Today the Dutch government released a letter signed by the minister of internal affairs and the minister of security and justice, addressed to their house of representatives. The letter has as an attachment an interim report by the CEO of security company Fox-IT, who has been heading an audit at DigiNotar. The report itself is well worth a read [in English]. For those on limited time, some of the most interesting news and observations:
The letter [in Dutch] summarizes the report itself, and contains some additional information not in the report that is of interest:
Swa (760 Posts), Sep 7th 2011
A curious aside: The DigiNotar page titled to contain a reference to a page on how to replace their certificates with those of the competition contains incorrect HTML links resulting in "website not found" or similar messages, both on the general press release page http://diginotar.nl/Actueel/tabid/264/articleType/NewsListing/Default.aspx as well as on the details page (containing just the reference) http://diginotar.nl/Actueel/tabid/264/articleType/ArticleView/articleId/331/Default.aspx
Honi soit qui mal y pense! Johan
jbezem (1 Posts), Sep 6th 2011
Swa, you've missed one relevant aspect in my government's letter (I'm embarrassed to say I'm from Holland): the ministers have asked Microsoft to postpone updates, for the Netherlands only, that would invalidate DigiNotar certificates (see the top of page 6).
IMHO this is TOTALLY IRRESPONSIBLE. Attackers now have 500+ falsified certificates + private keys and are able to attack end users as well as business/government communications. This needs to be fixed ASAP. If specific institutions fear problems resulting from this update, they should block updates themselves. The same mistake was already made one week ago when my government asked Mozilla to make a similar exception (see the last couple of code lines in https://bugzilla.mozilla.org/show_bug.cgi?id=682927#c58). At that time the rationale was that only one certificate (for *.google.com) had been falsified. They were wrong then. I know Fox-IT is a reputable company, but in the rush they could have missed things too: also intermediate certificates under the "Staat der Nederlanden Root CA" and "Staat der Nederlanden Root CA - G2" may have been falsified. Furthermore, my best guess is that the blips *outside of Iran* in http://www.youtube.com/watch?v=_eIbNWUyJWQ (referenced from the Fox-IT report) are the result of DNS attacks. Iranian people using tunnels but *local* DNS would end up, at the end of the tunnel, *returning* to spoofed Google sites in Iran that submit falsified certificates (which could explain the OCSP requests to validation.diginotar.nl from outside of Iran). This seems to imply that it's not the Iranian government who is behind these attacks. IMO the risk is huge that at some point the stolen certificates and private keys will end up in the hands of cybercriminals and will be used to attack Dutch PC users. I hope Microsoft ignores this request.
Erik van Straten (129 Posts), Sep 6th 2011
That possible "negligence" is still directly visible to the end-user. As the SSL Labs report shows, the HTTPS configuration of the DigiNotar webserver isn't exactly top-notch:
https://www.ssllabs.com/ssldb/analyze.html?d=www.diginotar.com
Erik van Straten (5 Posts), Sep 6th 2011
The Dutch police have now started an investigation.
http://webwereld.nl/nieuws/107837/justitie-stort-zich-op-diginotar.html (in Dutch)
Erik van Straten (2 Posts), Sep 6th 2011
Sorry if old news, found on pastebin:
http://pastebin.com/1AxH30em
http://pastebin.com/85WV10EL
http://pastebin.com/jhz20PqJ
Appears it's Comodohacker at it again.
Erik van Straten (1 Posts), Sep 7th 2011