DigiNotar root CA trust removal follow-up (blog.mozilla.com)
147 points by lawnchair_larry on Sept 3, 2011 | 53 comments



DigiNotar's complete collapse is intriguing. Doing a little Googling I noticed that they just got acquired 8 months ago http://www.vasco.com/company/press_room/news_archive/2011/ac... That investment is not looking very good for Vasco right now.

It would be interesting to know the backstory here. I wouldn't be surprised if something about the acquisition caused all the engineers to jump ship. Their one press release seems to be begging the Dutch government to provide staff http://www.sacbee.com/2011/09/02/3881380/vasco-offers-dutch-...


There was a live press conference on Dutch TV a few hours ago (“this broadcast is being interrupted…”) stating pretty much what’s written in this article:

An audit revealed that the government certificates may have been compromised and thus these have all been revoked. The government will take control over DigiNotar and will quickly replace all existing certificates.


It has now gotten to the point where Digid, the Dutch e-government single sign-on, is basically saying "We're not secure" http://www.digid.nl/nieuws/artikel/artikel/89/. Very honest stance, and certificates are to be replaced.

For the backstory, this conference was at 00:30, and interrupting the public channels only happens when there's big news, plane crashes, etc.


They have put out a statement[1], although it's in Dutch. Assuming Google's translation conveys the gist and tone of it, they seem more irritated that the browser vendors are removing the root certificates than anything else.

[1] http://www.diginotar.nl/Actueel/tabid/264/articleType/Articl...


This:

"Gebruikers van SSL certificaten kunnen afhankelijk van de desbetreffende browserleverancier geconfronteerd worden met een mededeling dat het certificaat niet vertrouwd wordt. Dit is in 99,9% van de gevallen onjuist, het certificaat kan wel worden vertrouwd. Dit kan handmatig door de gebruiker zelf worden aangegeven in de browser (hiervoor kunt u terecht op de FAQ op onze website)."

Translates (roughly) to this:

Depending on the browsers a user of SSL certificates may be confronted with a message stating the certificate is not trusted. In 99.9% of the cases this is not correct, the certificate can be trusted. The user can do this manually using his browser (see our FAQ).

---

Given the situation I don't think that is the right message. I think people should not be told that 99.9% of certificates can be trusted even though their computer says no.


That's terrible that they're saying that. You would expect a CA to be the last person to try to educate others to ignore those warnings. It kind of undermines their whole reason of existence.


One explanation is that they just don't understand that.

Another is that they don't give a flip about their CA business at this point because it's just a liability to them that they wish would just go away.

If they're going to have any customer left after this it's going to be gov.nl, who seems to prefer having a pwned CA to re-rooting their whole PKI setup.


That is exactly what the article comes over as. They seem to be annoyed with the fact that their roots were being pulled when they claim only a single subroot was compromised.

They are willing to give people new certificates chained to the PKIOverheid, but that comes with the rules and requirements of those certs, and looking at later news it sounds like the Dutch government has revoked their access to that and will be taking over.


Other than gov.nl, their certs are only on a few hundred web servers. They likely didn't have the revenue to support even a single full-time person.


Their certs are also baked into hardware and a large part of the Dutch e-Government. Diginotar has more than 10 employees. They do other things than merely signing certs.

Size of the company doesn't really matter either. If it matters we would have a single CA.

Apparently even my new passport is signed by the Diginotar PKI. I'm wondering when this will be big news in Holland.


A full time person dedicated to the certificate business I was trying to say.


Would Mozilla (or any browser vendor) really remove them if they had 20% of the cert market? That will be an interesting test.


There are 3 major CAs: VeriSign (47% share), GoDaddy (23%), Comodo (15%). So would they remove VeriSign or GoDaddy? I really doubt that, those CAs hold way too much of the market. I guess the question is: would those big CAs make the same mistake?

