DigiNotar breach leads to grave security concerns

A breach in the computer systems of Dutch certificate company DigiNotar has led to grave concerns about the security of internet users in Iran and of Dutch government communications. On 2 September 2011, the Dutch government withdrew its trust in certificates issued by DigiNotar after the discovery of fraudulent certificates. It advised Dutch citizens not to log in to websites using these certificates until the certificates have been replaced. Meanwhile, there is credible evidence that the confidential communication of hundreds of thousands of Iranians with Gmail has been intercepted.

In June 2011, DigiNotar's servers were broken into, and certificates were fraudulently issued in the weeks that followed. Although some of these certificates were revoked, DigiNotar kept the breach secret. Only weeks later, after someone in Iran who had tried to log in to Gmail and received a warning about a non-authentic DigiNotar certificate for Google posted about it on a forum, did DigiNotar acknowledge the breach. On 29 August 2011, the Dutch government was notified of the incident.

DigiNotar revoked the rogue Google certificate and asked a Dutch security firm to investigate the breach. The investigation report (PDF) showed that DigiNotar had not observed basic security measures and that hundreds of false certificates had been issued on its systems. The rogue Google certificate had been in use since 27 July 2011. Active abuse was observed between 4 and 29 August 2011. It is likely that hundreds of thousands of sessions with Google from Iran were intercepted using this certificate.

DigiNotar issues several types of certificates, including PKI-Overheid certificates – typically used by the Dutch government for its websites – and ‘simple’ certificates. As it could not be ruled out that false government certificates had also been issued, the Dutch government decided to switch to certificates from other authorities.

The DigiNotar incident also raises questions about the safety and trustworthiness of the certificate system in general. Worldwide, hundreds of companies provide these certificates, and supervision of them is limited. They can sell certificates as long as they meet the conditions set by the browser manufacturers. There is no guarantee that all of them take adequate measures to prevent and detect breaches. This should be a wake-up call for governments and organisations all over the world to actively start working on better, more robust certification systems.
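The structural weakness behind the rogue Google certificate, that a browser accepts a certificate for any site from any one of its trusted roots, can be shown with Go's standard-library x509 package. The example below is added here and is not code from the original post or from DigiNotar: it constructs two hypothetical roots, "Legit CA" and "Compromised CA", and a made-up hostname, and contrasts ordinary path validation with a pinned check that also requires the chain to end at the root the site is known to use (a mitigation the post does not itself name).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue returns a certificate for name signed by parent; parent == nil makes a self-signed root CA.
func issue(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true,
	}
	if parent == nil { // root CA: may sign other certificates and signs itself
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // server certificate for hostname name: nothing stops any trusted CA from issuing one
		tmpl.DNSNames = []string{name}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Check models a browser trusting two roots (constructed here as "Legit CA" and "Compromised CA") and shown a
// certificate for host. defaultOK is ordinary path validation; pinnedOK also requires the chain to end at "Legit CA".
func Check(host string, signedByLegit bool) (defaultOK, pinnedOK bool) {
	legit, legitKey := issue("Legit CA", nil, nil)
	rogue, rogueKey := issue("Compromised CA", nil, nil)
	issuer, issuerKey := rogue, rogueKey
	if signedByLegit {
		issuer, issuerKey = legit, legitKey
	}
	leaf, _ := issue(host, issuer, issuerKey)
	roots := x509.NewCertPool()
	roots.AddCert(legit)
	roots.AddCert(rogue)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	pinnedOK = err == nil && chains[0][len(chains[0])-1].Equal(legit) // pinning: the site knows its real root
	return err == nil, pinnedOK
}
```

Check("mail.example.test", false) returns (true, false): the certificate from the compromised root passes ordinary validation and only the pinned check rejects it, while Check("mail.example.test", true) returns (true, true).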

  1. Eelco

    I’d rather see some nerds, academics and hackers develop a fundamentally secure system to replace the current certificate system. Governments and organisations can hardly be trusted to come up with a solution that is in the interest of all stakeholders.

  2. Anonymous

    There was a Dutch prime minister who once said: "Go to sleep without worrying, the Dutch government guards over you." A few days later Holland was occupied by the Germans. It only got worse since then.

    They now blame a company not following procedures. Did our government regularly check that they follow procedures?
    How can they seriously think that leaving all security to some company is wise or acceptable?
    If a country or powerful company sets itself to infiltrate this security, it will be a piece of cake for them to get some hired employees into a position, bribe another, and bingo: security breached, even with all procedures followed carefully.

    Give all your data, fingerprints and more to the government so they can store them, nobody will ever misuse or steal them. Go to sleep without worrying over it, the Dutch government guards over you. Let us at least sack the responsible minister and government officials for not paying attention.
