The Dutch Ministry of the Interior and Kingdom Relations announced Friday that it would revoke both DigiNotar PKIoverheid root certificates as of Wednesday, Sept. 28. This action follows a decision by the government to remove DigiNotar’s CAs from the Netherlands Trust List and DigiNotar’s filing for bankruptcy.
At the end of August, Microsoft warned about fraudulent certificates being issued by DigiNotar. It was subsequently revealed that DigiNotar’s system was compromised and more than 500 bogus digital certificates were issued in the names of major web properties, as well as intelligence services, such as the CIA, MI6, and Mossad.
In a blog post, John Harris of Adobe explained that, as a result of the Dutch government’s revocation, “new digital signatures created with certificates from these certificate families will no longer show as valid in Acrobat and Reader, regardless of version. This is due to the fact that Acrobat and Reader check if certificates associated with the signing credential are revoked at signing and at document open.”
Harris cautioned that the government’s move “will not necessarily invalidate existing documents, if you are opening them with Acrobat or Reader 9.1+. This is due to the fact that these versions of the product check the validity of the signature at the signing time by default, not at the current time – assuming that the signature includes validation information from when it was signed.”
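The difference between the two policies Harris describes can be modelled in a few lines. The following is an added example, not Adobe's or DigiNotar's code: it uses a constructed trust state in which a hypothetical "DigiNotar PKIoverheid CA" stops being trusted on a chosen date, and checks a signature either at the current time or, when the signature carries validation data from signing time, at the moment it was made.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Optional


@dataclass(frozen=True)
class Certificate:
    subject: str
    issuer: str  # name of the CA that issued this certificate


@dataclass(frozen=True)
class Signature:
    signer: Certificate
    signed_at: datetime
    # True when the signature embeds a timestamp and the revocation data
    # gathered at signing time (long-term validation material)
    has_embedded_validation_info: bool


# Constructed trust state for illustration: CA name -> date from which the
# CA is no longer trusted. The CA name and date are assumptions, not data
# taken from any real trust list.
REVOKED_CAS: Dict[str, datetime] = {"DigiNotar PKIoverheid CA": datetime(2011, 9, 28)}


def ca_trusted_at(ca: str, when: datetime, revoked: Dict[str, datetime]) -> bool:
    cutoff: Optional[datetime] = revoked.get(ca)
    return cutoff is None or when < cutoff


def validate(sig: Signature, now: datetime, revoked: Dict[str, datetime] = REVOKED_CAS,
             check_at_signing_time: bool = True) -> bool:
    """Return True if the signature verifies under the chosen policy.

    check_at_signing_time mirrors the Acrobat/Reader 9.1+ default described
    above; it only applies when the signature carries validation data from
    signing time, otherwise the check falls back to the current time."""
    if check_at_signing_time and sig.has_embedded_validation_info:
        return ca_trusted_at(sig.signer.issuer, sig.signed_at, revoked)
    return ca_trusted_at(sig.signer.issuer, now, revoked)


def scenario() -> Dict[str, bool]:
    """Three constructed signatures checked on a date after the revocation."""
    ca = Certificate("Example Signer", "DigiNotar PKIoverheid CA")
    now = datetime(2011, 10, 5)
    old_ltv = Signature(ca, datetime(2011, 6, 1), True)     # signed before cutoff, with LTV data
    old_plain = Signature(ca, datetime(2011, 6, 1), False)  # signed before cutoff, no LTV data
    new_sig = Signature(ca, datetime(2011, 10, 1), True)    # signed after cutoff
    return {
        "old_ltv_signing_time": validate(old_ltv, now),
        "old_ltv_current_time": validate(old_ltv, now, check_at_signing_time=False),
        "old_plain_signing_time": validate(old_plain, now),
        "new_sig_signing_time": validate(new_sig, now),
    }
```

Only the pre-revocation signature that embedded its own validation data survives the revocation; a signature without that data, or any new signature, fails under either policy.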
The certificate authority breach saga actually began in March, when a number of Comodo registration authorities (RAs) were hacked and fraudulent certificates were issued from those RAs. At that time, an Iranian hacker who goes by the name Comodohacker claimed responsibility for the hack.
In an early September posting on Pastebin.com, Comodohacker claimed responsibility for compromising the DigiNotar CAs. He told the New York Times that he chose DigiNotar because it was Dutch and he was motivated by the failure of Dutch peacekeepers in 1995 to prevent the massacre of Muslims in Srebrenica.
Also this month, Comodohacker claimed that he had hacked into GlobalSign, a Belgian CA. In response, GlobalSign suspended the issuing of certificates and began an investigation into the claim. The company found evidence of a breach of a web server, but said the server was isolated from other infrastructure. It went back online last week.
But Comodohacker was not done there. He bragged that he had gained access to Microsoft’s systems and was able to exploit Microsoft’s Windows Update service.
Commenting on Comodohacker’s Microsoft threat, Don DeBolt, director of threat research at Total Defense, said that the hacker claimed to have “reversed the Microsoft Windows update process” and to be able to “push updates at his will via that mechanism.”
Microsoft disputes that claim, “specifically because on the client side, it is going to check the digital signature of that package and it has to be signed by the Microsoft root certificate authority. That is the control that Microsoft is relying on to ensure the integrity of that transaction”, DeBolt explained.
To counter hackers like Comodohacker, CAs need to ensure their internal controls are “as sound and robust as possible because these types of compromises…should not have happened. There should have been multiple layers of security within the certificate authorities themselves to catch this type of attack, compromise, or fraudulent behavior”, DeBolt advised.