Relevant quote: "This is a nightmare scenario. You have to trust the companies selling these certificates and if we can't, then all bets are off." —Mikko Hyppönen, head of research at F-Secure


Not only will they make mistakes, they already have.


I think only Comodo has had a (known) breach (http://en.wikipedia.org/wiki/Comodo_Group#Iran_SSL_certifica...), but it's not at all the same as with Diginotar - they informed vendors quickly, and had a list of false certificates available.


Symantec, who owns Verisign, has also been breached pretty badly in the past (Aurora), which they failed to disclose. No known issues with their certs, but still.


Citation needed.


Comodo had huge issues very recently, and VeriSign's issues go back about as far as they do (providing intercept services to governments. That wasn't even an 'accident'.) Godaddy? I don't know much about what they do but I wager you wouldn't have to dig deep.

Edit: I'm not the only one saying this: http://www.youtube.com/watch?v=Z7Wl2FW2TcA Modding me down will not restore the trust.


You're getting modded down because you are not providing any specifics. "Comodo had huge issues" is not a citation; it doesn't contain enough information for people to independently evaluate your claims.

Another commenter provided an actual link (and did not get modded down).


This is common knowledge, unless you've been under a rock. It's not my job to google things for other people.

http://www.google.com/search?q=comodo+incident http://www.hnsearch.com/search#request/submissions&q=com...


If you speak on HN and have an expectation to avoid down-voting, it is your job to back up your claims. It's not practical to Google claims for every comment.


>If you speak on HN and have an expectation to avoid down-voting, it is your job to back up your claims. It's not practical to Google claims for every comment.

I'd like to see a citation for that.


It's a social convention to support your arguments when debating.


No, your job is to be specific enough about what you are claiming that people can independently evaluate your claims.

You could have said "Comodo suffered a compromise in March that led to 9 fraudulently-issued certs." To say they "had huge issues very recently" could mean lots of different things, and it's not specific enough to Google for (even after searching there's no way to know whether the search results are what you were talking about or not).


Let's be clear here: My job is what I am paid to do. Anything else I do I do out of the goodness of my heart.

Now, if we want to talk about what people should do while participating in a conversation, I would argue that '"just fucking google it" before posting a content-less "Citation needed" post' is fairly high on the list. Just google newsing "comodo" would have been sufficient, or as I demonstrated, searching hacker news for the same string. Hell, just googling "comodo issue" will get you great results, if you can't make that google search from my comment text...

This isn't obscure stuff, this is recent serious news.


I should hope they would! What good is a security measure when you know that it has been breached, you know that there are significant exploits in the wild, and you don't know the extent of the damage? Not removing them would destroy user trust in the security of the browser in general.


Hopefully the bigger CAs have better policies, and would inform vendors immediately. (I'm sure Diginotar had policies too, just that they probably weren't followed)

But if a CA was compromised and they didn't know how many certificates they had issued, surely they'd have to block the root cert, if not permanently?


If you shut down one of the big boys like VeriSign you might as well shut down the Internet as far as someone like Amazon is concerned, since VeriSign issued their SSL. The entire ecommerce world would be at Challenger-level rationalization, in essence, "How do you know it will burn through the O-rings? Since we don't have enough evidence we can't shut it down!"

I think it's much more likely that lacking any evidence of widespread active fraud, ecommerce would simply go on as usual but with more trip wires to detect fraud and perhaps delayed payments to reduce the chance that money from fraudulent transactions would make its way to the bad guys. And of course, they'd switch out all the certs ASAP. It's a chance merchants and banks would be willing to take, I suspect, and sort out damages in court afterwards.


True. We really need a plan B, to plan what to do in such a scenario, but there doesn't seem to be enough of an incentive to improve the system yet.


Amazon gets a new cert with a different provider and revokes the old one. Those people are pretty talented operationally. This should not be a difficult thing to do.


Given the catastrophic nature of being without a cert and the relative low cost of those, it's not hard to believe that they maintain a backup certificate, ready to switch in at a moment's notice.


