DigiNotar digital certificate fraud could affect millions of users, says SecurEnvoy


DigiNotar digital certificate fraud could affect millions of users, says SecurEnvoy

Warwick Ashford

The scale of digital certificate fraud involving Dutch root certificate authority DigiNotar may be wider than originally thought.

Earlier this week, Microsoft issued a security advisory warning of at least one fraudulent digital certificate issued by DigiNotar for Google.com.

But now more details have emerged of a breach of DigiNotar's infrastructure by hackers, authentication firm SecurEnvoy says the security of millions of internet users may be under threat.

According to a statement by DigiNotar, the intrusion resulted in the fraudulent issuing of public key certificate requests for a number of domains, including Google.com.

Because digital certificates are used to verify the identity of a person or device, authenticate a service or encrypt files, a fraudulent certificate may be used to spoof web content, perform phishing attacks or perform man-in-the-middle attacks.

According to Steve Watts, co-founder of SecurEnvoy, there may be as many as 200 fraudulent digital certificates in circulation.

"Every one of them could be misused for financial gain, politically motivated eavesdropping and all sorts of electronic hackery," he said.

The hacking of DigiNotar's systems highlights the fact that the automated systems at the heart of the internet are entirely dependent on certificates.

If criminals are able to counterfeit these certificates, automated internet systems have no way of knowing they are being fooled, said Steve Watts.

"The fact that a digital certificate issuer has been hacked should concern anyone interested in the security of the internet," Watts said.

Although similar to the RSA Security hacking earlier in the year in its ability to affect a large number of people, the remedy is not as simple, said Watts.

While RSA was able to replace its SecurID tokens and so partially remedy the situation, he believes the DigiNotar hack cannot be resolved without a tree-and-branch restructuring of the Internet's architecture.

DigiNotar has sought to downplay the impact of the hacking, emphasising that the attack targeted only its infrastructure for issuing SSL and EVSSL certificates.

The certificate authority said no other certificate types were issued or compromised and most of its business was unaffected.

DigiNotar said it will take every possible precaution to secure its SSL and EVSSL certificate offering, including suspending the sale of those certificates until thorough additional security audits by third party organisations have been completed.

Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting your personal information, you agree to receive emails regarding relevant products and special offers from TechTarget and its partners. You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

COMMENTS powered by Disqus  //  Commenting policy