Microsoft Judges DigiNotar SSL Certificates 'Untrustworthy'


 

“The problem for the Dutch online infrastructure is very serious,” Storms said. “I’m sure the Dutch government is learning a hard, but important lesson from this ongoing fiasco. Trusting DigiNotar’s critical online infrastructure role without spending the time to independently audit their operations has undoubtedly cost the Dutch government a lot of time and money. It has certainly caused a great deal of international embarrassment.”

Meanwhile, DigiNotar doesn’t appear to be the only compromised CA. An Iranian hacker known as ComodoHacker, responsible for SSL hacks against DigiNotar and certificate authority Comodo earlier this year, posted a message on pastebin.com also claiming to have accessed four other CAs, including GlobalSign.

“I still have access to 4 more CAs, I just named one and I re-name it: GlobalSign, StartCom was lucky enough, I already connected to their HSM, got access to their HSM, sent my request, but lucky Eddy (CEO) was sitting behind HSM and was doing manual verification,” ComodoHacker said in the blog post.

The admission compelled the U.K.-based certificate authority GlobalSign to temporarily cease issuing SSL certificates while it launched an investigation. The CA enlisted the help of DigiNotar security auditor Fox-IT to determine the validity of ComodoHacker’s claims and the extent, if any, of the compromise.

“GlobalSign takes this claim very seriously and is currently investigating,” GlobalSign said in a blog post Tuesday. “As a responsible CA, we have decided to temporarily cease issuance of all Certificates until the investigation is complete. We will post updates as frequently as possible. We apologize for any inconvenience.”