[conspire] DigiNotar Damage Disclosure

Edward Mokurai Cherlin mokurai at sugarlabs.org
Tue Sep 6 18:40:56 PDT 2011


On Tue, Sep 6, 2011 at 20:18, Rick Moen <rick at linuxmafia.com> wrote:
> Quoting Edward Cherlin (echerlin at gmail.com):
>
>> https://blog.torproject.org/blog/diginotar-damage-disclosure
>>
>> About an hour ago I was contacted by the Dutch Government with more
>> details about the DigiNotar Debacle. It seems that they're doing a
>> great job keeping on top of things and doing the job that DigiNotar
>> should've done in July. They sent a spreadsheet with a list of 531
>> entries on the currently known bad DigiNotar related certificates.
> [...]
>
> Going into the weekend, I'd read some technical commentary on
> behind-the-scenes skullduggery.  Unfortunately, I couldn't clearly
> remember where:  It might have been on the Debian bug, or some of the
> Mozilla discussion.  Anyway, I remember reading a very interesting
> analysis that said that DigiNotar had _immediately_, when the scandal
> broke, started moving hundreds of its cert attestations over to a
> different, related certificate authority (Staat der Nederlanden) that
> they were operating for the benefit of the Dutch government.  They were
> able to do this sleight of hand because of an early request from the
> Dutch government that the CA chain covering its certs not be pulled from
> browsers -- thus giving DigiNotar a place to stash their signatures and
> sidestep the Net's vote of no confidence in their operations.
>
>
> The other shoe has now dropped on _that_ matter:  The Dutch government
> did an audit on the signings DigiNotar had done of its SSL certs, and
> have now _rescinded_ their initial assessment that their certs were OK,
> having been handled independently of DigiNotar's other processes.  The
> government of Netherlands now says, paraphrased, 'You know, sorry.  We
> were wrong.  They're bozos, and they exposed _our_ certs to compromise,
> too.  Go ahead and remove trust of the rest of their signatures, too.'
>
> There are a _lot_ of fraudulent certs, it turns out.

I can't resist:

Oh, what a tangled Web we weave
When first we practice to deceive.

> Anyway:
> https://blog.mozilla.com/security/2011/09/02/diginotar-removal-follow-up/
>
>
>> On September 4th, 2011 Anonymous said:
>>
>> In a country like IRAN the gov controls DNS, so without DNSSEC they
>> decide what's the IP for google.com. Even with DNSSEC or knowing the
>> IP, it is the ISP that decides what to deliver to you. That's it, without
>> ssl and good CA the bad governments can control all the Internet. See
>> also WiFi cracking and MITM attacks, btw
>
> Anonymous is not alone in pushing the extremely bad idea of merging SSL
> cert validation into DNSSEC.  But we've already covered that.

Leaving aside the anonymous bozo's suggested remedy, I meant to
highlight the fact that many on the Web are vulnerable to bad actors,
particularly when it is their own government enabling or even hiring
them.

FLOSS Manuals (a name that is widely ridiculed; I didn't choose it) is
considering how to deal with this problem in its Circumvention manual,
How to Bypass Internet Censorship. This goes far beyond censorship, of
course. Anybody with useful knowledge is welcome to contribute.
Although I am one of the original authors of this book, and although I
found a math error in the original RSA paper on public-key
cryptography, I consider myself a technopeasant when it comes to
_practical_ issues of evading actors this bad in national governments.
Can Iran certify itself to Iranians as the operator of numerous Tor
Onion Routers? What does the Iranian circumventor do in this case?

PS Rick, thanks for reminding me to move my subscription.

-- 
Edward Mokurai (默雷/धर्ममेघशब्दगर्ज/دھرممیگھشبدگر ج) Cherlin
Silent Thunder is my name, and Children are my nation.
The Cosmos is my dwelling place, the Truth my destination.
http://wiki.sugarlabs.org/go/Replacing_Textbooks
