The SSL Certificate Authority (CA) DigiNotar confirmed an intrusion in its infrastructure, which resulted in the fraudulent issuance of public key certificates for “a number of domains,” including Google.com.
DigiNotar, whose certificate has been revoked in browsers from Google, Mozilla and Microsoft, said that it detected the breach on July 19, 2011 and deleted the affected certificates. An external security audit verified that all fake certificates were revoked. However, the Google certificate was not deleted:
“Recently, it was discovered that at least one fraudulent certificate had not been revoked at the time. After being notified by Dutch government organization Govcert, DigiNotar took immediate action and revoked the fraudulent certificate.” DigiNotar said that the attack was “targeted solely at DigiNotar’s Certificate Authority infrastructure for issuing SSL and EVSSL certificates. No other certificate types were issued or compromised.”
Vasco, the parent company of DigiNotar, told its investors that it does not expect a huge impact resulting from the security breach, as DigiNotar’s SSL business brings in less than $100,000 per year. The note is possibly a response to Google, Mozilla and Microsoft removing DigiNotar as a trusted CA in their products and to a new discussion of how safe CAs can be. We can’t help but think that the timing of DigiNotar’s press release is strange, and we wonder why it did not provide that information when it discovered the breach back in July.
Kurt Bakke in Products on August 30