DigiNotar certificate authority breach: Why it matters

There has been much speculation around the identity and motive of the hacker who was able to breach DigiNotar and issue fraudulent digital certificates for hundreds of websites, but putting such speculation aside, what is the broader significance of the incident?


With several prominent organisations being hit by data breaches in recent months, such incidents are becoming increasingly commonplace, but few carry the same importance for internet users.

The reason this particular breach stands out from others is because DigiNotar is one of the trusted root certificate authorities that underpin the trust foundation of the entire internet. As a certificate authority, DigiNotar is empowered to issue certificates that allow websites offering secure, encrypted communications to prove that they are who they say they are.

When internet users visit secure sites such as online banking sites, these digital certificates are exchanged in the background to enable secure communications to take place.

Web browsers are continually updated with a list of root authorities so that they automatically trust certificates issued by those authorities. Secure communications will not be enabled unless a website presents a valid certificate that has not expired, matches the site using it and is issued by a trusted authority.

However, a hacker with a fraudulently issued certificate that appears valid can set up a proxy server between a web user and a secure site, pretend to be that site, and therefore read all the content before passing it on to the real site.
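The three checks just described, modelled in pure Python as an added example (not code from the article or from any browser): it assumes a single-level chain with no real signature verification, and its dates and serials are constructed, so it only illustrates why a certificate mis-issued under a trusted root passes every check until the certificate is revoked or the root is distrusted.

```python
# Added example, not from the article: a pure-Python model of the three browser
# checks (not expired, name matches the site, issued by a trusted root).
# Assumed simplifications: no real signatures are verified and the chain is a
# single level (the leaf is signed directly by a root).
from dataclasses import dataclass
from datetime import date
from typing import Dict, Set, Tuple

@dataclass(frozen=True)
class Cert:
    subject: str      # DNS name; may be a wildcard such as *.example.com
    issuer: str       # subject of the certificate that signed this one
    not_after: date
    serial: str

def name_matches(pattern: str, host: str) -> bool:
    """Wildcard covers exactly one left-most label, as browsers require."""
    if pattern.startswith("*."):
        head, _, tail = host.partition(".")
        return bool(head) and tail.lower() == pattern[2:].lower()
    return pattern.lower() == host.lower()

def validate(host: str, leaf: Cert, roots: Dict[str, Cert],
             today: date, revoked: Set[str]) -> Tuple[bool, str]:
    """Apply the browser checks in order and report the first failure."""
    if leaf.not_after < today:
        return False, "expired"
    if not name_matches(leaf.subject, host):
        return False, f"name mismatch: certificate is for {leaf.subject}"
    if leaf.issuer not in roots:
        return False, f"issuer {leaf.issuer!r} is not a trusted root"
    if leaf.serial in revoked:
        return False, "revoked by its issuer"
    return True, "valid"

# Constructed scenario modelled on the article: a google.com certificate
# issued under the DigiNotar root. Dates and serials are made up.
DIGINOTAR_ROOT = Cert("DigiNotar Root CA", "DigiNotar Root CA", date(2020, 1, 1), "root-1")
ROGUE_GOOGLE = Cert("google.com", "DigiNotar Root CA", date(2013, 7, 10), "rogue-1")
TODAY = date(2011, 8, 1)  # between issuance (10 July) and revocation (29 August)

def demo() -> Tuple[bool, bool, bool]:
    """Accepted while DigiNotar is trusted; rejected once revoked or distrusted."""
    trusted = {DIGINOTAR_ROOT.subject: DIGINOTAR_ROOT}
    while_trusted, _ = validate("google.com", ROGUE_GOOGLE, trusted, TODAY, set())
    after_revocation, _ = validate("google.com", ROGUE_GOOGLE, trusted, TODAY, {"rogue-1"})
    after_distrust, _ = validate("google.com", ROGUE_GOOGLE, {}, TODAY, set())
    return while_trusted, after_revocation, after_distrust
```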

Secure web transactions at risk

For this reason, the breach at DigiNotar is significant because it has undermined trust in secure web transactions, according to Rik Ferguson, director of security and research at security firm Trend Micro.

"As a certificate authority (CA), DigiNotar's entire business is built on a foundation of trust, and it has a duty to ensure that the security and integrity of its systems is second-to-none," he said.

According to Ferguson, the failures are numerous. First, DigiNotar made no public statement about fraudulent certificates until 30 August, six weeks after the first breaches were detected. Also, a fraudulent certificate issued for google.com on 10 July was used in Iran until 29 August, when it was finally revoked.

Investigations have revealed many basic failures in securing processes and infrastructure, such as weak passwords, a lack of anti-malware protection, no effective separation of critical networks, and outdated or unpatched software on public-facing web servers.

What are the implications?

The industry and other CAs will now need to ask some difficult questions, said Ferguson. "When a relatively small group of organisations is trusted with assuring the identity of the rest of the web, an incident of this nature seriously undermines both public and professional confidence in the viability of the current system," he said.

Ferguson said there should be regulatory standards for an industry of this level of importance. "In the same way that organisations which handle credit cards are required to conform to payment card industry (PCI) standards, CAs should also conform to an audited minimum level of security. This would have eliminated many, hopefully all, of the failures found at DigiNotar," he said.

The incident also highlights the need for standards to be set around rapid and effective disclosure in the event of a breach. Data breach notification is mandatory in many US states, but is yet to be introduced for all organisations in Europe.

The European Commission has, however, introduced requirements for telecoms operators and internet service providers to make breaches public. The EC is currently refining guidelines on this breach notification, including how long organisations should be allowed to wait before going public, through a consultation process.

IT lawyers believe that the breach notification for telcos and the consultation process around it, which is due to close at the end of this week, are clear indications that this will soon be extended to cover all organisations in Europe.

Consensus of trust model: Convergence

Ferguson said it is likely that we will move away from the model where a single client trusts a single CA and move more towards a model that requires a consensus of trust from multiple notaries before a certificate is considered valid.

Such a model is embodied by Convergence, based on the ideas originally developed by the Perspectives Project at Carnegie Mellon University. Convergence, enabled by a Firefox browser add-on, allows web users to choose which notary they want to trust and change that at any time.

Each notary can only make security decisions for the clients that have chosen to trust it, so the security, integrity, or accuracy of a notary does not affect those who have not selected it.

Convergence is designed to be fully backward compatible with the existing deployment of certificates, and does not require website operators to change anything.

Because Convergence caches trust information locally, and has a mode to shield IP addresses from notaries when communicating with them, browsing history is kept confidential.
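The notary consensus model described above, as an added example written in pure Python (not Convergence's own code): each notary reports the certificate fingerprint it observed from its own vantage point, the client accepts a certificate only when the notaries it chose agree with what it was shown, and a positive verdict is cached locally so later visits contact no notary. Notary names, hostnames and fingerprints are constructed, and the agreement threshold is an assumed parameter.

```python
# Added example, not Convergence's code: a notary connects to a site from its
# own network vantage point and reports the fingerprint of the certificate it
# saw; the client trusts a certificate only when the notaries it chose agree
# with what the client itself was shown, instead of relying on one CA signature.
from typing import Dict, List, Optional, Tuple

# Constructed sample fingerprints, not hashes of real certificates.
GENUINE_FP = "sha256:genuine-example-fingerprint"
ROGUE_FP = "sha256:fraudulent-example-fingerprint"

class Notary:
    def __init__(self, name: str, observed: Dict[str, str]) -> None:
        self.name = name
        self.observed = observed  # hostname -> fingerprint this notary saw

    def query(self, host: str) -> Optional[str]:
        return self.observed.get(host)

class ConvergenceClient:
    def __init__(self, notaries: List[Notary], threshold: float = 1.0) -> None:
        self.notaries = notaries    # only the notaries the user chose to trust
        self.threshold = threshold  # assumed: fraction of answering notaries that must agree
        self.cache: Dict[Tuple[str, str], bool] = {}  # accepted (host, fp) pairs

    def verify(self, host: str, presented_fp: str) -> Tuple[bool, str]:
        if (host, presented_fp) in self.cache:
            return True, "accepted from local cache; no notary contacted"
        answers = [fp for fp in (n.query(host) for n in self.notaries) if fp]
        if not answers:
            return False, "no chosen notary could observe the host"
        agree = sum(1 for fp in answers if fp == presented_fp)
        if agree / len(answers) < self.threshold:
            return False, (f"only {agree}/{len(answers)} chosen notaries saw this "
                           "certificate; possible interception or mis-issuance")
        self.cache[(host, presented_fp)] = True
        return True, f"{agree}/{len(answers)} chosen notaries saw the same certificate"

# Constructed scenario: two independent notaries observe the genuine certificate;
# a client on an intercepted network is presented with a different one.
NOTARY_A = Notary("notary-a", {"www.example.com": GENUINE_FP})
NOTARY_B = Notary("notary-b", {"www.example.com": GENUINE_FP})

def demo() -> Tuple[bool, bool, bool]:
    client = ConvergenceClient([NOTARY_A, NOTARY_B])
    genuine_ok, _ = client.verify("www.example.com", GENUINE_FP)
    intercepted_ok, _ = client.verify("www.example.com", ROGUE_FP)
    cached_ok, why = client.verify("www.example.com", GENUINE_FP)
    return genuine_ok, intercepted_ok, cached_ok and why.startswith("accepted from local cache")
```

A notary the user never selected has no say: a client that chose only a notary reporting the rogue fingerprint would accept it, which is exactly the point made above about each notary affecting only the clients that trust it.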

The aim of Convergence is to provide independence from CAs, and in the light of the DigiNotar hacking and subsequent creation of fraudulent certificates, it is worth considering.
