[conspire] DigiNotar Damage Disclosure

Rick Moen rick at linuxmafia.com
Tue Sep 6 17:18:28 PDT 2011 

Quoting Edward Cherlin (echerlin at gmail.com):

> https://blog.torproject.org/blog/diginotar-damage-disclosure
> 
> About an hour ago I was contacted by the Dutch Government with more
> details about the DigiNotar Debacle. It seems that they're doing a
> great job keeping on top of things and doing the job that DigiNotar
> should've done in July. They sent a spreadsheet with a list of 531
> entries on the currently known bad DigiNotar related certificates.
[...]

Going into the weekend, I'd read some technical commentary on
behind-the-scenes skullduggery.  Unfortunately, I couldn't clearly
remember where:  It might have been on the Debian bug, or some of the
Mozilla discussion.  Anyway, I remember reading a very interesting
analysis that said that DigiNotar had _immediately_, when the scandal
broke, started moving hundreds of its cert attestations over to a
different, related certificate authority (Staat der Nerderlanden) that
they were operating for the benefit of the Dutch government.  They were
able to do this sleight of hand because of an early request from the
Dutch government that the CA chain covering its certs not be pulled from
browsers -- thus giving DigiNotar a place to stash their signatures and
sidestep the Net's vote of no confidence in their operations.


The other shoe has now dropped on _that_ matter:  The Dutch goverment
did an audit on the signings DigiNotar had done of its SSL certs, and
have now _rescinded_ their initial assessment that their certs were OK,
having been handled independently of DigiNotar's other processes.  The
government of Netherlands now says, paraphrased, 'You know, sorry.  We
were wrong.  They're bozos, and they exposed _our_ certs to compromise,
too.  Go ahead and remove trust of the rest of their signatures, too.'

There are a _lot_ of fraudulent certs, it turns out.

Anyway:
https://blog.mozilla.com/security/2011/09/02/diginotar-removal-follow-up/


> On September 4th, 2011 Anonymous said:
> 
> In country like IRAN the gov controls DNS, so without DNSSEC they
> decide what's the IP for google.com. Even with DNSSEC or knowing the
> IP is the ISP that decides what to deliver to you. That's it, without
> ssl and good CA the bad governments can control all the Internet. See
> also WiFi cracking and MITM attacks, btw

Anonymous is not alone in pushing the extremely bad idea of merging SSL
cert validation into  DNSSEC.  But we've already covered that.

More information about the conspire mailing list