DigiNotar and SSL certificate security

Recently DigiNotar, a Netherlands-based certificate authority, suffered a breach that resulted in the forging of more than 200 SSL certificates, including ones for Google, Yahoo, Mozilla, WordPress and others. What is the impact of this breach?

Typically, an SSL certificate is signed by a certificate authority, and that signature is what attests that the certificate is authentic. When someone visits an HTTPS website, the browser verifies the signature on the certificate. If it was issued by a recognized certificate authority, the browser accepts it; if not, the browser warns the user that the certificate is not from a trusted authority.

In the case of DigiNotar, someone broke into their systems and used the CA's signing certificate to sign forged SSL certificates. For instance, if I created an SSL certificate claiming that I am google.com and got it signed by a trusted certificate authority, I could use it on my website, and people visiting my website would believe they were visiting google.com. This also requires a DNS change that points the google.com address at my website.

If a state actor is added to the mix, this becomes a very scary scenario. A state-controlled (or, for that matter, any) ISP can change its DNS entries to point google.com at any server that holds the forged certificate. This would allow those entities to monitor all communication (Gmail, chat, voice, etc.) that goes through google.com within the country. For people considered hostile to the state, this can mean loss of freedom, or even of life.

This is why certificate authorities need to keep their own signing certificates very secure. DigiNotar did not, and is paying the price: Google, Mozilla and Microsoft have removed DigiNotar from their lists of trusted certificate authorities. Now their browsers will no longer accept DigiNotar’s certificates automatically.

Updated September 6, 2011:
Here is the reason DigiNotar was breached.

A Dutch government review of the incident conducted by external information technology experts found that DigiNotar — whose business is ensuring digital security — had itself used weak passwords, failed to update software on its public servers and had no antivirus protection on its internal servers.

In my Aikido class, the Sensei (teacher) always talks about posture while standing, sitting or moving. The throws suddenly become a lot more effective when the posture is right. It all goes back to the basics. The more time I spend in the security industry, the more I believe that you have to get the basics right. You can get all the fancy appliances, apps and firewalls. But if you do not get the basics right, all those things are of no use.