The Inquirer-Home

Diginotar issues dodgy SSL certificates for Google services after break-in

Diginotar doesn't seem to mind much
Tue Aug 30 2011, 17:23

ONLINE GIANT Google was the target of a man-in-the-middle SSL attack as a firm issued certificates for some of its services without authorisation.

Google announced that some users - mostly those located in Iran - were served false SSL certificates issued by Diginotar in order to hijack SSL sessions with Google's services. Diginotar, a recognised and trusted certificate authority, revealed that the certificates were issued during an intrusion into its certificate authority systems.

Google said that its Chrome web browser automatically detected the SSL attack and informed users, while Microsoft and Mozilla were also quick to issue updates, which essentially blacklist any Diginotar certificates.

In Microsoft's security advisory the firm said, "Microsoft is continuing to investigate how many more certificates have been fraudulently issued. As a precautionary measure, Microsoft has removed the DigiNotar root certificate from the Microsoft Certificate Trust List." Mozilla, on the other hand, gave Firefox users a step-by-step guide on how to remove Diginotar from its list of trusted certificate authorities.

Diginotar is playing down any potential problems with the intrusion on its network that led to dodgy SSL certificates being issued, saying it expects to have a solution to the problem by the end of the week. Instead of being humbled, it said that the damage to its reputation won't affect its bottom line.

In a statement Diginotar's parent company Vasco said, "Vasco expects the impact of the breach of Diginotar's SSL and EVSSL business to be minimal. Through the first six months of 2011, revenue from the SSL and EVSSL business was less than €100,000. Vasco does not expect that the Diginotar security incident will have a significant impact on the company's future revenue or business plans."

All we can say is that Vasco and Diginotar shouldn't expect that €100,000 in SSL certificate-related revenue to increase by very much any time soon. µ


Comments
Lawrence gets lax

Microsoft has removed the DigiNotar root certificate from the Microsoft Certificate Trust List

Without noting the fact that this never gets updated unless you go into the optional updates for Windows updates.

Most Windows PCs have never had this done unless it's graced the path of a tech.

Why are security updates, optional, and Windows pointless updates, security?!

posted by: bofh80, 31 August 2011