Attackers have compromised a certificate authority and obtained fraudulent public key certificates for a number of domains, including websites owned by search engine giant Google.
The breach at Dutch certificate authority DigiNotar, a subsidiary of VASCO Data Security International Inc., gave the attackers rogue SSL certificates that could be used to hijack Gmail accounts and to spoof secure websites that rely on SSL and EVSSL digital certificates to protect traffic and to prove their legitimacy to users. The breach took place July 19. In a statement, VASCO said it had believed all of the fraudulent certificates were revoked at the time.
“Recently, it was discovered that at least one fraudulent certificate had not been revoked at the time,” the company said. “After being notified by Dutch government organization Govcert, DigiNotar took immediate action and revoked the fraudulent certificate.”
The attack targeted the systems DigiNotar uses to issue its digital certificates. The certificate authority is temporarily suspending the sale of its SSL and EVSSL certificates until additional security audits are complete. VASCO said the systems that run its strong authentication business were not affected by the breach. Details of the fraudulent certificate were posted to a public forum last Saturday.
On Monday Google responded to the rogue certificate, saying it had disabled the DigiNotar certificate authority in Chrome. The company said the certificate primarily affected people in Iran. Mozilla has also removed trust in the DigiNotar root certificate from Firefox.
“This means Chrome and Firefox users will receive alerts if they try to visit websites that use DigiNotar certificates,” wrote Heather Adkins, an information security manager at Google in the Google Online Security blog. “To help deter unwanted surveillance, we recommend users, especially those in Iran, keep their Web browsers and operating systems up to date and pay attention to Web browser security warnings.”
Microsoft issued an advisory Monday, announcing it had removed the DigiNotar root certificate from the list of trusted root certificates for users of Windows Vista and Windows 7.
“The certificate potentially affects Internet users attempting to access websites belonging to Google,” wrote Dave Forstrom, director of Microsoft Trustworthy Computing in the Microsoft Security Response Center blog. “A fraudulent certificate may be used to spoof Web content, perform phishing attacks or perform man-in-the-middle attacks against end users.”
Attackers have targeted certificate authorities in the past. In March, hackers obtained fraudulent certificates from Comodo Inc. after they penetrated the systems of one of its partner registration authorities. The breach resulted in nine fraudulent certificates issued for seven Web domains, including those of search engine giants Google and Yahoo. An Iranian hacker claimed responsibility for obtaining the SSL certificates. Comodo said at no time were any Comodo root keys, intermediate CAs or secure hardware compromised.