netherlands - IEEE Spectrum". Spectrum.ieee.org. Archived from the original on February 3, 2014. Retrieved January 24, 2014.
53. See certificate on Request DigiD account[permanent dead link]. Retrieved September 5, 2011.
54. Website Logius: Replacing Certificates. Retrieved September 5, 2011.
55. "PKIoverheid SSL". Archived from the original on July 12, 2012.
56. PKIOverheids certificates Archived October 10, 2011, at the Wayback Machine. Retrieved September 5, 2011.
57. Website Dutch office of Quovadis on PKIOverheid Archived October 10, 2011, at the Wayback Machine. Retrieved September 5, 2011.
58. Website Getronics on Requesting PKIOverheid certificate Archived October 10, 2011, at archive.today. Retrieved September 5, 2011.
Further reading
- Fox-IT (August 2012). Black Tulip: Report of the investigation into the DigiNotar Certificate Authority breach.
External links
- Official website (English, not mentioning the bankruptcy)
- Official website (Dutch, mentioning the bankruptcy)
- Fraudulent Certificates ‐ List of Common Names Archived October 18, 2011, at the Wayback Machine
- DigiNotar reports security incident
- Pastebin posts:
- Mozilla Foundation Security Advisory 2011-34: Protection against fraudulent DigiNotar certificates
- Microsoft Security Advisory (2607712): Fraudulent Digital Certificates Could Allow Spoofing
- DigiNotar Compromise - Mozilla's Gervase Markham's account of how and why Mozilla blacklisted DigiNotar.
- Johnathan Nightingale (September 2, 2011). "DigiNotar Removal Follow Up". Mozilla Security Blog. Retrieved September 4, 2011. Account by the Director of Firefox Engineering at the Mozilla Corporation of why Mozilla's removal of DigiNotar from the trusted list is not a temporary suspension, but a complete revocation of trust.
- Video on YouTube by Fox-IT, showing the subsequent OCSP requests by Iranian users of DigiNotar certificates (likely attacks).