Microsoft Judges DigiNotar SSL Certificates 'Untrustworthy'
4:32 PM EST Wed. Sep. 07, 2011
Microsoft has decided all DigiNotar certificates are untrustworthy, and is migrating the compromised SSL certificates to Windows' block list, called the Untrusted Certificate Store.
The move essentially blocks all Windows computers from accepting the Dutch certificate authority’s SSL certificates.
In addition, Redmond extended support for customers using Windows XP, Windows Server 2003 and all Windows-supported third-party applications, protecting all Windows systems against possible exploits resulting from the SSL hack.
Microsoft’s Tuesday update revokes the trust of DigiNotar root certificates, which include DigiNotar Root CA, DigiNotar Root CA G2, DigiNotar PKIoverheid CA Overheid, DigiNotar PKIoverheid CA Organisatie-G2, and DigiNotar PKIoverheid CA Overheid en Bedrijven.
“We recognize this issue as an industry problem, and we have been actively collaborating with certificate authorities, governments and software vendors to help protect our mutual customers,” Microsoft said in a blog post Tuesday.
DigiNotar announced last week that it experienced a massive SSL hack that had compromised certificates for a wide swath of domains, including Google.com.
The Dutch certificate authority set about revoking hundreds of the fraudulent SSL certificates. However, others apparently fell through the cracks: DigiNotar said last week that it had overlooked SSL certificates for Google.com, as well as Mozilla, Microsoft and others, in an attack appearing to be sourced from Iran.
An independent audit commissioned by the Dutch government, conducted by security firm Fox-IT, revealed that the Google accounts of around 300,000 Iranians had been compromised by the SSL hack, in what some suspect was an Iranian government attempt to spy on its citizens’ web activities, according to the report.
Cyber criminals who hack into digital certificates could impersonate legitimate domains such as Google.com and redirect traffic to the bogus sites in order to spy on Web activities or steal login credentials, credit cards or other personal information that the victims entered.
News of the widespread SSL certificate compromise prompted high-profile customers such as Google, Microsoft and Mozilla to blacklist hundreds of DigiNotar-issued SSL certificates last week.
And security researchers contend that the fallout manifested by a mass customer blacklisting likely spelled the beginning of the end for the Dutch CA.
“It’s game over for DigiNotar,” said Andrew Storms, director of security operations at security firm nCircle, in an e-mail. “Very soon they will officially no longer be a valid entity to issue certificates.”
The hack could have far-reaching implications for the Netherlands. The Dutch government publicly announced Tuesday that DigiNotar’s certificates were not to be trusted and expanded an investigation in order to determine if the hack had compromised the country’s citizens when they were filing income taxes online.
Among its myriad of customers, DigiNotar provided SSL services for DigiD, a Dutch government site that enabled citizens to access a slew of online services, including filing taxes, registering for universities and donating organs.
Meanwhile, Microsoft said that it would not extend the update to Dutch users for at least a week—a delay that could potentially give the Dutch government enough time to update their web sites, Storms said.
“The problem for the Dutch online infrastructure is very serious,” Storms said. “I’m sure the Dutch government is learning a hard, but important lesson from this ongoing fiasco. Trusting DigiNotar’s critical online infrastructure role without spending the time to independently audit their operations has undoubtedly cost the Dutch government a lot of time and money. It has certainly caused a great deal of international embarrassment.”
Meanwhile, DigiNotar doesn’t appear to be the only compromised CA. An Iranian hacker known as ComodoHacker, responsible for SSL hacks against DigiNotar and certificate authority Comodo earlier this year, posted a message on pastebin.com also claiming to have accessed four other CAs, including GlobalSign.
“I still have access to 4 more CAs, I just named one and I re-name it: GlobalSign, StartCom was lucky enough, I already connected to their HSM, got access to their HSM, sent my request, but lucky Eddy (CEO) was sitting behind HSM and was doing manual verification,” ComodoHacker said in the blog post.
The admission compelled the U.K.-based certificate authority GlobalSign to temporarily cease issuing SSL certificates while it launched an investigation. The CA enlisted the help of DigiNotar security auditor Fox-IT to determine the validity of ComodoHacker’s claims and the extent, if any, of the compromise.
“GlobalSign takes this claim very seriously and is currently investigating,” GlobalSign said in a blog post Tuesday. “As a responsible CA, we have decided to temporarily cease issuance of all Certificates until the investigation is complete. We will post updates as frequently as possible. We apologize for any inconvenience.”