[SSL Observatory] DigiNotar Compromise

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sat Sep 3 06:31:46 PDT 2011


Gervase Markham <gerv at mozilla.org> writes:

>http://blog.gerv.net/2011/09/diginotar-compromise/
>
>My blog post gives some more information (including a list of CNs) which may
>be of interest :-)

  DigiCert Root CA
  Equifax Root CA
  Thawte Root CA
  VeriSign Root CA

Does this mean they issued themselves CA certs as well as EE ones?

>And not knowing their serial numbers makes it impossible to revoke them

This is exactly the manufactured-certificate attack that CRLs/OCSP, and
X.509's general fixation with dysfunctional blacklist-based approaches is
totally unable to deal with.

>it is at least possible (but entirely speculative) that an initial competent
>attacker has had access to their systems for an unknown amount of time, and a
>second attacker gained access more recently and their less subtle bull-in-a-
>china shop approach in issuing the 247 certificates triggered the alarms.

Given that DigiNotar's site was multiply compromised over a period of several
years, that could well be the case.

Peter.
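The manufactured-certificate problem discussed in this thread, as an added illustration that is not code from the list or from any of the posters: a stdlib-only Python model of a client whose revocation checking is purely serial-number blacklisting (CRL, plus an OCSP-style lookup against the CA's own records). The CA name, serial numbers and hostnames are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Cert:
    issuer: str   # name of the issuing CA
    serial: int   # the only handle a CRL or OCSP responder has on a certificate
    subject: str

@dataclass
class TrustStore:
    anchors: set = field(default_factory=set)         # CA names the client trusts
    crls: dict = field(default_factory=dict)          # issuer -> serials the CA has revoked
    known_issued: dict = field(default_factory=dict)  # issuer -> serials in the CA's own records

def crl_ok(cert, store):
    """Blacklist check: only a serial listed on the issuer's CRL is rejected."""
    return cert.serial not in store.crls.get(cert.issuer, set())

def ocsp_ok(cert, store, hard_fail):
    """OCSP-style check answered from the CA's records (RFC 6960: good / revoked / unknown)."""
    if cert.serial in store.crls.get(cert.issuer, set()):
        return False                    # "revoked"
    if cert.serial not in store.known_issued.get(cert.issuer, set()):
        return not hard_fail            # "unknown": accepted unless the client hard-fails
    return True                         # "good"

def validate(cert, store, hard_fail_ocsp=False):
    """Chain acceptance: issuer must be a trust anchor and must not report the cert bad."""
    if cert.issuer not in store.anchors:
        return False
    return crl_ok(cert, store) and ocsp_ok(cert, store, hard_fail_ocsp)

def demo():
    # Constructed data: one compromised CA and three certificates bearing its name.
    ca = "Compromised CA"
    store = TrustStore(anchors={ca}, crls={ca: {2}}, known_issued={ca: {1, 2, 3}})
    legit = Cert(ca, 1, "legit.example")
    revoked = Cert(ca, 2, "revoked.example")
    forged = Cert(ca, 9999, "victim.example")   # minted by the intruder; serial unknown to the CA
    soft = tuple(validate(c, store) for c in (legit, revoked, forged))
    hard = tuple(validate(c, store, hard_fail_ocsp=True) for c in (legit, revoked, forged))
    store.anchors.discard(ca)                    # the remedy actually applied: distrust the CA
    distrusted = tuple(validate(c, store) for c in (legit, revoked, forged))
    return {"crl_soft_ocsp": soft, "hard_fail_ocsp": hard, "ca_distrusted": distrusted}

if __name__ == "__main__":
    for policy, (ok_legit, ok_revoked, ok_forged) in demo().items():
        print(f"{policy:15s} legit={ok_legit} revoked={ok_revoked} forged={ok_forged}")
```

Under the blacklist policy the forged certificate with an unlisted serial is accepted exactly like the legitimate one; only hard-failing on an "unknown" OCSP answer or removing the CA from the trust store stops it, and the latter also takes every honest certificate down with it.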
