Chain of trust broken by compromised root certificate, updates to control the damage

The entire online media is buzzing about the recent incident of the fraudulent digital certificate issued by the Dutch company DigiNotar. DigiNotar is a certification authority present in the Trusted Root Certification Authorities store of Windows and of many browsers. The fraudulent certificate was issued for *.google.com, a wildcard that covers Google subdomains such as mail.google.com, plus.google.com and docs.google.com, so that it could be used to impersonate those sites for phishing or for man-in-the-middle attacks against any browser that trusts the DigiNotar root. Even though pulling off an impersonation of this scale against such well-known domains is very hard (though not impossible), the real problem lies elsewhere. DigiNotar has broken the chain of trust on which the digital certificate industry rests: a browser has no way to tell a certificate the company issued legitimately from one minted with its compromised infrastructure, so once the root can no longer be trusted, every certificate DigiNotar has ever issued loses its value with it. According to the company's press release the damage is low, but it seems that only they believe this.

To reduce the potential damage, browser vendors released a series of updates that remove DigiNotar's certificate from the list of root certificates in the browser's Certificate Trust List. Microsoft went further and issued a Security Advisory informing users that the same operation has been performed on all Windows versions from Vista onwards, where the trust list is updated automatically. According to the company, users of these operating systems will be presented with an invalid certificate error when they browse to a web site, or try to install a program, whose certificate chains to the DigiNotar root.

In these cases users should follow the instructions in the message and not trust the web site. Microsoft will release a future update to address the issue for all supported editions of Windows XP and Windows Server 2003, which do not receive this change automatically.

Even though the problem lies with the certification authority and not with the browsers or operating systems, all vendors released updates that invalidate the compromised root certificate: the client's trust list is the only place where the damage can be contained, because the fraudulent certificate itself is indistinguishable from a genuine one.
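To make the two points above concrete (every certificate under a distrusted root fails, not only the fraudulent one, and the fix lives in the client's trust list rather than in any certificate), here is an added example in Go, written for this page and not taken from the original post or from any browser or OS vendor. It builds a throwaway PKI in memory: a stand-in root playing the role of the compromised CA, an unrelated root, one certificate the first CA issued legitimately, one wildcard certificate minted with its key, and one certificate from the other CA. All CA names, host names, serial numbers and keys are constructed for the demo. `Trusted` performs the same check a browser does, chain validation plus hostname match, against a given trust list; the "update" is simply the same list without the compromised root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is a self-signed root together with its private key, the thing the attacker got hold of.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// newCert generates a P-256 key pair and a certificate from tmpl; with parent nil it is self-signed.
func newCert(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// NewRoot creates a self-signed CA certificate (constructed name, not a real CA).
func NewRoot(name string) *CA {
	cert, key := newCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
	return &CA{Cert: cert, Key: key}
}

// Issue signs a server certificate for the given DNS names. Anyone holding the CA key
// can do this, and the result is indistinguishable from a legitimately issued one.
func (ca *CA) Issue(serial int64, dnsNames ...string) *x509.Certificate {
	cert, _ := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(serial),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
	}, ca.Cert, ca.Key)
	return cert
}

// Trusted is the decision a browser makes: does cert chain to a root in the trust
// list and is it valid for host? The certificate never changes; only the list does.
func Trusted(roots *x509.CertPool, cert *x509.Certificate, host string) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// BuildDemo mirrors the incident with constructed names: one root whose key was
// abused to mint a wildcard certificate, and one unrelated root. It returns the trust
// lists before and after the vendor update plus the three certificates to check.
func BuildDemo() (before, after *x509.CertPool, legit, fraud, bank *x509.Certificate) {
	compromised := NewRoot("Compromised Root CA") // stand-in for the DigiNotar root
	other := NewRoot("Other Root CA")
	before, after = x509.NewCertPool(), x509.NewCertPool()
	before.AddCert(other.Cert)
	before.AddCert(compromised.Cert)
	after.AddCert(other.Cert) // the vendor update: the same list minus one root
	legit = compromised.Issue(2, "shop.example.net")                   // issued before the breach
	fraud = compromised.Issue(3, "*.victim.example", "victim.example") // minted by the attacker
	bank = other.Issue(2, "bank.example.org")                          // unrelated CA, untouched
	return before, after, legit, fraud, bank
}

func main() {
	before, after, legit, fraud, bank := BuildDemo()
	for host, cert := range map[string]*x509.Certificate{"shop.example.net": legit, "mail.victim.example": fraud, "bank.example.org": bank} {
		fmt.Printf("%-20s before update: %-5v after update: %v\n", host, Trusted(before, cert, host), Trusted(after, cert, host))
	}
}
```

Run it with `go run`. Before the update the fraudulent wildcard validates for mail.victim.example exactly like the legitimate shop certificate, which is why the CA's credibility, and not any single certificate, is what was lost. After the update both certificates under the removed root fail while the unrelated CA's certificate still validates, and a real browser or Windows trust store behaves the same way once the root is gone.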

Mozilla released an update to Firefox for Desktop, Thunderbird and SeaMonkey. Updates are now available for:
• Firefox for Windows, Mac and Linux (final release)
• Firefox for Windows, Mac and Linux (3.6.21 final release)
• Firefox Aurora for Windows, Mac and Linux
• Firefox Nightly for Windows, Mac and Linux
• SeaMonkey (2.3.2)
• Thunderbird (6.0.1)

Google released Chrome 13.0.782.218 for Windows, Mac, Linux and Chrome Frame, which blocks the certificate in question and, apparently, blacklists 247 other certificates as well.

We strongly advise all users to update their browsers and, if running Windows, the operating system as well.

Sorin Mustaca

Data Security Expert