[ISN] DigiNotar Hacked Out Of Business

From: InfoSec News <alerts_at_private>
Date: Wed, 21 Sep 2011 00:35:31 -0500 (CDT)
http://www.darkreading.com/authentication/167901072/security/attacks-breaches/231601790/diginotar-hacked-out-of-business.html

By Kelly Jackson Higgins
Dark Reading
Sept 20, 2011

Say goodbye to certificate authority DigiNotar: The beleaguered Dutch CA 
has filed for bankruptcy in the wake of the recent massive breach at the 
firm, its parent company VASCO Security said today, and has exited the 
CA business altogether. While the demise of DigiNotar comes as no real 
surprise given the chain of events that has transpired since it first 
became known that the CA had been hacked, its downfall has ignited debate 
over what can be done to prevent digital certificate disasters in the 
future.

There's no easy way to ensure CAs don't get hacked, or that one is more 
trustworthy than another if they pass their audits. But there is a way 
to discourage CA hacks altogether, says Roel Schouwenberg, senior 
antivirus researcher for Kaspersky Lab: Browser vendors could store a 
whitelist of proper certificates for the top 10 or 20 targets of 
cyberespionage, such as Facebook, Gmail, Yahoo, and Tor, as well as any 
high-profile sites.

DigiNotar's hack was first exposed last month when Google's Chrome team 
noticed a DigiNotar-issued certificate for google.com that didn't match 
its internal certificate list for google.com. Schouwenberg says browser 
vendors could add a similar feature to their software so they could 
automatically confirm the legitimacy of a certificate. "You need to 
disincentivize actors to hack CAs. In the current system, we need to 
live with the fact that CAs can be hacked," he says. Adding a list of 
known certificates for, say, the top 20 targeted websites would give 
browsers the ability to vet certs before users get duped.

"Simply doing this within the browser would really disincentivize 
attackers," he says. "So fixing this aspect of the broken trust model is 
quite easy."
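The check described above, a client-side pin list for a handful of high-value hosts, is what is now usually called certificate (or public-key) pinning. The following is an added example, not code from the article or from any browser vendor: it keeps, per host, a set of SHA-256 hashes of known-good SubjectPublicKeyInfo (SPKI) structures in the HPKP/Chrome convention, extracts the SPKI from each DER certificate in a presented chain, and rejects the chain if none of them matches a pin. The host names, the "Good CA" / "Rogue CA" names and the certificates and key bits are all constructed for the example (the X.509 layout is real, the keys and signatures are placeholders); the chain is assumed to be DER, leaf first, and to have already passed ordinary CA path validation.

```python
"""Pin check of the kind described above: per high-value host, a set of SHA-256
hashes of known-good SubjectPublicKeyInfo (SPKI) structures; a chain that carries
none of them is refused even if it validates to a trusted CA. Added example; the
certificates and keys below are constructed here and are not real."""
import base64
import hashlib

# ---- minimal DER encode/decode, enough for the X.509 pieces touched here ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def read_tlv(buf, pos):
    """Return (tag, raw_tlv, body, next_pos) for the TLV starting at pos."""
    tag, length, p = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[p:p + nbytes], "big")
        p += nbytes
    return tag, buf[pos:p + length], buf[p:p + length], p + length

def extract_spki(cert_der):
    """Return the raw DER subjectPublicKeyInfo of a certificate (RFC 5280 s4.1:
    TBSCertificate = [0] version OPTIONAL, serialNumber, signature, issuer,
    validity, subject, subjectPublicKeyInfo, ...)."""
    _, _, cert_body, _ = read_tlv(cert_der, 0)       # Certificate SEQUENCE
    _, _, tbs, _ = read_tlv(cert_body, 0)            # tbsCertificate SEQUENCE
    pos = 0
    tag, _, _, nxt = read_tlv(tbs, pos)
    if tag == 0xA0:                                  # explicit [0] version present
        pos = nxt
    for _ in range(5):                               # serial, sigalg, issuer, validity, subject
        _, _, _, pos = read_tlv(tbs, pos)
    tag, spki_raw, _, _ = read_tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo must be a SEQUENCE")
    return spki_raw

def spki_pin(cert_der):
    """Pin value in the HPKP/Chrome convention: base64(SHA-256(DER SPKI))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def chain_satisfies_pins(host, chain_der, pinned_hosts):
    """Decide whether an already CA-validated chain (leaf first) may be used for host.
    Pinning augments path validation rather than replacing it: a host with no pins
    passes here and relies on the CA check alone; a pinned host needs at least one
    certificate in the chain, leaf or intermediate, whose SPKI hash is pinned."""
    pins = pinned_hosts.get(host)
    if pins is None:
        return True
    return any(spki_pin(cert) in pins for cert in chain_der)

# ---- constructed sample material (X.509 structure is real, key bits are dummies) ----
OID_CN = b"\x55\x04\x03"                              # id-at-commonName
OID_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"     # rsaEncryption
OID_SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"

def fake_spki(seed):
    """SPKI with an rsaEncryption AlgorithmIdentifier and deterministic dummy key bits."""
    alg = der(0x30, der(0x06, OID_RSA) + der(0x05, b""))
    return der(0x30, alg + der(0x03, b"\x00" + hashlib.sha256(seed).digest() * 8))

def fake_cert(subject_cn, issuer_cn, spki):
    """Certificate with a correct TBS layout and a placeholder (never verified) signature."""
    name = lambda cn: der(0x30, der(0x31, der(0x30, der(0x06, OID_CN) + der(0x0C, cn.encode()))))
    sig_alg = der(0x30, der(0x06, OID_SHA256_RSA) + der(0x05, b""))
    utc = der(0x17, b"110901000000Z")
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sig_alg
              + name(issuer_cn) + der(0x30, utc + utc) + name(subject_cn) + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" * 33))

GOOD_CA_SPKI = fake_spki(b"legitimate intermediate CA")
ROGUE_CA_SPKI = fake_spki(b"compromised CA")
GOOD_CA_CERT = fake_cert("Good CA", "Good Root", GOOD_CA_SPKI)

# Pins are keyed on the public key, not the certificate: a reissued intermediate with
# the same key still matches, while any certificate from a different CA does not.
PINNED_HOSTS = {"google.com": {spki_pin(GOOD_CA_CERT)}}

LEGIT_CHAIN = [fake_cert("google.com", "Good CA", fake_spki(b"google leaf key")), GOOD_CA_CERT]
# A rogue google.com certificate from a compromised but still trusted CA: it passes
# ordinary CA validation (the root is trusted) and fails the pin check.
ROGUE_CHAIN = [fake_cert("google.com", "Rogue CA", fake_spki(b"attacker leaf key")),
               fake_cert("Rogue CA", "Rogue Root", ROGUE_CA_SPKI)]

if __name__ == "__main__":
    for label, chain in (("legit", LEGIT_CHAIN), ("rogue", ROGUE_CHAIN)):
        print(label, "google.com pin check:", chain_satisfies_pins("google.com", chain, PINNED_HOSTS))
```

Two design points worth noting. The pin is taken over the public key rather than the whole certificate, so a CA can rotate or reissue a certificate without breaking clients as long as the key is unchanged, and a pin on an intermediate covers every leaf beneath it. And the check runs after, not instead of, normal chain validation: a pinned host with a mis-issued but CA-valid certificate, the DigiNotar case, is exactly the situation the extra check is there to catch, while an unpinned host is left to the ordinary CA check.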

Revoking certificates is problematic: Not only is it difficult to remove 
a certificate from circulation once a CA has issued it, but when trust in 
a CA is revoked, there is fallout: "When you try to revoke trust for a CA, 
you will see major repercussions," such as with the Dutch government 
agencies that had certs with DigiNotar, Schouwenberg says. "It truly 
crippled part of the Dutch infrastructure," including hospitals, financial 
services, and law firms, he says.

[...]

Received on Tue Sep 20 2011 - 22:35:31 PDT