DigiNotar goes bust
Digital certificate authorities everywhere be warned: Hackers can destroy you. Today parent company VASCO Data Security announced that DigiNotar has been declared bankrupt. The action comes after weeks of controversy, following an intrusion that allowed a hacker to distribute more than 500 rogue digital certificates. Browser makers like Google and Microsoft responded by blocking DigiNotar certificates, thus cutting off the company's lifeline. The question now: Who's next?
DigiNotar's problems started in late August, when the first rogue certificates appeared. After Google and Microsoft suspended DigiNotar -- that is, marked it "untrusted" in their browsers -- the CA suspended issuing certificates. Two weeks ago, a hacker using the handle COMODOHACKER took responsibility for the security breach, claiming to have distributed 531 rogue certificates and to have breached five other certificate authorities. Now that he (or she) has essentially destroyed DigiNotar, will COMODOHACKER move on to the others? Or perhaps other CAs have tightened security since the DigiNotar breach.
Mozilla demanded they do. The open-source browser maker issued an ultimatum to all CAs: they must provide certain assurances and make changes to restore the organization's trust in them and in the certificates they issue. Mozilla set a September 16 deadline and may now block non-compliant CAs. The aggressive posture is meant to restore trust, and for good reason. Once afraid, people aren't quick to trust again. Digital certificates are all about establishing and maintaining trust -- that websites are safe, secure and who they say they are.
DigiNotar's problem was broken trust and the difficulty of re-establishing it. Google, Microsoft, Mozilla and other browser makers have to be concerned about their own reputations -- who will trust them -- even more than about DigiNotar's ability to secure its site from future intrusion.
The bankruptcy filing is also about protecting VASCO's trust, as CEO T. Kendall Hunt alludes in a statement: "Although we are saddened by this action and the circumstances that necessitated it, we would like to remind our customers and investors that the incident at DigiNotar has no impact on VASCO's core authentication technology. The technological infrastructures of VASCO and DigiNotar remain completely separated, meaning that there is no risk for infection of VASCO’s strong authentication business".
Guilt by association is the risk facing VASCO, something the company has clearly decided to avoid. Hunt says that the bankruptcy filing will bring DigiNotar to an "appropriate conclusion" and that VASCO would "cooperate with the Dutch government in its investigation of the person or persons responsible for the attack on DigiNotar".
VASCO executives can't seem to say enough about how separate their business and technology are from DigiNotar's. In a separate statement, VASCO President Jan Valcke says the bankruptcy "does not involve VASCO’s core two-factor authentication business". However, "we expect that we will be able to integrate the PKI/identity verification technology acquired from DigiNotar into our core authentication platform. As a result, we expect to be able to offer a stronger authentication product line in the coming year to our traditional customers". In other words, a new VASCO certificate authority will soon replace DigiNotar.
DigiNotar's bankruptcy filing was yesterday, and the subsidiary was declared bankrupt today. Not being an expert on Dutch law, I make presumptions now based on yet another statement, this one from VASCO CFO Cliff Bown. In the United States, companies sometimes use bankruptcy as a means of shielding against damages in legal claims. I presume VASCO is taking a similar approach here by ending DigiNotar operations through a bankruptcy filing. Surely someone will sue.
"We are working to quantify the damages caused by the hacker’s intrusion into DigiNotar’s system and will provide an estimate of the range of losses as soon as possible", Bown says. "While the losses associated with DigiNotar are expected to be significant, we do not expect, given the manner in which the acquisition of DigiNotar was structured, that the value of all of the intangible assets acquired will be fully impaired".
As part of the damages assessment, VASCO clearly hopes to preserve DigiNotar's core value for future products: "We expect that a significant portion of the value assigned to the intellectual property acquired from DigiNotar to continue to have value as we incorporate the technology into our existing product line", Bown said.