A recent cyber attack against SSL provider DigiNotar has left Google, Mozilla and an untold number of domains scrambling to blacklist the rogue certificates that have jeopardized the security of their networks.
The incident has undermined trust in the SSL process, but channel partners say it could bolster security standards for partnering certification authorities [CAs], while reinforcing the need for alternative failsafe mechanisms, including vulnerability scans.
Channel partners say that the DigiNotar hack has weakened the sense of security users have in SSL certification.
“If you can’t trust the trusted authority, who in the cloud can I trust? If the trusted authority can’t do enough, then how do we rely on anyone else?” asked David Sockol, president of Emagined Security, a security solution provider based in Santa Clara, Calif. “The biggest lesson learned? We can’t really trust anyone, including ourselves, and we need checks and balances.”
The SSL issue began July 19, when Swiss certification authority DigiNotar, a subsidiary of VASCO Data Security International, discovered that it had issued compromised certificates for a wide swath of domains, including Google.com.
Upon discovering the rogue certificates, DigiNotar revoked the certifications and “acted in accordance with all relevant rules and procedures,” the company said in a press release.
However, one certificate apparently fell through the cracks: DigiNotar said earlier this week that it had failed to revoke at least one fraudulent certificate used in an attack believed to be perpetrated by hackers to target victims in Iran, prompting the company to suspend its sale of SSL and EVSSL certificates.
DigiNotar said in a statement Tuesday that the July attack resulted in “the fraudulent issuance of public key certificate request for a number of domains, including Google.com,” although the company failed to mention other affected companies by name or the number that were impacted. However, DigiNotar’s certificate revocation list shows that the company recalled more than 100 of its certificates over the last two months.
Certification authorities, or CAs, digitally sign Web pages, which provides a trusted symbol authenticating online property protected by Secure Sockets Layer, or SSL. Cyber criminals who obtain the encryption keys are able to attack users by taking control of the affected pages and all of the content that is entered on them, enabling spoofing and man-in-the-middle assaults.
Meanwhile, the consequences are still unfolding for affected customers. Earlier this week, security researchers discovered a phony Web certificate for Google.com circulating on the Internet, which enabled attackers to access the cryptographic keys in order to forge Gmail, Google Docs and possibly dozens to hundreds of other Google applications.
“The hackers are really sophisticated. They’re going after the high value targets, and they know what they’re doing,” said Jeff Hudson, CEO of Venafi, an Internet security company providing enterprise key and certificate management solutions. “If they compromise (a CA), they can become anybody they want to be.”
In an effort to harden its security against an imminent threat, Google Chrome blacklisted 247 more SSL credentials this week. Also upon news of the intrusion, Microsoft, Firefox and other firms said that they planned to issue updates blocking SSL certificates issued by DigiNotar.