A breach of the computer systems of the Dutch certificate authority DigiNotar led to grave concerns about the security of internet users in Iran and of Dutch government communications. On 2 September 2011, after the discovery of fraudulent certificates, the Dutch government withdrew its trust in certificates issued by DigiNotar. It advised Dutch citizens not to log in to websites using these certificates until they have been replaced. Meanwhile, there is credible evidence that the confidential communication of hundreds of thousands of Iranians with Gmail has been intercepted.
In June 2011, DigiNotar's servers were breached, and certificates were fraudulently issued in the following weeks. Although some of these certificates were revoked, DigiNotar kept the breach secret. Only weeks later, after someone in Iran posted on a forum that they had tried to log in to Gmail and received a browser warning about a non-authentic DigiNotar certificate for Google, did DigiNotar acknowledge the breach. On 29 August 2011, the Dutch government was notified of the incident.
DigiNotar revoked the rogue Google certificate and asked a Dutch security firm to investigate the breach. The investigation report (PDF) showed that DigiNotar had not observed basic security measures and that hundreds of false certificates had been issued on its systems. The rogue Google certificate had been in use since 27 July 2011, and active abuse was observed between 4 and 29 August 2011. It is likely that hundreds of thousands of sessions with Google from Iran were intercepted using this certificate.
DigiNotar issues several types of certificates, including PKI-Overheid certificates – typically used by the Dutch government for its websites – and ‘simple’ certificates. Since it could not be ruled out that false government certificates had also been issued, the Dutch government decided to switch to certificates from other authorities.
The DigiNotar incident also raises questions about the safety and trustworthiness of the certificate system in general. Worldwide, hundreds of companies issue these certificates, and oversight of them is limited: any of them may sell certificates as long as it meets the conditions set by the browser manufacturers, and any browser-trusted authority can issue a certificate for any domain. There is no guarantee that all of them take adequate measures to prevent and detect breaches. This should be a wake-up call for governments and organisations all over the world to actively start working on better, more robust certification systems.