Microsoft pro-actively blocks all five DigiNotar certificates on the Windows platform

As the Dutch digital certificate fiasco continues to unfold, some unconfirmed reports suggest that several hundred thousand PC users have been fooled by the fraudulent certificates.

Venafi, meanwhile, says that to prevent this situation from happening again it is advising companies to develop a certificate disaster recovery and business continuity plan.

Chester Wisniewski, Sophos Canada's senior security advisor, says that, although Apple Mac users are still vulnerable to the DigiNotar certificate issue, this latest move by Microsoft extends protection to all supported versions of Windows – including WinXP, Vista, 7, 2008 and 2008 R2 – as well as covering all five certificates owned by DigiNotar.

“Users are no longer presented with a certificate warning, they are prevented from accessing sites with SSL certificates issued by DigiNotar”, he says in his latest security posting, adding that this replaces the previous dialog asking if users wished to proceed.

All Windows users using automatic updates will apply this update and no reboot is required, he asserts, noting that Microsoft has been working with the relevant authorities in the Netherlands to delay the rollout of this special patch until next Tuesday, which is the official Patch Tuesday date.

This will, he explained, give the many .nl websites an opportunity to replace their DigiNotar certificates with something more trustworthy.

In parallel with all of this, Venafi, the key and certificate specialist, is advising major companies to move beyond the initial shock of the DigiNotar hack and start formulating their own compromise recovery and business continuity plans – in case the problem happens again in the future.

Jeff Hudson, the firm's CEO, said that people have not given much thought to the impact or ramifications of a certificate authority compromise.

“This attack against DigiNotar marks 2011’s fourth major breach of a trusted third-party security provider – and both the stakes and the targets are higher than ever. There will be more breaches of third-party trust providers like this in the future, and additional organisations and government agencies will be affected if they don’t take certain steps”, he said.

Hackers, he explained, apparently used the fraudulent certificate to intercept Iranian users’ email, among other items, with the attack going undetected by users because their browsers trusted the DigiNotar certificate.

“A third-party trust provider represents an extremely high value target for hackers. Once an attacker can access and steal trust credentials, they can commit various cybercriminal acts in pursuit of their own nefarious agenda”, said Hudson.

The Venafi CEO asserts that, while SSL and PKI technologies are solid and reliable, major corporates should not relax, as they need to be aware that any individual third-party trust provider – such as a certificate authority – can be compromised and is therefore a known risk. And, he says, known risks require solid, well-conceived contingency plans.

These plans, he says, should centre around the use of multiple certificate authorities – to avoid placing all of a company's IT eggs in one basket – and the careful accounting of all the authorities they use as third-party trust providers.

In addition, Hudson adds, they should have a complete inventory of the owner and location of every certificate in the enterprise, which often runs to thousands, and to tens of thousands or more in the largest businesses.

“And finally, every organisation must have an actionable and comprehensive plan in place to recover from a CA compromise. The time to recover needs to be measured in hours, not weeks or months”, he concluded.
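As an added illustration (not code from the article, Venafi or Microsoft), the following Go program builds the kind of owner-and-location certificate inventory Hudson describes and pulls out the entries a recovery plan would need to replace once an issuing CA is distrusted. The CA names, host names and certificates are constructed placeholders generated in the program itself; `FlagDistrusted`, `newCert` and `SampleInventory` are names chosen here.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)
// CertRecord is one row of the inventory the article calls for: owner, location, certificate.
type CertRecord struct{ Owner, Location string; Cert *x509.Certificate }
// FlagDistrusted returns the rows whose issuer organisation contains a distrusted CA name
// (case-insensitive): the replacement worklist once that CA is pulled. Name matching is a
// heuristic only; production tooling should also match the CA's key or certificate fingerprint.
func FlagDistrusted(inv []CertRecord, distrusted []string) []CertRecord {
	var hits []CertRecord
	for _, rec := range inv {
		issuer := strings.ToLower(strings.Join(rec.Cert.Issuer.Organization, " "))
		for _, bad := range distrusted {
			if strings.Contains(issuer, strings.ToLower(bad)) {
				hits = append(hits, rec)
				break
			}
		}
	}
	return hits
}
// newCert mints a certificate for org signed by parent/pkey, or a self-signed CA when parent
// is nil. Constructed test data only, standing in for real CA and server certificates.
func newCert(org string, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{Organization: []string{org}},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true,
		IsCA: parent == nil, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil { parent, pkey = tmpl, key } // self-signed root: the template is its own parent
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil { panic(err) }
	c, _ := x509.ParseCertificate(der)
	return c, key
}
// SampleInventory: one server certificate from a CA playing the DigiNotar role, one from an unaffected CA.
func SampleInventory() []CertRecord {
	badCA, badKey := newCert("Example Compromised CA", nil, nil)
	okCA, okKey := newCert("Example Other CA", nil, nil)
	web, _ := newCert("Example NL", badCA, badKey)
	vpn, _ := newCert("Example NL", okCA, okKey)
	return []CertRecord{{"web team", "www.example.nl", web}, {"network", "vpn.example.nl", vpn}}
}
```

Run against a real estate, the inventory rows would come from the enterprise's own certificate stores and the distrusted list from the CA names (or better, fingerprints) being revoked.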
