DigiNotar breach – 2011’s most important attack

January 09, 2012

Posted in: Network Security Trends

DigiNotar was the most important security event of 2011, with profound implications for 2012 and beyond. I know that may be an overly dramatic statement in a year that saw the RSA hack, the Sony PlayStation Network DDoS and breach, and the rise and fall of LulzSec. But those other events were mere escalations of existing threat levels.

The RSA hack was highly disruptive and forced RSA (the security division of EMC) to first alert customers and then replace millions of tokens. The attack on the Sony PlayStation Network, which appears to have been an example of a massive DDoS coupled with a crafty intrusion under the noise, was noteworthy but to be expected from a poorly defended online service.

DigiNotar, on the other hand, was an attack on a fundamental trust system: digital certificates for SSL.

When the bright folks at Netscape invented Secure Sockets Layer (SSL) to encrypt the traffic between web browsers and web servers, they killed off the SET protocol that the financial services industry was working on and ushered in the era of eCommerce. It was also a windfall for the dozens of companies that quickly got into the business of creating and issuing digital certificates. VeriSign, RSA and Entrust were among the first.

In March 2011, the now infamous Comodohacker discovered a way to hack into a reseller for the certificate authority Comodo. With stolen login credentials, he managed to issue certificates for nine sites, including mail.google.com, login.live.com, www.google.com and login.yahoo.com. At the time, Comodo (the company) said that the attack came from Iranian IP addresses and that at least one certificate was found on an Iranian server.

[The Comodohacker is a self-proclaimed supporter of the Iranian regime. It is no coincidence that Iran used man-in-the-middle attacks to intercept more than 300,000 sessions between its citizens and Gmail and other services, putting the private communication of thousands at risk.]

Here is how trust is supposed to work in a public key infrastructure: a single root CA signs the digital certificates of other certificate issuers, who, in turn, create and sign the digital certificates used by individuals and websites. When you check a certificate, you check each CA in the chain all the way up to the all-powerful root CA.

But that is not how it works. No one could ever agree on who they could trust to have all that control. At one time, it was suggested that the U.S. Postal Service should manage the root CA. That never happened. So, the web browser creators just embedded an exhaustive list of just about every CA in the world in the browser itself.

When you visit an SSL-protected site, if the digital cert is signed by one of those CAs, the browser allows the connection without any warnings. Works great. But what if someone, say, the Comodohacker, gained the ability to issue certs signed by any one of those CAs that Internet Explorer or Firefox already trusts? He can create a trusted website with a signed certificate that the browser recognizes, and now you are phished or the victim of a man-in-the-middle attack.
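The weakness described above, as an added example that is not part of the original post: a Go program using only the standard library's crypto/x509 package builds a constructed three-level chain (root, intermediate, leaf for www.google.com) and runs the same chain-walk a browser does against a store holding two equally trusted roots. The CA names "Root CA A" and "Root CA B" are constructed, and the `pins` map is a hypothetical per-host expected-root policy, the kind of extra check the browser store does not make.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a certificate for cn signed by parent, or a self-signed root when parent is nil.
func newCert(cn string, isCA bool, sans []string, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	sn, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63)) // random positive serial
	tmpl := &x509.Certificate{
		SerialNumber: sn, Subject: pkix.Name{CommonName: cn}, DNSNames: sans, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if parent == nil {
		parent, pkey = tmpl, key // a root signs itself
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Scenario (constructed): roots A and B are both in the store and www.google.com really chains to A,
// yet a leaf for it issued under B passes the browser-style check and only fails an expected-root pin.
func Scenario() (root string, browserOK, pinOK bool) {
	rootA, _ := newCert("Root CA A", true, nil, nil, nil)
	rootB, keyB := newCert("Root CA B", true, nil, nil, nil)
	interB, keyIB := newCert("Intermediate B", true, nil, rootB, keyB)
	leaf, _ := newCert("www.google.com", false, []string{"www.google.com"}, interB, keyIB)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(rootA)
	roots.AddCert(rootB) // the browser's store trusts every CA equally, for every domain
	inters.AddCert(interB)
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: "www.google.com", Roots: roots, Intermediates: inters})
	if err == nil { // browser verdict: the chain reached some trusted root
		root, browserOK = chains[0][len(chains[0])-1].Subject.CommonName, true
	}
	pins := map[string]string{"www.google.com": "Root CA A"} // per-host expected root, the check the browser lacks
	return root, browserOK, browserOK && pins["www.google.com"] == root
}
```

Run it and the chain for www.google.com is accepted because it ends at "Root CA B", which the store trusts; only the pin, which knows the host should reach "Root CA A", rejects it.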

The Comodohacker did not stop there. He struck again. This time, he claimed responsibility for the breach of DigiNotar, a Dutch CA (owned by VASCO Data Security), and he went much farther. He issued over 500 digital certs for domains like Microsoftupdate.com and Google.

DigiNotar has gone out of business. Microsoft, Google, Mozilla, Opera and Apple have all removed DigiNotar from their browsers.

Web trust is broken. Not that anything has changed. The problem was always there. The Comodohacker just showed us by demonstration that the system is broken.

There are fixes being discussed, in particular federated communities of trust, and the Certificate Authority/Browser Forum has just issued baseline requirements (http://cabforum.org/) for SSL certificate authorities and those that maintain browsers. But change happens slowly. In the meantime, all you can do is update your browser often and inspect certificates once in a while. Be aware that all is not well in cyberspace.
