SOFTWARE DEVELOPER Mozilla has confirmed that it was targeted by hackers who broke into Dutch certificate authority Diginotar's network and issued rogue SSL certificates for high-profile domains.
The attack came to light when a rogue certificate for *.google.com was found being used in a country-wide Gmail man-in-the-middle attack in Iran. Diginotar's parent company, Vasco Data Security International, later admitted that its subsidiary had known about the breach since 19 July, and implicitly it also admitted that its certificate authority had not sounded any public alarm.
An external audit performed by the company at the time revealed that hackers managed to issue rogue certificates for an undisclosed number of domain names, certificates that were revoked in a matter of days.
However, for some yet-to-be-explained reason, both the auditors and the company's own investigators missed the bogus *.google.com domain certificate.
In response to the breach, Mozilla, Google and Microsoft took the unprecedented step of removing Diginotar's root certificate from their products, therefore rendering all certificates ever issued by the company untrusted in the world's top three web browsers.
Changes in a new Chrome version released yesterday included additions to its certificate blacklist with over 240 entries that were described as "bad DigiNotar leaf certificates for non-Google sites".
This could be an indication of how broad the attack's scope was.
Dutch publication NU.NL reports that other targets of this attack included mozilla.org, yahoo.com, wordpress.org, torproject.org and the Iranian blogging service Baladin. So far, Mozilla has confirmed the report.
"DigiNotar informed us that they issued fraudulent certs for addons.mozilla.org in July, and revoked them within a few days of issue. In the absence of a full account of mis-issued certificates from DigiNotar, the Mozilla team moved quickly to remove DigiNotar from our root program and protect our users," said Johnathan Nightingale, director of development for Firefox.
The response of the security community was harsh and rightfully so, considering how Diginotar chose to handle the incident. Unlike Comodo, which went through a similar situation back in March and privately notified vendors and affected parties right away, the Dutch certificate authority apparently tried to sweep the dirt under the carpet.
Unfortunately its decision might have had serious consequences for the Iranian activists whose Gmail accounts were compromised, and who might be investigated by the Iranian government. In countries with repressive regimes, pro-democracy and freedom of expression activists can face arrest, interrogation, torture or worse.
The attacks against the Italian Comodo reseller and Diginotar are similar in many respects. Both were performed by hackers who claimed to be from Iran, and in both cases Gmail, Yahoo, and addons.mozilla.org were targeted. It wouldn't be surprising if the perpetrators were connected or even the same, especially since the Comodo hacker warned that he would do it again. µ