I know this is tech stuff, but it is tech stuff affecting us all, as it connects the largest internet company in the world, my little country and axis-of-evil Iran. And you all know I love connections.
Short story, highly simplified and, for argument's sake, untruly applied only to “websites”: This week, the trusted third party “Diginotar”, which issues SSL certificates, was proven to have been hacked by Iranian hackers. They were able to issue themselves a valid *.google.com certificate, enabling (Iranian AND other, of course) governmental men-in-the-middle to eavesdrop on e.g. gmail, without anyone being able to even detect it. Diginotar also issues certificates for next to all governmental services, including social security, the tax office, the driver's licence office, municipal services, etcetera. Furthermore certificates for Tor, for the add-on site of Mozilla and God knows what else.
Long story, still not entirely correct to keep it reasonably readable. A certificate is a rather smart digital “seal” that is issued by a trusted third party (TTP) and installed in a website (again simplified; in essence it can be used for all sorts of electronic communications). The TTP issues these certificates from a sort of “mother” certificate. Browsers, on the other hand, have a clever way to prove that the certificate of the website the user visits is actually derived from the “mother”. Browsers issue a security warning to the user if a website uses a certificate that is NOT derived from a well known set of trusted mothers. Now, if a TTP runs a flawless operation, keeps the known mothers entirely safe and actually checks whether the requester of a certificate (say: me) is requesting a certificate for a host that is valid for me (say: this website [valid], google.com [most definitely NOT valid]), we have an unbreakable trust triangle. The TTP trusts the website owner, and the user (read: the browser makers) trusts whatever the TTPs of this world say they can trust. There are around 650 TTPs in this world, and a few dozen trusted “mother” certificates.
A well known trusted “mother” is “Staat der Nederlanden Root CA”, which is THE root of my country! A derived “daughter” is “DigiNotar PKIoverheid CA Overheid en Bedrijven”. This root is used by a lot of governmental websites AND commercial companies, and it has been compromised. The hackers have created various certificates, including one for *.google.com, and various others that are considered “high profile”. Browsers, until now, have trusted this false certificate. Several browser makers have started banning this certificate, and last night the equivalent of the home office secretary decided to revoke said daughter certificate. By the time you read this, all websites using Diginotar's certificates will be deemed “unsafe”. Oopsie. And the worst part is of course people believing they were using a safe, encrypted, untappable gmail account while being secretly spied upon (and you can bet this has been done).
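The trust triangle described above, and the way a browser bans a “daughter” as happened last night, as an added example that is not from the original post: it builds a constructed toy hierarchy (root “mother” → intermediate “daughter” → wildcard site certificate, with made-up names such as Toy Staat Root CA and *.example-mail.test), then checks a host name against it the way a browser does, first with the intermediate trusted and then with it explicitly distrusted.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// issue creates a minimal certificate for cn signed by parent's key; a nil parent makes a self-signed "mother".
func issue(cn string, serial int64, ca bool, dns []string, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), DNSNames: dns,
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, pkey = t, key // self-signed: the template is its own issuer
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	if err != nil {
		panic(err) // a bad template in this constructed example is a bug, not runtime input
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced; cannot fail
	return cert, key
}
// BuildChain builds the constructed hierarchy from the post: root ("mother") -> intermediate ("daughter") -> wildcard site cert.
func BuildChain() (*x509.Certificate, *x509.Certificate, *x509.Certificate) {
	root, rootKey := issue("Toy Staat Root CA", 1, true, nil, nil, nil)
	inter, interKey := issue("Toy Notary Intermediate CA", 2, true, nil, root, rootKey)
	leaf, _ := issue("*.example-mail.test", 3, false, []string{"*.example-mail.test"}, inter, interKey)
	return root, inter, leaf
}
// Verify does what a browser does: chain leaf back to a shipped root for host, then refuse any chain that passes through an explicitly distrusted certificate.
func Verify(root, inter, leaf *x509.Certificate, host string, distrusted *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)   // the trusted "mothers" the browser maker ships
	inters.AddCert(inter) // what the site hands over together with its own certificate
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	if err != nil {
		return err // wrong host name, expired, or not derived from a trusted mother
	}
	for _, cert := range chains[0] {
		if cert.Equal(distrusted) {
			return fmt.Errorf("chain passes through distrusted %q", cert.Subject.CommonName)
		}
	}
	return nil
}
```

Note that the same site certificate is accepted for mail.example-mail.test while the daughter is trusted and refused the moment the daughter is put on the distrust list, which is exactly why every site under the revoked daughter goes “unsafe” at once.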
Diginotar's damage control has been horrendous. Basically they swept things under the rug when the breach was discovered, and they didn't even file a complaint with the Justice department. That could even be regarded as willful negligence.
Update: oh my, too much, too much (see this list)
Update: Here is the published list of compromised (read: Diginotar certified) certificates. Brace:
CN=Comodo Root CA
CN=CyberTrust Root CA
CN=DigiCert Root CA
CN=Equifax Root CA
CN=GlobalSign Root CA
CN=Thawte Root CA
CN=VeriSign Root CA