Dutch SSL fiasco generates doubts over PKI's future

Aug 31, 2011 13:47 GMT

Dutch Certificate Authority DigiNotar possibly issued hundreds of rogue SSL certificates in addition to the *.google.com one, if the changes in Google Chrome's code are any indication.

DigiNotar's parent company, VASCO Data Security International, admitted yesterday that its Dutch subsidiary suffered a security breach back in July resulting in the issuing of rogue certificates.

"On July 19th 2011, DigiNotar detected an intrusion into its Certificate Authority (CA) infrastructure, which resulted in the fraudulent issuance of public key certificate requests for a number of domains, including Google.com.

"At that time, an external security audit concluded that all fraudulently issued certificates were revoked. Recently, it was discovered that at least one fraudulent certificate had not been revoked at the time," VASCO said.

Aside from the obvious questions, such as why the rogue *.google.com cert was not discovered and revoked after the audit, or why the attackers were able to issue certificates in the first place, people were left wondering exactly how many fraudulent certificates had been generated.

The company did not release an official number and kept silent on many details, prompting Google and Mozilla to remove the DigiNotar CA cert from Chrome and Firefox.

Removing the root should by itself render every cert signed by DigiNotar untrusted, yet Chrome's hardcoded certificate blacklist also grew by 247 entries. What do these represent? "Bad DigiNotar leaf certificates for non-Google sites," according to code comments left by the developers.
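The two layers mentioned above, root removal and a hardcoded leaf blacklist, as an added Go illustration that is not part of the original article or of Chrome's code. The root CA and the wildcard leaf are constructed at startup, and using the SHA-256 of the DER encoding as the blacklist key is an assumption, since the article does not say how Chrome's list identifies a certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Constructed, hypothetical root CA and wildcard leaf (not DigiNotar's or Google's real certificates).
var caCert, leafCert = buildChain()

func buildChain() (*x509.Certificate, *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	start, end := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: start, NotAfter: end, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ := x509.ParseCertificate(caDER)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "*.example.com"},
		DNSNames: []string{"*.example.com"}, NotBefore: start, NotAfter: end,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	leaf, _ := x509.ParseCertificate(leafDER)
	return ca, leaf
}

// Fingerprint is the SHA-256 of the DER encoding, assumed here as the blacklist key.
func Fingerprint(c *x509.Certificate) [32]byte { return sha256.Sum256(c.Raw) }

// Trusted mimics the two browser checks: a leaf on the hardcoded blacklist is rejected outright;
// otherwise the leaf must chain to a root still in the trust store and be valid for the host.
func Trusted(leaf *x509.Certificate, roots *x509.CertPool, blacklist map[[32]byte]bool, host string) bool {
	if blacklist[Fingerprint(leaf)] {
		return false
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}
```

With the root present the leaf verifies; with the root removed it fails; and with the root present but the leaf fingerprint blacklisted it still fails, which is why the blacklist catches a leaf even where some other path to a trusted root might exist.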

It is hard to believe that the DigiNotar attackers issued 247 rogue certificates, because that would mean a large number of websites were targeted by whoever ordered this attack. It might, however, be true.

When a Comodo reseller was hacked back in March and its infrastructure was used to issue rogue certs for Google, Hotmail, Yahoo and other sites, Chrome's blacklist grew by just 10 certs. The high number might also explain why DigiNotar missed one.