Rogue SSL certs were also issued for CIA, MI6, Mossad
The number of rogue SSL certificates issued by Dutch CA DigiNotar has ballooned from one to a couple dozen to over 250 to 531 in just a few days.
As Jacob Appelbaum of the Tor project shared the full list of the rogue certificates, it became clear that fraudulent certificates for domains of a number of intelligence agencies from around the world were also issued during the CA’s compromise – including the CIA, MI6 and Mossad.
Additional targeted domains include Facebook, Yahoo!, Microsoft, Skype, Twitter, Tor, WordPress and many others.
He received the list from sources in the Dutch Government, which has retracted its earlier statement that DigiNotar's PKIoverheid CA branch could still be trusted, announced to its citizens that it cannot guarantee the security of its own websites, taken over DigiNotar's operations and immediately organized audits of its infrastructure.
“The most egregious certs issued were for *.*.com and *.*.org while certificates for Windows Update and certificates for other hosts are of limited harm by comparison,” points out Appelbaum. “The attackers also issued certificates in the names of other certificate authorities such as ‘VeriSign Root CA’ and ‘Thawte Root CA’ as we witnessed with ComodoGate, although we cannot determine whether they succeeded in creating any intermediate CA certs.”
“That’s really saying something about the amount of damage a single compromised CA might inflict with poor security practices and regular internet luck,” he concludes. In a previous post, he compared the current state of the Certificate Authority system to a house of cards doused with petrol, waiting for a light.
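Why a `*.*.com` certificate is so much worse than one for a single host, and how a verifier can triage records for the indicators Appelbaum lists (an over-broad wildcard, a subject impersonating another CA's root name, the compromised issuer), as an added example that is not part of the article; the issuer string and the sample names are constructed placeholders, not entries from the published list.

```python
import fnmatch

# Constructed placeholder for the compromised issuer; not taken from the real list.
ROGUE_ISSUER = "DigiNotar Public CA (placeholder)"
# Root CA names the attackers used as certificate subjects, as quoted in the article.
KNOWN_ROOT_NAMES = {"VeriSign Root CA", "Thawte Root CA"}


def matches_hostname(pattern: str, hostname: str, strict: bool = True) -> bool:
    """Return True if certificate name `pattern` covers `hostname`.

    strict=True applies RFC 6125 style rules: a single '*' may only be the whole
    leftmost label and must be followed by at least two more labels, so '*.*.com'
    and '*.com' never match anything.  strict=False is the permissive
    label-by-label glob matching older clients used, under which '*.*.com'
    covers every three-label .com name.
    """
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard covers exactly one label, never several
    if strict:
        if any("*" in lab for lab in p_labels[1:]):
            return False  # wildcard outside the leftmost label
        if p_labels[0] == "*" and len(p_labels) < 3:
            return False  # '*.com' would cover an entire TLD
        if "*" in p_labels[0] and p_labels[0] != "*":
            return False  # partial wildcards such as 'f*o' are not accepted here
    return all(fnmatch.fnmatchcase(h, p) for p, h in zip(p_labels, h_labels))


def triage_cert(subject_cn: str, issuer: str) -> list:
    """List the article's indicators that apply to one certificate record."""
    findings = []
    if issuer == ROGUE_ISSUER:
        findings.append("issued by the compromised CA")
    labels = subject_cn.split(".")
    if sum("*" in lab for lab in labels) > 1 or (labels[0] == "*" and len(labels) < 3):
        findings.append("over-broad wildcard")
    if subject_cn in KNOWN_ROOT_NAMES:
        findings.append("impersonates another CA's root name")
    return findings


if __name__ == "__main__":
    print(matches_hostname("*.*.com", "login.example.com", strict=False))  # True
    print(matches_hostname("*.*.com", "login.example.com"))                # False
    print(triage_cert("*.*.com", ROGUE_ISSUER))
```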
And while security experts differ in their speculation about who was behind the attack, there is near-universal consensus that DigiNotar will be out of business for good after this.
Kaspersky Lab’s Roel Schouwenberg notes that “with some 500 authorities out there globally it’s hard to believe DigiNotar is the only compromised CA out there.”
That is a chilling thought, and one that many an expert has probably had since the extent of the incident was revealed. Hopefully, it may jumpstart the search for a fitting alternative to the CA trust system.