Thursday, September 08, 2011

Trust, Security and Capitalism

DigiNotar is a Dutch certificate authority. By default, its root certificates are trusted by most common web browsers. After the recent disclosure of the DigiNotar hack, should we question the link between the PKI chain-of-trust and capitalism?

Who are the real victims of this blunder? We! The consumers! The end-users! The ignorant user, installing a publicly and commonly known web browser. The user does not know, understand or comprehend what SSL or PKI is, means or does in the background. There is an implicit trust from the end-user in the browser and its use of the underlying PKI and chain-of-trust. The security of the chain-of-trust relies on certificate authorities issuing valid certificates in a proper manner. A security breach at a single CA undermines the entire chain-of-trust, as we have seen in the DigiNotar hack.

The malware found on the infected servers would have been detected by common anti-virus software. The servers were outdated and unpatched, with no anti-virus and no secure central logging. It seems DigiNotar forgot to secure itself.

The incident became publicly known on August 29th, when rumors began spreading of Iranian ISPs using fraudulently issued Google certificates to monitor Iranian Internet users. In the aftermath of this incident, it has become known that DigiNotar detected a batch of 128 rogue certificates on July 19th and revoked them. On July 20th and July 27th, an additional 129 and 75 rogue certificates were discovered. The final conclusion is that they do not know how many certificates were issued. On September 1st the DigiNotar certificates were set to 'revoked' in OCSP.

When the incident was discovered on July 19th, why did 6 weeks pass before the general public was informed? The general public: the end-users and entities that have placed their trust in DigiNotar as a CA.

The incident doesn't seem to have helped the VASCO Data Security International, Inc. stock. As many of the actors in the global PKI and chain-of-trust are private and commercial companies, can we question the Trust when these companies are driven by capitalism?
