Google, Microsoft block DigiNotar for fake SSL cert, company halts all certification sales
Users of some of Google's SSL-encrypted services in Iran were the subject of man-in-the-middle attacks earlier this week, the search giant reported. The attacker was using fake SSL certificates issued by the certification authority DigiNotar, which does not officially certify Google sites. Google and Microsoft promptly blocked DigiNotar's certificates, and today DigiNotar suspended its sale of SSL and EVSSL certificates.
"We plan to disable the DigiNotar certificate authority in Chrome while investigations continue. Mozilla also moved quickly to protect its users," Heather Adkins, Google's Information Security Manager, said yesterday. "This means that Chrome and Firefox users will receive alerts if they try to visit websites that use DigiNotar certificates."
Microsoft followed suit and issued a security warning about the issue.
"Microsoft has been able to confirm that one digital certificate affects all subdomains of google.com and may be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users including users of Internet Explorer," Microsoft's security alert says. "Microsoft is continuing to investigate how many more certificates have been fraudulently issued. As a precautionary measure, Microsoft has removed the DigiNotar root certificate from the Microsoft Certificate Trust List."
This means that all versions of Windows Vista, Windows 7 and Windows Server 2008, as well as Firefox and Chrome, will now display an invalid-certificate alert whenever a DigiNotar root certificate appears in a site's certificate chain.
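The mechanism behind those alerts is simply the removal of a root certificate from the trust list: a certificate chain that was accepted yesterday fails validation today because its anchor is no longer trusted. The following script, added here as an illustration and not taken from the article or from any of the vendors it quotes, reproduces that effect with throwaway certificates. It assumes the openssl command-line tool is installed; the CA names and the hostname (www.example.test) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article): build a throwaway root CA and a leaf
# certificate, then show that the leaf validates only while its root is in the
# trust store. Requires the openssl CLI; all files live in a temporary directory.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. A self-signed root CA standing in for any public CA (constructed, throwaway).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Example Demo Root CA" \
  -keyout root.key -out root.pem 2>/dev/null

# 2. A second, unrelated root CA that will remain trusted (constructed, throwaway).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Example Other Root CA" \
  -keyout other.key -out other.pem 2>/dev/null

# 3. A leaf certificate for a hostname, signed by the first root.
openssl req -newkey rsa:2048 -nodes \
  -subj "/CN=www.example.test" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1 -out leaf.pem 2>/dev/null

# verify_chain TRUSTSTORE LEAF: validate LEAF against only the anchors in
# TRUSTSTORE (system defaults are disabled) and print "trusted" or "untrusted".
verify_chain() {
  if openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# Trust store before the incident: both roots are anchors, so the leaf validates.
cat root.pem other.pem > trusted.pem

# Trust store after the vendor response: the issuing root has been removed, so
# the same leaf now fails with "unable to get local issuer certificate", which
# is what the browser surfaces to the user as an invalid-certificate alert.
cp other.pem distrusted.pem

echo "with root in trust store:      $(verify_chain trusted.pem leaf.pem)"
echo "with root removed from store:  $(verify_chain distrusted.pem leaf.pem)"
```

Nothing about the leaf certificate changes between the two checks; only the set of trust anchors does. That is why a distrust decision made by browser and operating-system vendors takes effect for every site under the affected root at once, without the site operator doing anything.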
The certification company has temporarily suspended its business to correct the problem.
"The company will take every possible precaution to secure its SSL and EVSSL certificate offering, including temporarily suspending the sale of its SSL and EVSSL certificate offerings," an announcement from DigiNotar said on Tuesday. "The company will only restart its SSL and EVSSL certificate activities after thorough additional security audits by third party organizations."
DigiNotar wanted to be especially clear that "the vast majority of its business, including the Dutch government business (PKIOverheid) was completely unaffected by the attack."
The Dutch organization today said: "Major browsers like Internet Explorer and Firefox have immediately taken steps to distrust certificates by DigiNotar Root CA. The certificates that DigiNotar has issued to the State of the Netherlands under the Root CA will still be recognized."