Rogue SSL certs were also issued for CIA, MI6, Mossad

Benjamin bbrewer at littledystopia.net
Mon Sep 5 13:42:33 PDT 2011


http://www.net-security.org/secworld.php?id=11565

______________________________________________________________

Rogue SSL certs were also issued for CIA, MI6, Mossad
Posted on 05 September 2011. The number of rogue SSL certificates issued
by Dutch CA DigiNotar has ballooned from one to a couple dozen to over
250 to 531 in just a few days.
As Jacob Appelbaum of the Tor project shared the full list of the rogue
certificates, it became clear that fraudulent certificates for domains
of a number of intelligence agencies from around the world were also
issued during the CA's compromise - including the CIA, MI6 and Mossad.

Additional targeted domains include Facebook, Yahoo!, Microsoft, Skype,
Twitter, Tor, Wordpress and many others.

He received the list from sources in the Dutch Government, which has
retracted its statement about trusting DigiNotar's PKIoverheid CA
branch, announced to its citizens that it cannot guarantee the security
of its own websites, and taken over DigiNotar's operations and
immediately organized audits of its infrastructure.

"The most egregious certs issued were for *.*.com and *.*.org while
certificates for Windows Update and certificates for other hosts are of
limited harm by comparison," points out Appelbaum. "The attackers also
issued certificates in the names of other certificate authorities such
as 'VeriSign Root CA' and 'Thawte Root CA' as we witnessed with
ComodoGate, although we cannot determine whether they succeeded in
creating any intermediate CA certs."
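As an added illustration (not part of the article or of Appelbaum's analysis), the Python below shows why a `*.*.com` name is so much worse than an ordinary wildcard: a lax matcher that lets each `*` stand for one DNS label treats it as covering every second-level .com host, while a strict subject-name check rejects it outright. The SAN entries and hostnames are constructed samples.

```python
import re

# Constructed sample SAN entries, modelled on the kinds of names the article describes.
SAMPLE_NAMES = ["*.*.com", "*.*.org", "*.google.com", "login.yahoo.com", "*.com"]
# Constructed hostnames a client might be connecting to.
SAMPLE_HOSTS = ["update.microsoft.com", "www.facebook.com", "www.cia.gov",
                "torproject.org", "mail.google.com"]


def wildcard_matches(pattern, hostname):
    """Permissive matching: every '*' stands for exactly one DNS label.

    This models a lax client; it is deliberately too generous so the reach
    of a multi-wildcard name becomes visible.
    """
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    return all(pl == "*" or pl == hl for pl, hl in zip(p, h))


def is_acceptable_san(name):
    """Strict check: RFC 6125 allows a wildcard only as the whole leftmost
    label, and CA policy forbids a wildcard directly over a top-level label
    (so '*.*.com' and '*.com' both fail; '*.google.com' passes)."""
    labels = name.lower().split(".")
    wildcard_labels = [l for l in labels if "*" in l]
    if not wildcard_labels:
        # plain hostname: letters, digits, hyphens, at least two labels
        return re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", name.lower()) is not None
    if len(wildcard_labels) > 1 or labels[0] != "*":
        return False
    return len(labels) >= 3  # '*.com' would have only two labels


def audit(names, hosts):
    """Report, per SAN entry, whether a strict verifier would accept it and
    which hosts a lax verifier would let it impersonate."""
    report = {}
    for name in names:
        covered = [h for h in hosts if wildcard_matches(name, h)]
        report[name] = {"acceptable": is_acceptable_san(name), "covers": covered}
    return report


if __name__ == "__main__":
    for name, info in audit(SAMPLE_NAMES, SAMPLE_HOSTS).items():
        print(f"{name:18} acceptable={info['acceptable']!s:5} covers={info['covers']}")
```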

"That's really saying something about the amount of damage a single
compromised CA might inflict with poor security practices and regular
internet luck," he concludes. In a previous post, he compared the
current state of the Certificate Authority system to a house of cards
doused with petrol, waiting for a light.

And while there is a difference of opinion between security experts who
speculate about the entity behind the attack, there seems to be an
almost universal consensus about the fact that DigiNotar will be closed
for business forever after this.

Kaspersky Lab's Roel Schouwenberg notes that "with some 500 authorities
out there globally it's hard to believe DigiNotar is the only
compromised CA out there."

That's a chilling thought that probably many an expert has had since the
extent of the incident has been revealed. Hopefully, it just might
jumpstart the search for a fitting alternative to the CA trust system.
