Aug 31, 2011 10:56 GMT

Google and Mozilla have released updates to Chrome and Firefox in order to remove the root certificate of DigiNotar, the hacked Dutch Certificate Authority (CA) that failed to revoke a rogue google.com cert.

The security industry is in uproar over a rogue *.google.com SSL certificate being found in the wild and having possibly been used by the Iranian government in country-wide man-in-the-middle attacks against Gmail users.

The certificate issuer, VASCO-owned DigiNotar, admitted suffering a security breach back in July which resulted in hackers issuing rogue certs for several high-profile domains.

Despite undergoing an internal investigation and an audit performed by an external party, the company failed to revoke the rogue Google certificate that was used in the wild for weeks.

The incident comes after an Iranian hacker broke into the network of a Comodo reseller in March and issued several rogue certs. These two events have seriously shaken people's confidence in the CA-based PKI model.

The vendors were not going to let this one go unpunished as they did in Comodo's case. Mozilla, Google and Microsoft quickly announced their plans to remove the DigiNotar root certificate from their products.

Mozilla and Google made good on those promises today with the release of Firefox 6.0.1, Firefox 3.6.21, and Chrome 13.0.782.218 respectively. In addition to removing the DigiNotar CA cert, the new Chrome version also updates the bundled Flash Player plug-in.

The Flash Player update in Chrome is usually an indication that a Flash security advisory is coming soon. Google has access to early Flash builds and usually updates the plug-in for security reasons.

While the vast majority of people hailed the decision to kill DigiNotar as a trusted CA, some people are not happy with the action because it will negatively impact many Dutch companies and government institutions that have DigiNotar-issued certs.