Data Security

CA Hacked – Attackers Enabled Themselves to Impersonate Google.com

Published: Aug. 31, 2011

Updated: Oct. 05, 2020

A Dutch certificate authority (CA) named DigiNotar has been hacked, and the attackers issued themselves at least one rogue certificate for *.google.com. As a result, the attackers can impersonate google.com on the web and thereby seamlessly eavesdrop on communications that otherwise appear encrypted and secure. At least two parties have been alleged to be behind the attack: first, a group known as Black.Spook, and second, the Iranian government.

So how would one conduct a rogue certificate attack? A CA processes and vets a certificate request and, if the request appears legitimate, issues a digital certificate that ostensibly confirms the certificate holder's identity to anyone who trusts that CA. If a masquerader can convince the CA that it is the legitimate owner of a name, or simply breaks into the CA's signing systems as happened here, the CA issues a rogue certificate for that name. The critical point is that browsers treat every root in their trust store equally: a certificate for *.google.com signed by DigiNotar is, to a client, indistinguishable from one issued by the CA Google actually uses, and because it is a wildcard it covers mail.google.com, docs.google.com and every other direct subdomain. Your next question might be: OK, so why would anyone want a rogue certificate? Holding one lets you impersonate the entity named in it. Computers connecting to the rogue certificate holder's systems will appear to be connecting to the legitimate domain, and the user's browser will show a trusted, encrypted connection to the desired entity with no warning. A certificate alone is not enough, though. To use a rogue *.google.com certificate an attacker must also be in a position to reroute traffic intended for google.com through its own servers, for example by controlling DNS resolution or the network path. That generally means a rogue ISP or a government. With such a certificate, a government could, among other things, transparently monitor the otherwise encrypted activities of its citizens.
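To make that trust logic concrete, here is an added shell example that is not from the original article and involves no DigiNotar, Google or real CA material. It builds a hypothetical rogue CA with OpenSSL, issues itself a *.google.com certificate, and then checks that certificate the way a TLS client would: once against a trust store containing the rogue root, and once against a store that does not. The CA names, key and file names, and the hostnames tested are all constructed for the demonstration.

```sh
#!/bin/sh
# Added example: a certificate from any trusted root is as good as the real one.
# Everything below is constructed for the demo; no real CA or key is involved.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# 1. A hypothetical rogue CA. Any root a client trusts can sign any name.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -keyout rogue-ca.key -out rogue-ca.pem \
  -subj "/CN=Hypothetical Rogue CA" >/dev/null 2>&1

# 2. A hypothetical legitimate CA, standing in for the roots that remain
#    in a client's store after the rogue root has been removed.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -keyout good-ca.key -out good-ca.pem \
  -subj "/CN=Hypothetical Legitimate CA" >/dev/null 2>&1

# 3. The attacker's request for *.google.com, signed by the rogue CA.
#    The SAN carries the wildcard plus the bare apex name.
openssl req -newkey rsa:2048 -nodes -sha256 \
  -keyout rogue.key -out rogue.csr -subj "/CN=*.google.com" >/dev/null 2>&1
printf 'subjectAltName=DNS:*.google.com,DNS:google.com\n' > san.ext
openssl x509 -req -sha256 -days 30 -in rogue.csr \
  -CA rogue-ca.pem -CAkey rogue-ca.key -CAcreateserial \
  -extfile san.ext -out rogue.pem >/dev/null 2>&1

# verify_with BUNDLE HOSTNAME: the check a TLS client performs on rogue.pem.
# Returns 0 only when BUNDLE contains a root that signed it AND HOSTNAME
# matches a name in the certificate.
verify_with() {
  openssl verify -CAfile "$1" -verify_hostname "$2" rogue.pem >/dev/null 2>&1
}

# A client that still trusts the rogue root accepts the impersonation...
verify_with rogue-ca.pem mail.google.com && echo "rogue root trusted: mail.google.com accepted"
# ...while a client whose store lacks that root rejects the same certificate.
verify_with good-ca.pem mail.google.com || echo "rogue root not trusted: rejected"
```

Two things worth noticing when you run it: the rogue certificate validates for any direct subdomain (mail.google.com, accounts.google.com) but a wildcard matches exactly one label, so www.mail.google.com is rejected even by a client that trusts the rogue CA; and the only change between the accepting and rejecting client is the contents of the trust store, which is why removing a compromised root is the decisive fix rather than relying on the client to notice anything odd about the certificate itself.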

In an announcement dated August 30, 2011 on the website of VASCO, DigiNotar's parent company, VASCO stated that the breach dated back to July 19, 2011 and that it "resulted in the fraudulent issuance of public key certificate requests for a number of domains, including Google.com." Stating that it "acted in accordance with all relevant rules and procedures," the announcement goes on to explain that all rogue certificates were revoked. Revocation, however, only protects clients that actually check revocation status and fail closed when they cannot; browsers of the time generally did not, which is why the browser vendors also removed DigiNotar's root from their trust stores.

This incident, combined with other recent attacks on companies that provide authentication technologies or services, indicates the growing importance of authentication in our networked infrastructure. As more systems come to depend on such mechanisms, attacks on them will increase as well, whether through social engineering or technical means. Although the specific details of the DigiNotar incident have not yet been released, anyone working with certificate- or credential-based technologies should be particularly aware of the possibility of these kinds of attacks and of how to limit their impact: a trust store is only as strong as its weakest member, and a plan for removing a compromised root is part of running one.