(LiveHacking.Com) – Fox-IT, the Dutch security company hired to investigate the security breach at DigiNotar, has released its interim report. The day after it became public knowledge that a rogue *.google.com certificate had been presented to a number of Internet users in Iran, Fox-IT was contacted and asked to investigate the breach and report its findings. Fox-IT assembled a team and started the investigation known as “Operation Black Tulip.”
The report has some very interesting findings:
- The rogue certificate found by Google was issued by the DigiNotar Public CA 2025. The serial number of the certificate was, however, not found in the CA system's records. This leads to the conclusion that it is unknown how many certificates were issued without any record present.
- Web browsers perform an Online Certificate Status Protocol (OCSP) check as soon as the browser connects to an SSL-protected website over HTTPS. The serial number of the certificate presented by the website a user visits is sent to the issuing CA's OCSP responder. The OCSP responder can only answer with “good”, “revoked” or “unknown”. If a certificate serial number is presented to the OCSP responder and no record of this serial is found, the normal OCSP responder answer would be “good”. The OCSP responder answer “revoked” is only returned when the serial has been revoked by the CA. In order to prevent misuse of the unknown issued serials, the OCSP responder of DigiNotar has been set to answer “revoked” when presented with any unknown certificate serial it has authority over. This was done on September 1st.
- The list of domains and the fact that 99% of the users are in Iran suggest that the objective of the hackers is to intercept private communications in Iran.
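To make the OCSP finding above concrete, here is an added Python model of a responder's decision logic; it is not code from the article or from the Fox-IT report, and the issuance records, the legitimate serial and the rogue serial are constructed for illustration. It shows why a responder that answers “good” for serials missing from the CA's records lets an unrecorded certificate pass, and how the “revoked for unknown serials” setting closes that gap.

```python
from dataclasses import dataclass, field

GOOD, REVOKED = "good", "revoked"


@dataclass
class OcspResponder:
    """Decision logic of a CA's OCSP responder, reduced to the answers the
    article discusses. Records and serials are constructed for illustration."""
    issued: dict[int, str]                 # serial -> subject, as recorded at issuance
    revoked: set[int] = field(default_factory=set)
    unknown_is_revoked: bool = False       # the setting DigiNotar enabled on September 1st

    def status(self, serial: int) -> str:
        if serial in self.revoked:
            return REVOKED                 # explicitly revoked by the CA
        if serial in self.issued:
            return GOOD                    # a serial the CA knows it issued
        # No record of this serial. The article describes "good" as the normal
        # answer, which is exactly what lets a certificate issued outside the
        # CA's records pass; the hardened responder answers "revoked" instead.
        return REVOKED if self.unknown_is_revoked else GOOD


def browser_accepts(responder: OcspResponder, serial: int) -> bool:
    """A browser's OCSP check: only a 'good' answer lets the connection proceed."""
    return responder.status(serial) == GOOD


def demo() -> dict[str, object]:
    # Constructed issuance database: one legitimate certificate, properly recorded.
    records = {0x1001: "www.example.org"}
    # Constructed rogue serial: issued by the compromised CA but absent from its
    # records, mirroring the unrecorded *.google.com certificate in the report.
    rogue_serial = 0xABCD0001

    default = OcspResponder(issued=records)
    hardened = OcspResponder(issued=records, unknown_is_revoked=True)
    return {
        "legit_default": browser_accepts(default, 0x1001),
        "rogue_default": browser_accepts(default, rogue_serial),     # True: the gap
        "legit_hardened": browser_accepts(hardened, 0x1001),
        "rogue_hardened": browser_accepts(hardened, rogue_serial),   # False: closed
        "rogue_status_hardened": hardened.status(rogue_serial),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note that this hardening only helps when the browser actually consults the responder and treats a non-“good” answer as fatal; a client that soft-fails on an unreachable or non-committal responder gains nothing from it.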