Google One of Many Victims in SSL Certificate Hack
By Jeremy Kirk
A Dutch company that issues digital certificates used to authenticate websites said late Tuesday that several dozen other websites in addition to Google have been affected by a security breach.
The company, DigiNotar, issues SSL (Secure Sockets Layer) and EV SSL (Extended Validation) certificates. Before treating a site as genuine, a Web browser checks that the site's certificate was issued by an authority the browser trusts, which is what keeps people from being fooled by a fake website posing as a legitimate one.
DigiNotar is what's called a Certificate Authority (CA), an entity that sells digital certificates to legitimate website owners. But DigiNotar's systems issued a digital certificate for the google.com domain to someone who was not Google. An attacker holding such a certificate, and positioned to intercept a user's traffic, could impersonate Google's servers and read that person's e-mail, since any browser that trusts DigiNotar would accept the certificate as valid.
Google said Monday the fraudulent certificate had been used in attacks targeting users in Iran. A security feature in its Chrome browser, which pins the public keys Google's own sites are expected to present and rejects a certificate for those sites that carries any other key, detected the certificate and tipped off users with a warning.
DigiNotar, a subsidiary of a security company called Vasco Data Security International, issued a statement on Monday saying it discovered on July 19 during an audit that its infrastructure used to issue the certificates had been breached.
In an interview late Tuesday afternoon, Jochem Binst, corporate communications director for Vasco, said that the attackers created fraudulent certificates for “several dozen” websites. Most were revoked after their discovery, he said.
But the digital certificate for google.com, which was issued July 10, only went live on Sunday, Binst said. In its statement, Vasco said that the Dutch Computer Emergency Response Team notified it that the google.com certificate had not been revoked yet. It was finally revoked on Monday, Binst said.
It’s not known how attackers breached DigiNotar’s certificate-issuing infrastructure or how long they had access, but an audit is under way. “We are in the course of doing an extra audit and those findings will probably be known by the end of the week,” Binst said.
DigiNotar is halting sales of digital certificates as it investigates, Binst said. DigiNotar primarily sells its digital certificates to businesses in the Netherlands.
Those businesses will have a hard time over the next few days. Google, Mozilla and Microsoft have removed, or are in the process of removing, DigiNotar's root certificate from the lists of trusted authorities built into their browsers. Once that happens, every certificate DigiNotar issued fails validation, not just the fraudulent ones, so people who go to websites using those certificates will likely see a warning saying the website is untrusted and should not be accessed.
Binst said DigiNotar is contacting its customers. One option to fix the problem is to have those websites switch over to certificates issued by the Dutch government, although he could not say which agency would issue those replacement certificates. Another option, Binst said, is to approach the browser makers to make technical changes to honor its certificates.
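The two mechanisms at work in this story, shown as an added example that is not part of the article and is not DigiNotar's or Google's code: the ordinary check a browser makes (does the site's certificate chain to a root in the trust store?), which a certificate from a breached CA passes; the key pinning that still catches such a certificate (Chrome's check covers the whole chain, while this version compares only the site's own key, a simplification); and the effect of pulling the breached CA's root from the trust store, which fails every certificate it issued while leaving other sites untouched. Every CA, key and name below is generated on the fly and hypothetical; only Go's standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds a throwaway certificate: a self-signed CA root when parent is
// nil, otherwise a server certificate for host cn signed by parent. Every name
// is hypothetical; none of this is DigiNotar's or Google's real key material.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo-only serial
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // browsers match the host against the SAN
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// chainsToTrusted is the check a browser performs on every TLS handshake: does
// the presented certificate chain to a root in the trust store, for this host?
func chainsToTrusted(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// spkiPin is the SHA-256 of the certificate's SubjectPublicKeyInfo. A pinning
// browser hard-codes the pins expected for a domain and rejects any other key,
// no matter which trusted CA signed the certificate.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// Outcome records the checks the article describes.
type Outcome struct {
	RogueTrustedBeforeDistrust  bool // fraudulent google.com cert while the breached root is trusted
	RogueTrustedAfterDistrust   bool // the same cert once the breached root is removed
	GenuineTrustedAfterDistrust bool // the real site is unaffected by that removal
	RoguePassesPin              bool // would a key-pinning browser accept the fraudulent cert?
}

// Scenario replays the incident with freshly generated hypothetical keys.
func Scenario() Outcome {
	breachedRoot, breachedKey := makeCert("Hypothetical Breached CA Root", true, nil, nil)
	googleCA, googleKey := makeCert("Hypothetical CA Used By Google", true, nil, nil)
	genuine, _ := makeCert("google.com", false, googleCA, googleKey)
	rogue, _ := makeCert("google.com", false, breachedRoot, breachedKey) // attacker-obtained
	before := x509.NewCertPool() // trust store before the browser vendors acted
	before.AddCert(breachedRoot)
	before.AddCert(googleCA)
	after := x509.NewCertPool() // trust store with the breached root pulled
	after.AddCert(googleCA)
	pins := map[string]bool{spkiPin(genuine): true} // Chrome-style pin for google.com
	return Outcome{
		RogueTrustedBeforeDistrust:  chainsToTrusted(rogue, before, "google.com"),
		RogueTrustedAfterDistrust:   chainsToTrusted(rogue, after, "google.com"),
		GenuineTrustedAfterDistrust: chainsToTrusted(genuine, after, "google.com"),
		RoguePassesPin:              pins[spkiPin(rogue)],
	}
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

Running it prints the four results: the rogue certificate verifies while the breached root is trusted, fails the pin check even then, and fails ordinary verification once the root is removed, while the genuine certificate keeps verifying. That last point is why DigiNotar's legitimate customers, whose certificates chain to the removed root rather than to another CA, are the ones left with browser warnings.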
Binst could not say how many customers DigiNotar has for its digital certificates, but Vasco said in its statement that the subsidiary’s revenue from issuing digital certificates was less than €100,000 (US$144,000) for the first six months of this year.