[conspire] DigiNotar Damage Disclosure

Edward Cherlin echerlin at gmail.com
Sun Sep 4 21:44:39 PDT 2011


About an hour ago I was contacted by the Dutch Government with more
details about the DigiNotar Debacle. It seems that they're doing a
great job keeping on top of things and doing the job that DigiNotar
should've done in July. They sent a spreadsheet with a list of 531
entries on the currently known bad DigiNotar related certificates.

The list isn't pretty and I've decided that in the interest of
defenders everywhere without special connections, I'm going to
disclose it. The people that I have spoken with in the Dutch
Government agree with this course of action.

This disclosure will absolutely not help any attacker as it does not
contain the raw certificates; it is merely metadata about the
certificates that were issued. It includes who we should not trust in
the future going forward and it shows what is missing at the moment.
This is an incomplete list because DigiNotar's audit trail is

This is the list of CA roots that should probably never be trusted again:

DigiNotar Cyber CA
DigiNotar Extended Validation CA
DigiNotar Public CA 2025
DigiNotar Public CA - G2
Koninklijke Notariele Beroepsorganisatie CA
Stichting TTP Infos CA

The most egregious certs issued were for *.*.com and *.*.org

The article then points out that some of the supposed ID text in some
of these certs is actually crackers bragging in Farsi.

Of particular note is this certificate:
CN=*.RamzShekaneBozorg.com,SN=PK000229200006593,OU=Sare Toro Ham
Mishkanam,L=Tehran,O=Hameye Ramzaro Mishkanam,C=IR

The text here appears to be be an entry like any other but it is
infact a calling card from a Farsi speaker. RamzShekaneBozorg.com is
not a valid domain as of this writing.

Thanks to an anonymous Farsi speaker, I now understand that the above
certificate is actually a comment to anyone who bothers to read
between the lines:
"RamzShekaneBozorg" is "great cracker"
"Hameyeh Ramzaro Mishkanam" translates to "I will crack all encryption"

Many other such IDs are listed in the notes. Then:

On September 4th, 2011 Anonymous said:

In country like IRAN the gov controls DNS, so without DNSSEC they
decide what's the IP for google.com. Even with DNSSEC or knowing the
IP is the ISP that decides what to deliver to you. That's it, without
ssl and good CA the bad governments can control all the Internet. See
also WiFi cracking and MITM attacks, btw

Edward Mokurai (默雷/धर्ममेघशब्दगर्ज/دھرممیگھشبدگر ج) Cherlin
Silent Thunder is my name, and Children are my nation.
The Cosmos is my dwelling place, the Truth my destination.

More information about the conspire mailing list