DigiNotar SSL certificate compromise widens to include security agencies

A breach of Dutch root certificate authority DigiNotar, which resulted in the fraudulent issuing of certificates, has widened to include several security agencies.

A breach of Dutch root certificate authority DigiNotar revealed last week, which resulted in the fraudulent issuing of certificates, has widened to include several security agencies.

Initially, hackers were believed to have issued around 250 false certificates, but that number has now grown to around 530, according to the Dutch government.

DigiNotar operates a "root" certificate authority: its root certificate is trusted directly by browsers and operating systems, and anything it signs, including intermediate CA certificates, inherits that trust. An intermediate can in turn sign and validate end-entity certificates on the root's behalf, so a browser accepts a site certificate as long as the chain leads back to a trusted root.

It now appears that the hackers also had more than 180 certificates signed that may have been intermediate CA certificates, carrying the names of other certificate authorities such as Thawte and VeriSign. Because trust flows from the signing root rather than from the name in the certificate, a browser that trusted DigiNotar's root would have accepted such an intermediate regardless of whose name it bore.

The expanded list of domains for which fraudulent certificates were issued includes security agencies such as the US Central Intelligence Agency (CIA), the UK's MI6 and Israel's Mossad, according to the Tor Project, which maintains the Tor anonymity network.

Because a digital certificate binds a public key to an identity, whether a person, a device or a web site, and is used to authenticate services and encrypt traffic, whoever holds the private key for a fraudulent certificate can impersonate the named site: spoof its content, host convincing phishing pages, or sit in the middle of supposedly encrypted connections and read or alter the traffic without the browser raising a warning.

While this makes visitors to these sites vulnerable, the security agencies involved say the impact of the breach is minimal, according to TFTS.

Even if the hackers are able to spoof SSL security for the sites, the agencies say their servers are secure and unauthorised parties are unlikely to gain access to secure information.

According to Tor, the hackers also issued themselves certificates for *.*.com and *.*.org.

Chester Wisniewski, a senior security advisor at Sophos, Canada, said that while he is not sure if a multi-wildcard certificate like this is valid, if it is, it could allow the hackers to impersonate anything.

"This incident makes me feel more justified than ever in my distrust of the certificate system. While Mozilla, Google and others have been quick to permanently remove DigiNotar as a trusted authority, in this case it is too little, too late," he wrote in a blog post.
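To make the chain-of-trust point, the masquerading-intermediate point and the `*.*.com` question concrete, here is an added example in Go using the standard library's crypto/x509 package. It is not code from the article, from DigiNotar or from any browser vendor; every CA name, serial number and key in it is generated or made up for the example. It builds a hypothetical root CA, an intermediate whose subject name the root operator does not own, and a server certificate, then validates the chain as a TLS client would: once with the root trusted, once with the root removed from the trust store (the step Mozilla and Google took), and once for a certificate naming `*.*.com`. Go's hostname matching, like the RFC 6125 rule browsers apply, accepts a wildcard only as the entire left-most label, so `*.*.com` matches nothing while `*.example.com` still matches `www.example.com`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is a root CA, an intermediate signed by it, and a server certificate signed
// by the intermediate. Every name and key here is generated for the example.
type Chain struct {
	Root, Inter, Leaf *x509.Certificate
}

// issue signs template with parentKey under parent; parent == nil means self-signed.
func issue(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func caTemplate(name string, serial int64) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// BuildChain issues root -> intermediate -> leaf, the leaf carrying dnsName as its
// subjectAltName. The intermediate's subject is deliberately a name the root operator
// does not own: a validator never checks that, only the signature from the root.
func BuildChain(dnsName string) (Chain, error) {
	root, rootKey, err := issue(caTemplate("Hypothetical Root CA", 1), nil, nil)
	if err != nil {
		return Chain{}, err
	}
	inter, interKey, err := issue(caTemplate("Hypothetical Other CA", 2), root, rootKey)
	if err != nil {
		return Chain{}, err
	}
	now := time.Now()
	leaf, _, err := issue(&x509.Certificate{
		SerialNumber:          big.NewInt(3),
		Subject:               pkix.Name{CommonName: dnsName},
		DNSNames:              []string{dnsName},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(24 * time.Hour),
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, interKey)
	if err != nil {
		return Chain{}, err
	}
	return Chain{Root: root, Inter: inter, Leaf: leaf}, nil
}

// VerifyLeaf validates c.Leaf for hostname as a TLS client would: the intermediate
// arrives with the handshake, and the root is trusted only when trustRoot is true
// (false models a browser that has removed the root from its store). nil = accepted.
func VerifyLeaf(c Chain, hostname string, trustRoot bool) error {
	roots := x509.NewCertPool() // empty but non-nil, so system roots are not consulted
	if trustRoot {
		roots.AddCert(c.Root)
	}
	inters := x509.NewCertPool()
	inters.AddCert(c.Inter)
	_, err := c.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: hostname})
	return err
}

func main() {
	site, _ := BuildChain("www.example.com")
	multi, _ := BuildChain("*.*.com")
	fmt.Println("root trusted:   ", VerifyLeaf(site, "www.example.com", true))
	fmt.Println("root distrusted:", VerifyLeaf(site, "www.example.com", false))
	fmt.Println("*.*.com for www.example.com:", VerifyLeaf(multi, "www.example.com", true))
}
```

Run with `go run`: the first line reports nil, the second an `x509.UnknownAuthorityError`, the third an `x509.HostnameError`. Two things worth noting: the intermediate named "Hypothetical Other CA" is accepted without any check on that name, which is exactly why a rogue intermediate bearing another CA's name is dangerous; and pulling the root from the pool is the only thing in this code that stops the chain, which is what the browser updates described in the article do. Whether a 2011 browser would have matched `*.*.com` is the question Wisniewski left open; this shows what a current validator does with it.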

Users of IE and Safari on Windows 7/Vista/2008/2008R2, or Chrome and Firefox on any platform, are protected against exploitation as long as they are fully patched, as are Mac OS X users using the latest Chrome and Firefox (6.0.2) versions, but Safari and OS X itself have not been patched, warns Wisniewski.

He also notes that mobile users are being left in the dark, with no updates, and no manual removal method for Android or iPhone/iPad/iPod Touch users who have not jailbroken/rooted their devices.
