The extent of the breach at Dutch certificate authority DigiNotar has broadened this week after an audit report analyzing DigiNotar’s servers, released by the Dutch government, showed major security lapses in the firm’s various CA servers.
The report, prepared by IT security firm Fox-IT, found the DigiNotar network had been “severely breached” compromising more than two dozen CA servers. The extent of the damage increased substantially, with evidence of CA servers that issued hundreds of signed rogue certificates against 20 different domains.
Some experts said the seriousness of the breach shines a light on the problems that plague the certificate system. Chester Wisniewski, a senior security advisor at UK-based security vendor Sophos LLC, said enterprise CISOs need to understand how their organization uses SSL certificates and come up with a contingency plan in the event the certificate provider being used is breached. In addition to SSL use in browsers to verify the authenticity of a website, many enterprises use digital certificates to authenticate users for SSL VPNs and email servers.
“Organizations need to understand what they should do if their SSL VPN would break for their users or if their e-commerce system would falter with their customers,” Wisniewski said. “Ask yourself: ‘Is there an alternative plan?’”
Organizations can obtain certificates from multiple certificate authorities to have a back-up plan for website validation if a CA is breached, he said. Alternatives to the current digital certificate system are being tested, but until Google, Microsoft and Mozilla begin to support alternative authenticity validation systems, the system is unlikely to change.
Instead, browser makers take action by blocking rogue certificates when they become publicly known. The Fox-IT report has prompted those browser makers to blacklist DigiNotar certificates. Microsoft updated its security advisory Tuesday, pushing out an automatic update to all supported versions of Windows, revoking the trust in DigiNotar root certificates. The company said it made the move to protect users of Internet Explorer from man-in-the-middle attacks. Rogue digital certificates also enable attackers to spoof content and perform phishing attacks.
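The two defensive points above, holding a certificate from a second CA and a browser removing a compromised root from its trust store, as an added example that is not part of the article: this Go program builds a constructed test PKI (two root CAs, a site certificate issued by each, and a rogue certificate issued by the compromised CA) and checks what still validates once the compromised root is dropped from the store. All CA names and hostnames are made up.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert builds a certificate for this constructed test PKI; parent == nil gives a self-signed root.
func newCert(cn string, ca bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil { parent, pkey = tmpl, key } // no parent: sign with the cert's own key (root)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Trusted reports whether leaf validates for host when the trust store holds only root.
func Trusted(leaf *x509.Certificate, host string, root *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}

// Scenario returns [primary cert while its CA is trusted, primary after that CA is removed, backup cert, rogue cert].
func Scenario() [4]bool {
	goodRoot, goodKey := newCert("Reliable Root CA", true, nil, nil)
	badRoot, badKey := newCert("Breached Root CA", true, nil, nil)
	primary, _ := newCert("www.example.com", false, badRoot, badKey)  // the site's existing certificate
	backup, _ := newCert("www.example.com", false, goodRoot, goodKey) // contingency certificate from a second CA
	rogue, _ := newCert("mail.example.net", false, badRoot, badKey)   // issued by the intruder at the breached CA
	return [4]bool{
		Trusted(primary, "www.example.com", badRoot),  // fine while the breached root is still trusted
		Trusted(primary, "www.example.com", goodRoot), // root removed from the store: the site's own cert breaks
		Trusted(backup, "www.example.com", goodRoot),  // the second-CA certificate keeps the site working
		Trusted(rogue, "mail.example.net", goodRoot),  // and the rogue certificate is rejected as well
	}
}
func main() { fmt.Println(Scenario()) } // prints [true false true false]
```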
“We’ve deemed all DigiNotar certificates to be untrustworthy and have moved them to the Untrusted Certificate Store,” wrote Dave Forstrom, director of Microsoft Trustworthy Computing in the Microsoft Security Response Center blog. “We recognize this issue as an industry problem, and we have been actively collaborating with certificate authorities, governments and software vendors to help protect our mutual customers.”
Microsoft is waiting a week before rolling out an automatic update to users in the Netherlands. Mozilla and Google have taken similar steps to block the rogue digital certificates.
“This is not a temporary suspension, it is a complete removal from our trusted root program,” wrote Jonathan Nightingale, director of Firefox engineering in the Mozilla Security blog. “Complete revocation of trust is a decision we treat with careful consideration, and employ as a last resort.”
Nightingale said the complete removal of the trusted root was taken because the scope of the breach remains unknown. In addition, DigiNotar revoked fraudulent certificates without notifying Mozilla.
In an update issued Sept. 3, Google said it is rejecting all Certificate Authorities operated by DigiNotar. “We encourage DigiNotar to provide a complete analysis of the situation,” wrote Heather Adkins, Google’s information security manager.
The Fox-IT report, which was released by the Dutch government, found serious problems with DigiNotar’s network.
“All CA servers were members of one Windows domain, which made it possible to access them all using one obtained user/password combination,” according to the DigiNotar breach report, which was made available on the Dutch government website Rijksoverheid. “The password was not very strong and could easily be brute-forced.”
In addition, the audit investigation found outdated software installed on the DigiNotar public Web servers. No antivirus protection was present on the investigated servers, Fox-IT said.
Traces of hacker activity, believed to have emanated from Iran, began June 19 and lasted until July 22. The attackers issued hundreds of rogue certificates, including SSL certificates for Google, Skype, Mozilla add-ons, Microsoft Update and others.
DigiNotar revoked the certificates and has added security measures on infrastructure, system monitoring and Online Certificate Status Protocol (OCSP) validation to identify the use of rogue certificates and prevent further attacks.
The security measures may have been too late. The report suggests the attackers used the stolen Google SSL certificate to snoop on users of Gmail in Iran. Log data analysis found 300,000 unique IP requests to Google.com with 99% originating from Iran, according to the report.
In a statement, VASCO Data Security International Inc., which owns DigiNotar, said it would fully cooperate with authorities and welcomed a full review of its systems by the Dutch government. As part of its proposal, VASCO invites the Dutch Government to send staff to work together to jointly assess and remedy the problem.