DigiNotar
DigiNotar was a Dutch certificate authority owned by VASCO Data Security International. On September 3, 2011, after it had become clear that a security breach had resulted in the fraudulent issuing of certificates, the Dutch government took over operational management of DigiNotar's systems. That same month, the company was declared bankrupt.

Company

DigiNotar's main activity was as a certificate authority, issuing two types of certificate. Firstly, it issued certificates under its own name (where the root CA was "DigiNotar Root CA"). Entrust certificates had not been issued since July 2010, but some were still valid up to July 2013. Secondly, it issued certificates for the Dutch government's PKIoverheid ("PKIgovernment") program. This issuance was via two intermediate certificates, each of which chained up to one of the two "Staat der Nederlanden" root CAs. National and local Dutch authorities, and organisations offering services for the government, that want to use certificates for secure internet communication can request such a certificate. Some of the most-used electronic services offered by Dutch governments used certificates from DigiNotar. Examples were the authentication infrastructure DigiD and the central car-registration organisation Rijksdienst voor het Wegverkeer.

The "DigiNotar Root CA" root was included in the trusted root lists of common internet client software but has now been removed; the "Staat der Nederlanden" roots were initially kept because they were not believed to be compromised. However, they have since been revoked.

History

DigiNotar was originally set up in 1997 by the Dutch notary Dick Batenburg from Beverwijk and the Koninklijke Notariële Beroepsorganisatie (KNB), the national body for Dutch civil-law notaries. The KNB offers all kinds of central services to the notaries, and because many of the services that notaries offer are official legal procedures, security in communications is important. The KNB offered advisory services to its members on how to implement electronic services in their business; one of these activities was offering secure certificates.

Dick Batenburg and the KNB formed the group TTP Notarissen (TTP Notaries), where TTP stands for Trusted Third Party. A notary can become a member of TTP Notarissen by complying with certain rules; by complying with additional rules on training and work procedures, they can become an accredited TTP Notary.

Although DigiNotar had been a general-purpose CA for several years, it still targeted the market for notaries and other professionals.

On January 10, 2011, the company was sold to VASCO Data Security International, Inc. In a VASCO press release dated June 20, 2011, one day after DigiNotar first detected an incident on its systems, VASCO's president and COO Jan Valcke is quoted as stating: "We believe that DigiNotar's certificates are among the most reliable in the field."

Bankruptcy

On September 20, 2011, VASCO announced that its subsidiary DigiNotar had been declared bankrupt after filing for voluntary bankruptcy at the Haarlem court. Effective immediately, the court appointed a receiver, a court-appointed trustee who takes over the management of all of DigiNotar's affairs as it proceeds through the bankruptcy process to liquidation.

Issuance of fraudulent certificates

On July 10, 2011, a wildcard certificate for Google was issued by DigiNotar's systems to an attacker who had gained access to them. This certificate was subsequently used by unknown persons in Iran to conduct a man-in-the-middle attack against Google services. On August 28, 2011, certificate problems were observed on multiple Internet service providers in Iran. The fraudulent certificate was posted on Pastebin. According to a subsequent news release by VASCO, DigiNotar had detected an intrusion into its certificate authority infrastructure on July 19, 2011. DigiNotar did not publicly reveal the security breach at the time.

After this certificate was found, DigiNotar belatedly admitted that dozens of fraudulent certificates had been created, including certificates for the domains of Yahoo!, Mozilla, WordPress and The Tor Project. DigiNotar could not guarantee that all such certificates had been revoked. Google blacklisted 247 certificates in Chromium, but the final known total of misissued certificates is at least 531. Investigation by F-Secure also revealed that DigiNotar's website had been defaced by Turkish and Iranian hackers in 2009.

In reaction, Microsoft removed the DigiNotar root certificate from its list of trusted certificates for its browsers on all supported releases of Microsoft Windows, and Mozilla revoked trust in the DigiNotar root certificate in all supported versions of its Firefox browser. Google Chrome was able to detect the fraudulent *.google.com certificate thanks to Chrome's "certificate pinning" security feature; however, this protection was limited to Google domains, which resulted in Google removing DigiNotar from its list of trusted certificate issuers. Opera always checks the certificate revocation list of the certificate's issuer, and so initially stated that it did not need a security update; however, it later also removed the root from its trust store. On September 9, 2011, Apple issued Security Update 2011-005 for Mac OS X 10.6.8 and 10.7.1, which removes DigiNotar from the list of trusted root certificates and EV certificate authorities. Without this update, Safari and Mac OS X do not detect the certificate's revocation, and users must use the Keychain utility to delete the certificate manually.

DigiNotar also controlled an intermediate certificate which was used for issuing certificates as part of the Dutch government's public key infrastructure "PKIoverheid" program, chaining up to the official Dutch government certification authority ("Staat der Nederlanden"). Once this intermediate certificate was revoked or marked as untrusted by browsers, the chain of trust for its certificates was broken, and it was difficult to access services such as the identity management platform DigiD and the Tax and Customs Administration. GovCert, the Dutch computer emergency response team, initially did not believe the PKIoverheid certificates had been compromised, although security specialists were uncertain. Because these certificates were initially thought not to be compromised by the security breach, they were, at the request of the Dutch authorities, kept exempt from the removal of trust, although one of the two, the active "Staat der Nederlanden - G2" root certificate, was overlooked by the Mozilla engineers and accidentally distrusted in the Firefox build. However, this assessment was rescinded after an audit by the Dutch government, and the DigiNotar-controlled intermediates in the "Staat der Nederlanden" hierarchy were also blacklisted by Mozilla in the next security update, and by other browser manufacturers. The Dutch government announced on September 3, 2011, that it would switch to a different firm as certificate authority.

Steps taken by the Dutch Government

After the initial claim that the certificates under the DigiNotar-controlled intermediate certificate in the PKIoverheid hierarchy were not affected, further investigation by an external party, the Fox-IT consultancy, showed evidence of hacker activity on those machines as well. Consequently, the Dutch government decided on September 3 to withdraw its earlier statement that nothing was wrong.

DigiNotar was only one of the available CAs in PKIoverheid, so not all certificates used by the Dutch government under its root were affected. When the Dutch government decided that it had lost its trust in DigiNotar, it took back control over the company's intermediate certificate in order to manage an orderly transition, and replaced the untrusted certificates with new ones from one of the other providers. The much-used DigiD platform now uses a certificate issued by Getronics PinkRoccade Nederland B.V. According to the Dutch government, DigiNotar gave it its full co-operation with these procedures.

After the removal of trust in DigiNotar, there are now three Certification Service Providers (CSPs) that can issue certificates under the PKIoverheid hierarchy:
  • ESG or de Electronische Signatuur
  • QuoVadis
  • Getronics Pink Roccade

All three companies have opened special help desks and/or published information on their websites as to how organisations that have a PKIoverheid certificate from DigiNotar can request a new certificate from one of the remaining three providers.

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.