This article has been updated as new mitigation measures have been announced.
Computer World, F-Secure, and others have reported that attackers have obtained a digital certificate from DigiNotar, a Dutch certificate provider, for the wildcard domain *.google.com. Owning a certificate of this kind allows an attacker to impersonate servers or intercept traffic between users who trust the SSL certificate for any third-level label such as "mail", "docs" or "plus". In plain terms, an attacker can potentially capture (or alter) what you send, post or publish in Gmail, Google Docs or Google+.
Microsoft quickly issued an advisory and removed the DigiNotar root certificate from the list of trusted root certificates on Windows Vista and above. On 6 September they updated Advisory 2607712 to render all DigiNotar certificates untrustworthy and to move them to the Untrusted Certificate Store. Mozilla has published removal instructions here. Google reports that Chrome was able to detect the fraudulent certificate.
Mac users must remove the root certificate from the OS X Keychain. The folks at Coriolus Systems have published an easy-to-follow set of instructions for using Keychain Access to mark the DigiNotar Root CA as not trusted for all users here.
Take a moment to mitigate this threat
On Friday 9 September, Apple issued Mac OS X Security Update 2011-005 (Article: HT4920). The Update removes DigiNotar from the list of trusted root certificates and from the list of Extended Validation (EV) certificate authorities. It also configures default system trust settings so that DigiNotar's certificates, including those issued by other authorities, are not trusted.
Some folks question whether this is a case of using a hacksaw when a scalpel might be more appropriate.
There's little choice.
Previously, I wrote that until DigiNotar discloses the list of fraudulently issued domains, the prudent alternative is to treat any certificate issued by this root certificate authority as not trusted. It now appears that over 500 SSL certificates were fraudulently issued, including intelligence agency domains and other high-profile brands (Microsoft, Android, AOL and more). The Dutch government's CERT (GovCERT.NL) has withdrawn trust in DigiNotar certificates and has issued a Fact Sheet with additional details. Lastly, Fox-IT has published an interesting interim report on the DigiNotar breach that is well worth reading.
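As an added example (not code from the original post or from any vendor's update), here is a standard-library Python check that implements the rule above on a DER-encoded certificate: read the issuer Name and flag anything whose issuer O= or CN= names DigiNotar. The DN values in sample_certificate() are constructed for the demonstration; in practice you would run is_distrusted() over every certificate in the chain a server presents, not only the leaf.

```python
DISTRUSTED = ("DigiNotar",)                    # issuer names to reject, per the advisories above
OID_ORG, OID_CN = bytes.fromhex("550a"), bytes.fromhex("5503")   # organizationName, commonName

def _tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value bytes, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                              # long form: low 7 bits = number of length bytes
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _children(value):                          # (tag, value) elements inside a constructed value
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def issuer_names(cert_der):
    """Return the O= and CN= strings from the issuer Name of a DER-encoded certificate."""
    tbs = _children(_tlv(cert_der, 0)[1])[0][1]    # Certificate -> tbsCertificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                       # skip the optional [0] EXPLICIT version
        fields = fields[1:]
    issuer = fields[2][1]                          # serialNumber, signature, issuer
    names = []
    for _, rdn in _children(issuer):               # Name = SEQUENCE OF RDN; RDN = SET OF AttributeTypeAndValue
        for _, atv in _children(rdn):
            (_, oid), (_, val) = _children(atv)
            if oid in (OID_ORG, OID_CN):
                names.append(val.decode("utf-8", "replace"))
    return names

def is_distrusted(cert_der):
    """True if any issuer O/CN contains a distrusted CA name (case-insensitive substring match)."""
    return any(bad.lower() in n.lower() for n in issuer_names(cert_der) for bad in DISTRUSTED)

def _enc(tag, body):                           # DER-encode one TLV, short- or long-form length
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def sample_certificate(issuer_org, issuer_cn):  # constructed, unsigned stand-in: only issuer fields matter
    rdn = lambda oid, s: _enc(0x31, _enc(0x30, _enc(0x06, oid) + _enc(0x0C, s.encode())))
    tbs = (_enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01")            # version v3, serial 1
           + _enc(0x30, _enc(0x06, bytes.fromhex("2a864886f70d01010b")))     # sha256WithRSAEncryption
           + _enc(0x30, rdn(OID_ORG, issuer_org) + rdn(OID_CN, issuer_cn)))  # issuer Name
    return _enc(0x30, _enc(0x30, tbs))                                       # Certificate(tbsCertificate)
```

The parser only walks as far as the issuer field, so it accepts both v1 certificates (no version element) and the long-form lengths that real DNs and whole certificates use.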