September 27, 2016

DigiNotar Admits Security Breach Allowed Fake Google Certificate to be Issued

(LiveHacking.Com) – DigiNotar’s parent company VASCO Data Security International, Inc. has admitted that a security breach in its Certificate Authority (CA) infrastructure allowed the fraudulent issuance of public key certificate requests for a number of domains, including Google.com.

The press release goes on to say that “at that time, an external security audit concluded that all fraudulently issued certificates were revoked. Recently, it was discovered that at least one fraudulent certificate had not been revoked at the time. After being notified by [the] Dutch government organization Govcert, DigiNotar took immediate action and revoked the fraudulent certificate.”

As I noted yesterday, Microsoft has responded to the news by removing the DigiNotar root certificate from the Microsoft Certificate Trust List.

Mozilla has now announced that it is releasing updates for Firefox (3.6.21, 6.0.1, 7, 8 and 9) and Firefox Mobile (6.0.1, 7, 8 and 9), Thunderbird (3.1.13 and 6.0.1) and SeaMonkey (2.3.2), which will also revoke trust in DigiNotar’s root certificate. They have also posted instructions on how to manually delete the DigiNotar Root CA certificate from Firefox.

Google has also released Chrome 13.0.782.218 for Windows, Mac and Linux. This new version contains an updated version of the Adobe Flash Player and has disabled the DigiNotar root certificate.

Fraudulent Google.com Digital Certificate in the Wild

(LiveHacking.Com) – It has come to light that at least one fraudulent digital certificate has been issued by DigiNotar, a root certificate authority, for Google.com. The digital certificate affects the main domain and all the subdomains of Google.com and could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users.

The problem for users is that because the certificate is valid, the web browser will not display a warning message if a user goes to a fake website presenting this certificate.

Microsoft has responded to the news by removing the DigiNotar root certificate from the Microsoft Certificate Trust List. It is likely that others like Apple and Mozilla will also block this certificate in the near future.
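The two points above, why a fraudulently issued certificate raises no browser warning and why removing the CA's root from the trust list stops it, can be reproduced locally. The following shell script is an added example and is not part of the article or of any vendor's code; it assumes OpenSSL 1.1.1 or later is installed. It builds a throwaway CA root standing in for a compromised CA, issues a leaf for the constructed name www.example.com from it, and then runs the same chain-plus-hostname check a browser performs, once against a trust store that still contains the root and once against the same store with that root deleted. All keys, names and the second "unrelated" root are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the LiveHacking.Com article. It models why a
# fraudulently issued certificate "works" and why vendors pulled the root:
# a leaf chained to a CA root passes validation only while that root is in
# the client's trust store. Everything below (keys, names, www.example.com)
# is constructed here; no real CA material is involved. Needs OpenSSL >= 1.1.1.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the root certs get CA:TRUE regardless of what the
# system openssl.cnf contains.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Generate: a root that plays the compromised CA (stand-in for any CA root),
# an unrelated root that stays trusted throughout, and a leaf for
# www.example.com issued by the compromised root.
make_certs() {
    for name in compromised-root unrelated-root; do
        openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
            -days 30 -subj "/CN=Constructed $name" \
            -keyout "$WORK/$name.key" -out "$WORK/$name.pem" 2>/dev/null
    done
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=www.example.com" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    # The SAN is what a modern client matches the hostname against.
    printf 'subjectAltName=DNS:www.example.com\n' > "$WORK/leaf.ext"
    openssl x509 -req -days 30 -in "$WORK/leaf.csr" \
        -CA "$WORK/compromised-root.pem" -CAkey "$WORK/compromised-root.key" \
        -CAcreateserial -extfile "$WORK/leaf.ext" \
        -out "$WORK/leaf.pem" 2>/dev/null
    # Trust store before the fix, and the same store with the compromised
    # root deleted (the change Microsoft, Mozilla and Google shipped).
    cat "$WORK/unrelated-root.pem" "$WORK/compromised-root.pem" \
        > "$WORK/store-before.pem"
    cp "$WORK/unrelated-root.pem" "$WORK/store-after.pem"
}

# Browser-style check: chain the leaf to the given trust-store file only
# (the default CAfile/CApath are disabled) and require the hostname to
# match. Prints "accepted" or "rejected".
check_leaf() {
    if openssl verify -no-CAfile -no-CApath -CAfile "$1" \
            -verify_hostname www.example.com "$WORK/leaf.pem" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

make_certs
echo "root in trust store:      $(check_leaf "$WORK/store-before.pem")"  # accepted
echo "root removed from store:  $(check_leaf "$WORK/store-after.pem")"   # rejected
```

Note that the leaf is identical in both runs: nothing about the certificate itself changes, only whether its issuer is trusted, which is exactly why a valid-looking certificate from a breached CA produces no warning until the root is distrusted. Revocation, the other control the article mentions, is a separate check (CRL or OCSP) that a client must be configured to perform; it is not exercised here.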

This isn’t the first time that a fake certificate for Google.com has been issued by a certificate authority. Back in March of this year several false certificates were issued for popular domains, including Google.com, when a hacker breached the security at Comodo.

It’s unclear, at this time, how the certificate was obtained, but it is known that DigiNotar has revoked the digital certificate in question.