DigiNotar audit - intermediate report available

Published: 2011-09-06
Last Updated: 2011-09-07 18:57:53 UTC
by Swa Frantzen (Version: 1)
5 comment(s)

Today the Dutch government released a letter signed by the minister of internal affairs and the minister of security and justice addressed to their house of representatives. The letter has as attachment an interim report by security company Fox-IT's CEO who has been heading an audit at DigiNotar.

The report itself is well worth a read [in English].

For those on limited time, some of the most interesting news and observations:

  • The defaced pages dating back to 2009 found by F-secure appear to have been copied during a re-installation of the  web server in August.
  • The OCSP server's working at DigiNotar has been reversed since Sept 1st. Normally these servers respond with good to all certificates except those on the CRL (a blocklist). The OCSP now operates in whitelist mode: it will call all unknown certificates signed by DigiNotar as revoked (a whitelist).
    Hence we need to make sure to use the OCSP server to validate DigiNotar certificates -should we want/need to- and not rely on the published CRLs anymore.
  • DigiNotar operates multiple CA servers, all of them seem to have been compromised by the hackers and having had Administrator level access, including those used for Qualified certificates and PKIOverheid certificates.
  • Some of the CA servers have had parts of their logs deleted, leading to DigiNotar not knowing what certificates were issued.
  • Hacker tools including Cain&Abel as well as specialized dedicated scripts -written in a language specific to the PKI environment- were found. Intentional fingerprints left in one of the scripts links it back to the Comodo breach.
  • There is a list of 6 CAs that have been found to have emitted rogue certificates
  • There is an incomplete list of 24 additional CAs that have had their security compromised but have not shown to have emitted rogue certificates
  • The rogue certificate for *.google.com detected in the wild was verified against the DigiNotar OCSP service from August 4th till it was revoked on August 29th. 300 000 different IP addresses verified that certificate.  More than 99% of those addresses trace back to Iran.
    The report notes that those who had their connections to gmail intercepted could have exposed their authentication cookies and that would expose their email itself, and through that also allow access to reset functionality of other services such as e.g. facebook.  It is recommended that those in Iran logout and change passwords.
  • 2 certificates were found on the PKIOverheid and Qualified environment that cannot be related to a valid certificate.Yet the logs appear to be intact and do not show rogue certificates created.
  • There is a list of failures of basic best security practices that have clearly not worked, implemented badly or were omitted. Yet the servers are housed in a tempest protected room.
  • The hackers breached the systems possible June 6th already, this got detected by DigiNotar on June 19th, The rogue certificates were created in July and the first time the *.google.com certificate that was detected in the wild was presented on July 27th to the OCSP server. Yet it took till DigiNotar was notified by govCERT.nl before they revoked the certificate.

The letter [in Dutch] summarizes the report itself, and contains some additional information not in the report that is of interest:

  • There is now an inquiry into DigiNotar for possible responsibility and negligence
  • The search for the hackers continues
  • DigiNotar filed an official reported the incident on September 5th
  • They suggest leniency and agreements for those cases where the revocation of trust in DigiNotar leads to problems such as with the timely filing of tax information in the Netherlands

Swa Frantzen -- Section 66

5 comment(s)


A curious aside: The DigiNotar page titled to contain a reference to a page on how to replace their certificates with those of the competition contains incorrect HTML links resulting in "website not found" or similar messages, both on the general press release page http://diginotar.nl/Actueel/tabid/264/articleType/NewsListing/Default.aspx as well as on the details page (containing just the reference) http://diginotar.nl/Actueel/tabid/264/articleType/ArticleView/articleId/331/Default.aspx
Honi soit qui mal y pense!

Swa, you've missed one relevant aspect in my government's letter (I'm embarrased to say I'm from Holland): the ministers have asked Microsoft to postpone updates, for the Netherlands only, that would invalidate DigiNotar certificates (see the top of page 6).

IMHO this is TOTALLY IRRESPONSIBLE. Attackers now have 500+ falsified certificates + private keys and are able to attack end users as well als business/government communications. This needs to be fixed ASAP. If specific institutions fear problems resulting from this update, they should block updates themselves.

The same mistake was already made one week ago when my government asked Mozilla to make a similar exception (see the last couple of code lines in https://bugzilla.mozilla.org/show_bug.cgi?id=682927#c58). At that time the rationale was that only once certificate (for *.google.com) had been falsified. They were wrong then. I know Fox-It is a reputable company, but in the rush they could have missed things too: also intermediate certificates under the "Staat der Nederlanden Root CA" and "Staat der Nederlanden Root CA - G2" may have been falsified.

Furthermore, my best guess is that the blips *outside of Iran* in http://www.youtube.com/watch?v=_eIbNWUyJWQ (referenced from the Fox-IT report) are the result of DNS attacks. Iranian people using tunnels but *local* DNS would end up, at the end of the tunnel, *returning* to spoofed Google sites in Iran that submit falsified certificates (which could explain the OCSP requests to validation.diginotar.nl from outside of Iran).

This seems to imply that it's not the Iranian government who is behind these attacks. IMO the risk is huge that at some point the stolen certificates and private keys will end up in hands of cybercriminals and will be used to attack Dutch PC users. I hope Microsoft ignores this request.
That possible "negligence" is still directly visible to the end-user. As the SSL Labs report shows, the HTTPS configuration of the DigiNotar webserver isn't exactly top-notch:

Dutch police has now started an investigation.
(in Dutch)
Sorry if old news, found on pastebin:

Appears it's Comodohacker at it again.

Diary Archives