Fake Google certificate is the result of a hack
After the weekend's revelation that an illegally issued SSL certificate was being actively used to monitor Iranian Gmail users, the certificate issuer has now given its reaction. The certificate issuer, DigiNotar, reports that it detected an intrusion into its systems on 19 July, during which the intruder generated a number of certificates, including the *.google.com certificate employed as described above.
At the time, DigiNotar investigated the extent of the intrusion and apparently revoked all illegally issued certificates. It turns out, however, that, as DigiNotar itself admits, some certificates were missed: "Recently, it was discovered that at least one fraudulent certificate had not been revoked at the time. After being notified by Dutch government organization Govcert, DigiNotar took immediate action and revoked the fraudulent certificate."
The attackers specifically targeted the infrastructure used to issue SSL and Extended Validation SSL certificates (EVSSL). DigiNotar will cease to issue certificates until it has been subjected to further security auditing by external auditors. It does not explain why it has waited until now to take this step – the intrusion took place in mid-July. The company hopes to have a solution by the end of the week.
DigiNotar's parent company, VASCO, hopes to placate its customers with warm words: "Through the first six months of 2011, revenue from the SSL and EVSSL business was less than Euro 100,000. VASCO does not expect that the DigiNotar security incident will have a significant impact on the company’s future revenue or business plans." This will be of little comfort to Iranian Gmail users whose emails may have been monitored by the Iranian government over a period of several weeks. Believing themselves to be using a secure connection to Google, they may well have been lulled into a false sense of security.
Additionally, it cannot be ruled out that DigiNotar has missed other fake certificates issued during the intrusion. As a consequence, browser manufacturers have taken the radical step of revoking trust in all DigiNotar certificates. Google and Mozilla have already announced the release of updates which will remove DigiNotar from the list of trusted certificate authorities. Microsoft maintains a central certificate trust list, which Windows Vista and later versions pick up automatically. Separate security updates will be issued for Windows XP and Windows Server 2003.
Initial instructions for deleting the root certificate from Firefox manually, published by Mozilla, turn out to be incorrect. Tests carried out by our editorial team found that, although following these instructions causes DigiNotar to disappear from the list of trusted certificate authorities, when the settings window was reopened, nothing had apparently changed. It appears that built-in root certificates cannot be deleted from Firefox at all; the certificate is instead marked as untrusted, but there is no visible indication that it is no longer trusted. Mozilla has now updated the instructions to explain that the certificate will be marked as distrusted, but does not explain why the item appears to have been deleted when it hasn't been.
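As an added illustration, not part of the original report or any vendor's code, the following Go program shows what the browser vendors' step amounts to: a stand-in DigiNotar root and a *.google.com leaf signed by it verify while the root sits in the trust store, and stop verifying once roots from a distrusted organization are dropped. The keys, certificates and the organization-based distrust list are all constructed here and are not the incident's real material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must unwraps (value, error); everything here is constructed test data, so an error is a bug.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildRogueChain generates a stand-in DigiNotar root and a *.google.com leaf signed by it (constructed here, not the incident's real certificates).
func BuildRogueChain() (root, leaf *x509.Certificate) {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	notBefore, notAfter := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), NotBefore: notBefore, NotAfter: notAfter,
		Subject:      pkix.Name{Organization: []string{"DigiNotar"}, CommonName: "DigiNotar Root CA (constructed)"},
		IsCA:         true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey))))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), NotBefore: notBefore, NotAfter: notAfter,
		Subject:      pkix.Name{CommonName: "*.google.com"}, DNSNames: []string{"*.google.com"},
	}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey))))
	return root, leaf
}

// ChainTrusted drops every root whose organization is distrusted (as the browser vendors did with DigiNotar) and reports whether leaf still verifies for host against the remaining store.
func ChainTrusted(leaf *x509.Certificate, roots []*x509.Certificate, distrusted map[string]bool, host string) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		if org := r.Subject.Organization; len(org) == 0 || !distrusted[org[0]] {
			pool.AddCert(r)
		}
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}
```

A client that still carried the root would accept the rogue *.google.com certificate for any Google host name; the same check fails as soon as the DigiNotar entry is gone from the store.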