In the Netherlands news just broke involving more details with regards to the DigiNotar compromise.
According to this the following were included in the targeted domains: Yahoo.com, mozilla.org, torproject.org, wordpress.org and Iranian blogging platform Baladin.
So far, I haven’t been able to verify these myself. It would be great if any of the browser makers or DigiNotar could confirm these were amongst the targeted domains.
Assuming these domains were indeed targeted the most plausible explanation is that a specific government is behind this attack.
What’s worrisome in this saga is DigiNotar’s claim a “few dozen” rogue certificates were generated. This is a particularly suspicious claim because at the same time Google has blocked over 200 rogue certificates. Something doesn’t quite add up.
It gets worse though. According to DigiNotar they’re not able to track which rogue certificates were generated. So more of these rogue certificates may be out there.
How is this possible? Either DigiNotar performs no logging of the certificates they create or their logs got cleaned out during the attack.
Either answer is bad and neither of them is worthy of the trust we necessarily have to put into certificate authorities.
DigiNotar’s response to this whole debacle has only made me more worried about how deep this attack may have run. To me, it seems that DigiNotar has not realized certificate authorities need to sell trust above anything else.
The browser makers have responded by exiling DigiNotar from the PKI chain. Now we’re waiting for the Dutch government to do the same.