Google one of many victims in SSL certificate hack

Fraudulent SSL and EVSSL certificates were issued for several dozen other websites

A Dutch company that issues digital certificates used to authenticate websites said late Tuesday that several dozen other websites in addition to Google have been affected by a security breach.

The company, DigiNotar, issues SSL (Secure Sockets Layer) and EVSSL (Extended Validation) certificates, which are validated by Web browsers to ensure people are not visiting a fake website that is trying to appear legitimate.

DigiNotar is what's called a Certificate Authority (CA), an entity that sells digital certificates to legitimate website owners. But DigiNotar issued a digital certificate for the google.com domain, a mistake that could allow a skilled attacker to intercept someone's e-mail.

Google said Monday the fraudulent certificate was used and targeted users in Iran, although a security feature in its Chrome browser detected the certificate, tipping off users with a warning.

DigiNotar, a subsidiary of a security company called Vasco Data Security International, issued a statement on Monday saying it discovered on July 19 during an audit that its infrastructure used to issue the certificates had been breached.

In an interview late Tuesday afternoon, Jochem Binst, corporate communications director for Vasco, said that the attackers created fraudulent certificates for "several dozen" websites. Most were revoked after their discovery, he said.

But the digital certificate for google.com -- which was issued July 10 -- only went live on Sunday, Binst said. In its statement, Vasco said that it was notified by the Dutch Computer Emergency Response Team that it had not been revoked yet. It was finally revoked on Monday, Binst said.

It's not known how attackers breached DigiNotar's certificate-issuing infrastructure or how long they had access, but an audit is under way. "We are in the course of doing an extra audit and those findings will probably be known by the end of the week," Binst said.

DigiNotar is halting sales of digital certificates as it investigates, Binst said. DigiNotar primarily sells its digital certificates to businesses in the Netherlands.

Those businesses will have a hard time over the next few days. Google, Mozilla and Microsoft have revoked or are in the process of revoking DigiNotar's authority to vouch for its certificates. That means that people who go to websites using those certificates will likely see a warning saying the website is untrusted and should not be accessed.

Binst said DigiNotar is contacting its customers. One option to fix the problem is to have those websites switch over to certificates issued by the Dutch government, although he could not say which agency would issue those replacement certificates. Another option, Binst said, is to approach the browser makers to make technical changes to honor its certificates.

Binst could not say how many customers DigiNotar has for its digital certificates, but Vasco said in its statement that the subsidiary's revenue from issuing digital certificates was less than €100,000 (US$144,000) for the first six months of this year.

Send news tips and comments to jeremy_kirk@idg.com


Jeremy Kirk

IDG News Service