Keynectis - Internet security fraud: Understand the recent events regarding the DigiNotar / Vasco SSL certificates

September 2011 by KEYNECTIS

For the second time this year a Certification Authority is under the spotlight after an attack that produced fraudulent SSL certificates, allowing websites to be falsely authenticated as valid. This once again stresses the importance of the human, procedural and technical means required to ensure that such events cannot occur and, should an attack nevertheless happen despite all efforts, that the community knows how to react quickly.

Certification Authorities and SSL certificates: A Certification Authority is recognized as trustworthy by browsers such as Internet Explorer, Mozilla Firefox, Apple Safari or Google Chrome after contracting with their vendors. In return, the Certification Authority must follow defined procedures and put in place the necessary human and technical resources. A Certification Authority that is recognized as trusted, such as KEYNECTIS, has its "root" certificate inserted into the browsers. The Certification Authority can then issue SSL certificates to organizations such as "My Favorite Bank", for example. These SSL certificates are attached to the "root" certificate. Because the browser trusts the Certification Authority, it also trusts the SSL certificate that this authority issued and that is installed on My Favorite Bank's web server. By this transitivity of trust, the web browser trusts the website "My Favorite Bank" at www.myfavoritebank.com. An SSL certificate can therefore authenticate a website. Note also that the exchange of information between the browser and the web server is encrypted.

The attack:

Hackers succeeded in:
 creating fraudulent certificates under the DigiNotar root, which is recognized by browsers,
 duplicating a valid website on their own server,
 redirecting users to their own server instead of the valid website's server,

all while displaying a valid SSL certificate.

This was only possible because the Certification Authority had a serious flaw in its processes. The browser vendors have since removed the DigiNotar root from their lists of trusted root certificates. End users must still update their browsers for this removal to take effect.
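The chain of trust described above, and the effect of a browser vendor removing a root from its trusted list, as an added Go example that is not part of the original article: it constructs a throwaway root CA (the name "Demo Root CA" is hypothetical) and a leaf certificate for www.myfavoritebank.com signed by it, then runs the browser-side check against a trust store that contains the root and against one from which it has been removed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // demo code: panic on any failure while building certificates
	if err != nil {
		panic(err)
	}
	return v
}

// buildChain constructs a throwaway root CA ("Demo Root CA", a hypothetical name) and a leaf
// for www.myfavoritebank.com signed by it: constructed demo data, not any real CA's certificates.
func buildChain() (root, leaf *x509.Certificate) {
	rootKey, leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: nb, NotAfter: na, IsCA: true,
		Subject: pkix.Name{CommonName: "Demo Root CA"}, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	// A root is self-signed: the template is its own parent and its own key signs it.
	root = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey))))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: nb, NotAfter: na,
		Subject: pkix.Name{CommonName: "www.myfavoritebank.com"}, DNSNames: []string{"www.myfavoritebank.com"},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	// The leaf is signed with the root's key: that signature is the link the browser follows back to the root.
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey))))
	return root, leaf
}

// trusted is the browser-side check: leaf is accepted for name only if it chains to a root in store.
// Pass an empty pool (never nil, which selects the system roots) to model a root the vendor has removed.
func trusted(leaf *x509.Certificate, name string, store *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: store, DNSName: name})
	return err == nil
}

func main() {
	root, leaf := buildChain()
	withRoot, removed := x509.NewCertPool(), x509.NewCertPool() // trust store before and after the vendor's update
	withRoot.AddCert(root)
	fmt.Println(trusted(leaf, "www.myfavoritebank.com", withRoot), trusted(leaf, "www.myfavoritebank.com", removed)) // true false
}
```

The same check also rejects the leaf for a host name it was not issued to, which is why a copied site needs a certificate bearing the victim's name and not merely any certificate from a trusted root.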

Implications: The community of Certification Authorities and Internet browser vendors, now gathered in the CAB Forum (www.cabforum.org, which publishes recommendations on the procedures and means to implement), will probably become more important in the future. Audits will become more binding. Extended Validation SSL certificates will gradually emerge as the standard preferred by Internet users. It is likely that this incident will be fatal to DigiNotar and that all Certification Authorities will strengthen their procedures and tools. To learn more about the different types of SSL certificates, we recommend reading the guide "Tips for safe purchasing on the web".
