The compromise of DigiNotar, a Dutch certificate authority that issues the digital certificates used to authenticate websites, has cost the firm its credibility and may cost it much more.
The intrusion occurred in July, when the attacker or attackers broke into DigiNotar's Certificate Authority (CA) infrastructure and used it to issue fraudulent public key certificates for a number of domains, including Google.com.
DigiNotar said most of the fraudulent certificates had been revoked, but a few had not. According to a report from security firm Fox-IT, at least 531 rogue certificates were issued after the CA was compromised.
The affected domains included CIA.gov, Google, Microsoft, Yahoo, Skype, Facebook, Twitter and Microsoft's Windows Update service. Google, Microsoft and Mozilla, the makers of three of the most widely used web browsers in the world, are now making DigiNotar pay for its mistake.
In a recent blog post, Dave Forstrom, Microsoft's Director of Trustworthy Computing, said the company now deems all DigiNotar certificates untrustworthy and has moved them to the Windows Untrusted Certificate Store, so that any certificate chaining to a DigiNotar root fails validation. Microsoft has extended this protection to customers on Windows XP and Windows Server 2003 and to third-party applications that use the Windows certificate store.
"We recognize this issue as an industry problem, and we have been actively collaborating with certificate authorities, governments, and software vendors to help protect our mutual customers," Forstrom said.
Meanwhile, Google appears to be taking similar action. According to a report from The Register, a change published in Google's source code stops Chrome from trusting any HTTPS site whose certificate was signed by DigiNotar. Mozilla has implemented a similar change: Firefox users will see a warning when they encounter certain DigiNotar certificates.
The Dutch government, itself a DigiNotar customer, is working quickly to replace all of the DigiNotar certificates it uses. The government has taken over DigiNotar's management and says that withdrawing the certificates outright is difficult because many of them secure automated communication between systems; revoking them all at once would break that machine-to-machine communication.