Keeping Secrets Leads to Betrayal of Trust
Paul Henry - September 6th, 2011
Microsoft, Google and Mozilla have all now blocked SSL certificates from DigiNotar with complete revocation of trust – simply put, all certificates issued by DigiNotar are no longer accepted as trusted by the Internet’s primary browser vendors. It’s important to note that the certificate revocation from Microsoft includes Windows 7, Windows Vista and now Windows XP. Microsoft released updates to protect Vista and later operating systems on August 29th and released updates today for Windows XP users. Microsoft is encouraging users to update sooner rather than later to mitigate the associated risk.
Why such a strong response?
Apparently vendors feel blindsided by the lack of communication from DigiNotar after learning that up to 6 weeks ago DigiNotar revoked a number of fraudulent certificates – without notifying browser vendors. It is difficult to place trust in a company’s certificates when the company itself perhaps lacks trust.
It is more a matter of how they handled the issue at DigiNotar. When your business is supposed to be entrusted to keep Internet communications secret, it’s not a good idea to keep it a secret when you yourself are having issues. In the earlier mis-issued certificate incident at Comodo, the CA worked with browser vendors to contain the issue by blocking a known set of mis-issued certificates and immediately reported the issue to browser vendors.
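The two containment strategies contrasted above, as an added model that is not code from the original post: a chain check that applies either a blocklist of known mis-issued serials (the Comodo response) or distrust of an entire CA (the DigiNotar response). The certificate records, CA names, hostnames and serials are all constructed for illustration; no real X.509 parsing is done.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate: just the fields the policy needs."""
    subject: str
    issuer: str
    serial: int

# Constructed sample hierarchy (not real DigiNotar certificates).
ROOT = Cert("DigiNotar Root CA", "DigiNotar Root CA", 1)
INTER = Cert("DigiNotar Public CA", "DigiNotar Root CA", 2)
KNOWN_BAD = Cert("mail.example.org", "DigiNotar Public CA", 1001)    # mis-issued and reported
UNKNOWN_BAD = Cert("login.example.net", "DigiNotar Public CA", 1002)  # mis-issued, never reported
GOOD_ROOT = Cert("Example Root CA", "Example Root CA", 1)
GOOD_LEAF = Cert("www.example.com", "Example Root CA", 5)

POOL = [ROOT, INTER, GOOD_ROOT]                      # CA certificates available for chain building
ANCHORS = {"DigiNotar Root CA", "Example Root CA"}   # root store before any action was taken

def find_issuer(cert, pool):
    """Return the CA certificate in pool whose subject matches cert.issuer, or None."""
    return next((c for c in pool if c.subject == cert.issuer), None)

def validate(leaf, pool, anchors, serial_blocklist=frozenset(), distrusted_cas=frozenset()):
    """Walk from leaf to a trust anchor, applying both policies at every hop.
    Returns (ok, reason)."""
    cert, seen = leaf, set()
    while True:
        if (cert.issuer, cert.serial) in serial_blocklist:
            return False, f"blocklisted serial {cert.serial} issued by {cert.issuer}"
        if cert.issuer in distrusted_cas or cert.subject in distrusted_cas:
            return False, f"chain passes through distrusted CA {cert.issuer}"
        if cert.subject == cert.issuer:  # self-signed: must be a configured root
            return (True, "anchored") if cert.subject in anchors else (False, "unknown root")
        if cert in seen:
            return False, "issuer loop"
        seen.add(cert)
        cert = find_issuer(cert, pool)
        if cert is None:
            return False, "incomplete chain"

def comodo_style(leaf):
    """Block only the mis-issued certificates the CA reported."""
    return validate(leaf, POOL, ANCHORS, serial_blocklist={("DigiNotar Public CA", 1001)})

def full_distrust(leaf):
    """Distrust the CA's root; everything beneath it fails, reported or not."""
    return validate(leaf, POOL, ANCHORS, distrusted_cas={"DigiNotar Root CA"})
```

The blocklist approach only works when the CA has disclosed every mis-issued serial; an unreported one (UNKNOWN_BAD) still validates, which is the gap that full distrust closes.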
What about Apple?
Déjà vu – Remembering the Comodo issue, Apple was nearly a month behind other browser vendors in providing a patch to address the issue for their customers. Apple has remained relatively quiet on the DigiNotar issue too, and no patch has been released yet to deal with the issue. Further, deleting the certificates manually is difficult and in some cases has been found to be ineffective. For now Apple users will have to manually revoke trust on the DigiNotar certificates as detailed in numerous blog posts. However, that in itself may not be enough. In my personal experience, Safari will continue to accept an untrusted DigiNotar certificate without warning.
To be afforded any protection when using Safari, users have to actually remove the certificate from the Apple keychain. Revoking the certificates within the Apple Keychain can also be ineffective in some cases.
What will happen in the short term?
Websites will be scrambling to replace certificates while users will have to get used to seeing browser alerts for untrusted certificates until they are replaced. It is important to remember that a large number of “bad” certificates are now being used on the Internet and in the wrong hands they can be used to capture otherwise confidential communications – do not simply hit “Continue to this website” or “Proceed Anyway”. Doing so could mean exposing your sensitive communications.
Apple-related links on the issue