Back in March, a trusted Root Certification Authority (CA), Comodo, accidentally issued nine fraudulent digital certificates for some very popular domains. Unfortunately, the past has repeated itself, this time with a CA called DigiNotar.
If you’ve followed security news over the last few weeks, you’ve likely heard that a Dutch CA called DigiNotar has mistakenly issued over 200 fraudulent certificates to Iran (the certs were for Google, Mozilla, Yahoo, and Tor domains). DigiNotar claims the false certificates were issued as the result of an intrusion into its CA infrastructure, and it claims to have since revoked them. However, experts have learned that DigiNotar issued many more fraudulent certificates than it first admitted.
As mentioned in our Comodo post, when you visit sites, digital certificates help ensure that the site you visit really is the one you think it is. Phishers often try to spoof popular sites in order to steal your credentials. Digital certificates can help prevent this by warning you when a site presents an improper certificate, one that doesn’t match the domain. However, falsely issued certificates let attackers either build very convincing spoofed sites for the affected domains, or carry out Man-in-the-Middle (MitM) attacks, even against sites where a valid certificate is required.
Though DigiNotar claims to have revoked the fraudulent certificates, OS vendors have released patches that either ensure these certificates are revoked, or remove DigiNotar from the list of trusted root CAs. Depending on your OS, I recommend you install the corresponding updates below, to protect yourself from these false certs:
Also, if your web browser supports Online Certificate Status Protocol (OCSP), you can enable it so your browser protects you from sites leveraging these false certificates.
Finally, if you use one of WatchGuard’s appliances, you can also enable OCSP in our HTTP-proxy. Simply enable the setting, “Use OCSP to confirm the validity of certificates.” Our appliances also trust the same root authorities that most web browsers do, so we include DigiNotar in our list of trusted CAs. If you do not want to trust DigiNotar any longer (despite them revoking the false certs), go to Firebox System Manager and click View => Certificates. Then delete the DigiNotar certificate from your trusted list.
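As an added illustration (not WatchGuard code and not part of the original post), the Go program below builds a constructed “DigiNotar” root CA and a leaf certificate for www.google.com issued under it, then shows what chain validation does while that root is still in the trust list versus after it has been deleted, and additionally flags any chain that still passes through a distrusted organization. The CA name, keys, serial numbers and host name are all constructed test data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var Distrusted = map[string]bool{"DigiNotar": true} // issuers deleted from the trust list, as the post advises

// issue creates a constructed certificate for org/cn; a nil parent yields a self-signed root CA.
func issue(org, cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{Organization: []string{org}, CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: parent == nil, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	} else { // server certificate: carries the host name a browser will check
		tmpl.DNSNames = []string{cn}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// CheckChain verifies leaf for host against roots, then rejects any chain through a distrusted CA.
func CheckChain(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return err // no trusted path at all, e.g. after the DigiNotar root has been deleted
	}
	for _, c := range chains[0] {
		if org := c.Subject.Organization; len(org) > 0 && Distrusted[org[0]] {
			return fmt.Errorf("chain passes through distrusted CA %q", c.Subject.CommonName)
		}
	}
	return nil
}
```

Calling CheckChain on the constructed leaf with the constructed root still in the pool fails on the distrust check, and with an empty pool fails on chain building; a leaf under an unrelated, still-trusted root passes.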
If you follow these workarounds, the fraudulent DigiNotar certificates shouldn’t affect you or your network.
For more information about this issue, see the resources below:
- Initial Story (links from Slashdot)
- DigiNotar’s response
- 200 Certs leaked
- Moxie Marlinspike’s proposed solution to such fraudulent digital certs