I had previously written about the news that the DigiNotar Certificate Authority (CA) was hacked and issued many fraudulent certificates, including high-profile ones such as Google.com. The situation has now become worse: it has been revealed that not only fraudulent client or user (end-entity) certificates were issued, but also certificates for intermediate Certificate Authorities.
On top of that, the numbers are more bad news for everyone. It was initially rumoured that just over 250 certificates had been issued. It now turns out that the count has grown to 531 certificates, including the intermediate certificates just mentioned.
What’s so serious about the issuance of Intermediate Certificates?
Commonly, a PKI has three tiers. The highest is the Root CA, which in this hacking case is DigiNotar. Everyone's understanding was that the compromised certificates would be at the lowest level, the user (end-entity) certificates, which is where SSL certificates belong as well.
However, now that the truth is known, the hackers also issued certificates for the intermediate CA, the issuing CA certificate in the figure above. This means the hackers can now issue further fraudulent certificates with the full authority of an intermediate CA. In my view, we should not trust any certificate issued by DigiNotar for now, until further notice.
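To make the three tiers concrete, here is an added example (my own script, not part of the original post and not anything DigiNotar or the browser vendors published) that builds a toy root CA, intermediate CA and SSL certificate with the openssl command-line tool, then runs openssl verify three ways: with the root trusted, with the root removed from the trust store (which is what the browser vendors did), and with a certificate signed by an ordinary end-entity key. The CA names, hostnames and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: a toy three-tier PKI built with
# the openssl CLI. All names (Example Root CA, Example Issuing CA,
# www.example.test) and file names are constructed placeholders.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# new_key_and_csr NAME SUBJECT: fresh RSA key plus a certificate signing request
new_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
}

# 1. Two self-signed roots: "Example Root CA" (playing DigiNotar's role) and an
#    unrelated root standing in for the rest of a browser's trust store.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
new_key_and_csr root  "/CN=Example Root CA"
openssl x509 -req -sha256 -days 365 -in root.csr -signkey root.key \
  -extfile ca.ext -out root.pem 2>/dev/null
new_key_and_csr other "/CN=Unrelated Root CA"
openssl x509 -req -sha256 -days 365 -in other.csr -signkey other.key \
  -extfile ca.ext -out other.pem 2>/dev/null

# 2. Intermediate (issuing) CA, signed by Example Root CA.
new_key_and_csr inter "/CN=Example Issuing CA"
openssl x509 -req -sha256 -days 365 -in inter.csr -CA root.pem -CAkey root.key \
  -CAcreateserial -extfile ca.ext -out inter.pem 2>/dev/null

# 3. End-entity (SSL server) certificate, signed by the intermediate.
printf 'basicConstraints=critical,CA:FALSE\n' > ee.ext
new_key_and_csr leaf "/CN=www.example.test"
openssl x509 -req -sha256 -days 90 -in leaf.csr -CA inter.pem -CAkey inter.key \
  -CAcreateserial -extfile ee.ext -out leaf.pem 2>/dev/null

# 4. A certificate "issued" with the end-entity key, i.e. all that a leaked
#    SSL certificate and key alone would allow.
new_key_and_csr sub "/CN=another.example.test"
openssl x509 -req -sha256 -days 90 -in sub.csr -CA leaf.pem -CAkey leaf.key \
  -CAcreateserial -extfile ee.ext -out sub.pem 2>/dev/null

# check_chain TRUSTSTORE UNTRUSTED_BUNDLE CERT: prints "accepted" when CERT
# chains, via the untrusted bundle, to a root in TRUSTSTORE, else "rejected".
# (openssl verify also consults the system CA directory by default; the toy
# roots above are not in it, so that does not change the outcome here.)
check_chain() {
  if openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

cat inter.pem > chain_inter.pem
cat inter.pem leaf.pem > chain_inter_leaf.pem

# Root in the trust store: anything the intermediate signs is accepted, for
# any hostname. That is the authority a compromised intermediate CA hands over.
echo "leaf via intermediate, root trusted:  $(check_chain root.pem  chain_inter.pem leaf.pem)"      # accepted
# Root removed from the trust store (what the browser vendors did): the same
# chain is rejected, whatever other roots the store still contains.
echo "leaf via intermediate, root removed:  $(check_chain other.pem chain_inter.pem leaf.pem)"      # rejected
# An end-entity certificate cannot act as an issuer: its CA:FALSE constraint
# stops the chain, so a stolen SSL certificate alone cannot mint further ones.
echo "cert signed with end-entity key:      $(check_chain root.pem  chain_inter_leaf.pem sub.pem)"  # rejected
```

The third check is the whole point of the intermediate-versus-end-entity distinction: a browser only walks past a certificate in the chain if it carries the CA flag, so a stolen SSL certificate is a one-off, while a stolen issuing-CA certificate is a certificate factory until its root is pulled from the trust store.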
What can everyone do for a better security now?
All the top internet web browsers have already taken action to completely remove trust in DigiNotar. The top browsers I mean here are Mozilla Firefox, Google Chrome, Microsoft Internet Explorer and Apple Safari. Removing the trust means that every certificate issued by DigiNotar will be treated as untrusted by those browsers.
As an end user, what we can do now is update. Firefox users can follow the guide from Firefox Help to update their browser. For Google Chrome, you can refer to this entry on how to update your browser. As for Microsoft IE, nothing could be simpler: run Windows Update to get the latest version.
Safari users are in for some pain in the ass. Apple has not officially released any patch for this attack, despite all the other giants working very hard on it. Perhaps this is one of the things Steve Jobs missed when handing the CEO position over to Tim Cook. The good news is that the IT security community cares about everyone's security, and you can refer to this post on how to remove DigiNotar trust from your Safari web browser.
Lastly, if you are interested in the list of fraudulent certificates issued by the hacker, you can get it from the Tor Project site. Do join my Facebook Page to stay updated on this issue, and drop a comment here to discuss.