Aug 30, 2011 14:49 GMT

DigiNotar, the Dutch Certificate Authority that issued a rogue Google certificate, has confirmed that it suffered a security breach back in July and that it commissioned a security audit as a result.

From a statement on the incident issued by DigiNotar's parent company, VASCO Data Security International, it seems the Dutch CA knew that hackers had issued rogue certificates, but failed to revoke all of them.

"On July 19th 2011, DigiNotar detected an intrusion into its Certificate Authority (CA) infrastructure, which resulted in the fraudulent issuance of public key certificate requests for a number of domains, including Google.com.

"At that time, an external security audit concluded that all fraudulently issued certificates were revoked. Recently, it was discovered that at least one fraudulent certificate had not been revoked at the time," VASCO said.

This does explain how the rogue *.google.com certificate ended up in the wild, but it raises even more questions, such as who performed the poor audit and why this certificate was missed.

Furthermore, why didn't the company come clean as soon as it happened, like Comodo did when it discovered someone issued rogue certificates in its name? And why were there still signs of a defacement on the company's website earlier today?

VASCO notes that sales of SSL and EV SSL certificates will be suspended until DigiNotar's infrastructure has undergone multiple security audits performed by third-party organizations.

However, the organization has more immediate problems to deal with, like the fact that Microsoft, Google and Mozilla have removed or will remove DigiNotar as a trusted root CA from their products.

This means that no certificate issued by DigiNotar, including the one for the Dutch government's DigiD identity system, will be recognized as valid in the world's top three browsers. Many Dutch companies that hold certificates from DigiNotar will face similar issues.
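The two mechanisms at the centre of this story, a CA's own revocation list missing one rogue certificate and the browser vendors' fallback of removing the root from the trust store, can be modelled in a few lines. The example below is added here and is not code from DigiNotar, VASCO or any browser; it uses the `cryptography` package and constructs a hypothetical root CA ("Example Root CA"), two rogue leaf certificates and a CRL, none of which correspond to real DigiNotar data. It shows that a rogue certificate left off the CRL keeps validating for as long as the root is trusted, and that pulling the root is what finally stops it (and every legitimate certificate from that CA along with it).

```python
"""Toy model of browser-side certificate checking: a trust store of roots
plus a CA-published CRL.  Everything here (CA name, host names, keys) is
constructed for the example and is not DigiNotar's real data."""
import datetime as dt

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_root(cn):
    """Self-signed root CA (hypothetical issuer constructed for this example)."""
    key = ec.generate_private_key(ec.SECP256R1())
    start = dt.datetime(2011, 1, 1)
    cert = (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(_name(cn))
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(start).not_valid_after(start + dt.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_leaf(root_key, root_cert, cn):
    """End-entity certificate signed by the root's key: this is exactly what
    anyone who controls the CA's signing infrastructure can mint."""
    key = ec.generate_private_key(ec.SECP256R1())
    start = dt.datetime(2011, 7, 10)
    return (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(root_cert.subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(start).not_valid_after(start + dt.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .sign(root_key, hashes.SHA256()))


def build_crl(root_key, root_cert, revoked_serials, when):
    """CRL signed by the CA listing the serial numbers it has revoked."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(root_cert.subject)
               .last_update(when).next_update(when + dt.timedelta(days=1)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(when).build())
    return builder.sign(root_key, hashes.SHA256())


def validate(leaf, trust_store, crl=None):
    """Return 'untrusted', 'revoked' or 'ok'.  A real verifier also checks
    validity dates, host name and extensions; those are omitted here so the
    two effects under discussion (CRL contents, root removal) stand out."""
    root = next((r for r in trust_store if r.subject == leaf.issuer), None)
    if root is None:                       # issuer no longer in the trust store
        return "untrusted"
    try:
        root.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                 ec.ECDSA(leaf.signature_hash_algorithm))
    except InvalidSignature:
        return "untrusted"
    if crl is not None:
        if not crl.is_signature_valid(root.public_key()):
            return "untrusted"             # unverifiable CRL: fail closed
        if crl.get_revoked_certificate_by_serial_number(leaf.serial_number) is not None:
            return "revoked"
    return "ok"


def scenario():
    """Two rogue certificates; the audit catches one and misses the other."""
    root_key, root = make_root("Example Root CA")
    found = issue_leaf(root_key, root, "login.example.test")    # revoked by the CA
    missed = issue_leaf(root_key, root, "*.example.test")       # never put on the CRL
    crl = build_crl(root_key, root, [found.serial_number], dt.datetime(2011, 7, 20))
    return {
        "found_with_crl": validate(found, [root], crl),        # 'revoked'
        "missed_with_crl": validate(missed, [root], crl),      # 'ok': still accepted
        "missed_root_removed": validate(missed, [], crl),      # 'untrusted'
    }


if __name__ == "__main__":
    for case, result in scenario().items():
        print(f"{case:22s} -> {result}")
```

The third result is the one that matters for the Dutch government and companies mentioned above: an empty trust store rejects the rogue certificate, but `validate` would return `"untrusted"` for a perfectly legitimate DigiNotar-issued certificate too, which is why removing a root is the remedy of last resort rather than a routine fix.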