(LiveHacking.Com) – Following the revelation that the DigiNotar debacle included certificates for MI6, the CIA and Mossad, Google has updated Chrome to 13.0.782.220 for Windows, Mac and Linux to revoke Chrome’s trust for SSL certificates issued by DigiNotar-controlled intermediate CAs used by the Dutch PKIoverheid program. For more details from Google about the security issues see their Security Blog post about DigiNotar.
Mozilla has also published new information about its decision to revoke its trust in the DigiNotar certificate authority. According to Mozilla the block on DigiNotar is “not a temporary suspension, it is a complete removal from our trusted root program.”
Mozilla lists three central reasons for its decision:
1) Failure to notify. DigiNotar detected and revoked some of the fraudulent certificates 6 weeks ago without notifying Mozilla.
2) The scope of the breach remains unknown. While Mozilla were initially informed by Google that a fraudulent *.google.com certificate had been issued, DigiNotar eventually confirmed that more than 200 certificates had been issued against more than 20 different domains. It is now known that the attackers also issued certificates from another of DigiNotar’s intermediate certificates without proper logging. It is therefore impossible for us to know how many fraudulent certificates exist, or which sites are targeted.
3) The attack is not theoretical. Mozilla have received multiple reports of these certificates being used in the wild.