Fraudulent certificate triggers blocking from software companies
A fraudulent SSL certificate for "*.google.com" issued by Dutch certificate authority (CA) DigiNotar, possibly to the Iranian government or its agents, has triggered a wave of updates from software makers to stop applications trusting the CA. The certificate was issued on 10 July to unknown persons in Iran.
Several security experts, such as Moxie Marlinspike, confirmed that the SSL certificate came from DigiNotar; one pastebin entry detailed the contents of the suspicious certificate, while another called for the "internet death sentence" because the company's "carelessness may have resulted in deaths in Iran". The Electronic Frontier Foundation said in a blog posting that it believes the attacks have been used to intercept searches and private email. It is unknown who the certificate was actually issued to and whether or not any other bogus certificates were issued.
The attack was initially noticed by Google Chrome users because Chrome 13 and later versions implement certificate pinning, which ensures that the browser will only accept certificates for Google from a whitelist of certificate authorities; DigiNotar was not on that whitelist, so Chrome users were alerted that something was amiss with the certificate being presented to them. The certificate was revoked yesterday, 29 August, at 16:59 GMT, but because many browsers do not check for revoked certificates by default, software vendors have had to take action to prevent the continued exploitation of the bogus certificate. It is also currently unknown whether any other bogus certificates were issued by DigiNotar, so the vendors are opting to block all certificates signed by the CA.
Microsoft has released a security advisory and updates for all supported Windows operating systems – including Vista SP3, Server 2008 SP2 and Windows 7 SP1 – which revoke trust in the CA's root certificate. Windows XP SP3 and Server 2003 SP2 will receive separate updates as these systems do not use the centrally managed Microsoft Certificate Trust List.
Mozilla has announced that it is releasing updates for Firefox (3.6.21, 6.0.1, 7, 8 and 9) and Firefox Mobile (6.0.1, 7, 8 and 9), Thunderbird (3.1.13 and 6.0.1) and SeaMonkey (2.3.2), which will also revoke trust in DigiNotar's root certificate. Mozilla has also released instructions on how to delete the DigiNotar Root CA certificate from Firefox manually.
Google is also disabling DigiNotar's certificate in Chrome "while investigations continue", even though Chrome detected the fraudulent certificate. Chrome's pinning was only able to do that for google.com subdomains; if there are other fraudulent certificates for other domains, Chrome would be unable to detect the deceit.
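The two defences described above, Chrome's issuer pinning for google.com hosts and the vendors' blanket distrust of the DigiNotar root, as an added model in Python that is not code from Chrome or any vendor; certificates are reduced to dicts with the fields the checks need, and every fingerprint, chain and hostname below is a constructed placeholder rather than a real SPKI hash:

```python
from fnmatch import fnmatchcase

# Constructed placeholder fingerprints standing in for SPKI hashes.
GOOGLE_PINS = {"spki:google-issuer-1-placeholder", "spki:google-issuer-2-placeholder"}
PINNED_HOSTS = ["google.com", "*.google.com"]
DISTRUSTED = {"spki:diginotar-root-placeholder"}


def host_matches(hostname, pattern):
    """DNS name match; a leading '*' covers exactly one label, as in TLS."""
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and fnmatchcase(hostname, pattern)
    return hostname == pattern


def check_chain(hostname, chain, distrusted=DISTRUSTED):
    """chain[0] is the leaf, chain[-1] the root. Returns (accepted, reason)."""
    leaf, issuers = chain[0], chain[1:]
    if not any(host_matches(hostname, n) for n in leaf["names"]):
        return False, "name mismatch"
    # Pinning (how Chrome noticed): a pinned host needs a whitelisted issuer
    # in its chain, even if the chain would otherwise validate.
    if any(host_matches(hostname, p) for p in PINNED_HOSTS):
        if not any(c["spki"] in GOOGLE_PINS for c in issuers):
            return False, "pin violation"
    # Distrust (the vendor updates): any chain through a blocked CA fails,
    # which also covers hosts that pinning says nothing about.
    for cert in issuers:
        if cert["spki"] in distrusted:
            return False, "distrusted CA: " + cert["subject"]
    return True, "ok"


def cert(subject, spki, names=()):
    return {"subject": subject, "spki": spki, "names": list(names)}


# Constructed sample chains (leaf signed directly by a placeholder root).
DIGINOTAR_ROOT = cert("DigiNotar Root CA", "spki:diginotar-root-placeholder")
BOGUS_GOOGLE = [cert("*.google.com", "spki:bogus-leaf", ["*.google.com"]), DIGINOTAR_ROOT]
BOGUS_OTHER = [cert("mail.example.org", "spki:bogus-leaf-2", ["mail.example.org"]), DIGINOTAR_ROOT]
GENUINE_GOOGLE = [cert("*.google.com", "spki:real-leaf", ["*.google.com"]),
                  cert("Pinned issuer (placeholder)", "spki:google-issuer-1-placeholder")]

if __name__ == "__main__":
    print(check_chain("mail.google.com", BOGUS_GOOGLE))                    # pinning rejects it
    print(check_chain("mail.example.org", BOGUS_OTHER, distrusted=set()))  # pinning alone misses it
    print(check_chain("mail.example.org", BOGUS_OTHER))                    # distrust catches it
    print(check_chain("mail.google.com", GENUINE_GOOGLE))                  # accepted
```

The second call is the gap the article describes: with pinning alone, a DigiNotar-signed certificate for a non-Google host passes, which is why the vendors removed the root outright.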
This is the second fraudulent certificate incident this year: in March, SSL certificates for addons.mozilla.org, Yahoo, Skype, Microsoft Live and Google were created by an intruder into a Comodo reseller.