Probably lots of sites will after this week.

IMHO it's getting a little out of hand how much concern is being given to the gov.nl private PKI system and the few hundred other certs Diginotar issued where the website admins have to swap a file or two.

The big deal is the security of the whole freaking internet resting on top of this tiny little web app and server in .nl and the unknown number of actual users in .ir getting MitMd and likely horribly persecuted.


One thing to remember is that VeriSign was originally an RSA spinoff, and helped define the role and requirements of today's certificate authorities.

Granted a lot has happened since then, including the CA unit's sale to Symantec, but I'd be very, very surprised if VeriSign/Symantec handled a breach in the totally incompetent manner DigiNotar has.

Long-term, it's becoming less of an issue anyway. The market is always spreading out, and the market share of the "big boys" will continue to shrink. More CAs means more possible breaches, of course, but it also reduces the wider cost of shutting down any single CA.

(Not that I don't agree that the CA system as currently constituted has issues, I just don't think VeriSign is the big problem.)


If a CA becomes compromised they should be removed from every browser ASAP, otherwise the system is meaningless.


Tell it to Mozilla, Google, Microsoft, Apple, and all the other members of the CAB forum. http://www.cabforum.org/

Point and laugh at them until they look up from counting their money long enough to realize that the entire value proposition of their business model is at risk.

Maybe they're ready for some change now?


"Point and laugh at [Mozilla] until they look up from counting their money long enough to realize that the entire value proposition of [Mozilla's] business model is at risk"

????


DigiNotar should never have been a top-level CA. They should have been a third-party CA underneath Verisign or somebody similar, with only a right to sign and verify certain certificates.

This is how most banks are set up.

There are far, far too many trusted top-level cert CA's now. The list was 3-4 long years ago, and was designed with third-party CA's just for this reason. Today you have a huge list and it changes every month.


You probably know something about certificates I don't, but as I understand the code that handles this stuff, your certificate either has CA=YES or CA=NO in its basicConstraints; if it's CA=YES, you're a CA full stop.

It's the combination of having that bit -- err, DER boolean -- set and chaining to browser root cert that makes you a CA.

There isn't a provision in the scheme for them to do less than be able to sign Google, which is why the CA system is so brittle and broken.

What is the bank setup that you're thinking about? I didn't think that BankOfAmerica.com could sign its own certs for CNs under BankOfAmerica.com. Our customers include large banks and they bitch about having to work with Verisign just like everyone else.


My experience is from 10 years ago, where I set this up for a startup I worked at. This was the situation: we had built a platform for trade finance. It was like eBay but for trade paper. E.g. somebody is exporting $80M worth of oil, and they need a bank to finance it. We had 500+ banks from around the world on the platform, and they would all bid for the business.

Because we were dealing with hundreds of millions of dollars worth of commitments, we needed a certificate architecture that would verify the seller, the buyer, and for each of those parties to verify the site.

I went to Verisign and asked them for the best solution, and this is what they set up:

- we had a Verisign terminal set up in the office. This was a normal computer, but locked down to only run Verisign software. It was a flavor of UNIX

- the terminal had a smart-card reader on it, and a private net connection that went only back to Verisign.

- the authentication to login to the computer was two passwords, both with secure tokens, and two smart cards

- when you login, you do the ID shuffle, which involved two people who had background checks conducted on them etc.

- we generate a certificate, which is then signed using a sub-CA certificate that Verisign issues to us

- Our certificate thus acted as a CA, but it was authorized by Verisign, so the certs that we signed would then check out using the built-in browser CA certs

This cost us hundreds of thousands of dollars to set up, and cost us hundreds of dollars for each cert we signed. When I did the due diligence on the solution, I visited 3 London-based banks who had implemented the same system. The selling point was that we could act as a CA, but without really being a CA.

Verisign's sales pitch was that you could never become the root CA because of the stringent policies that had to be put in place (isolated networks, key generation, etc.), but for the fraction of the cost, we could sign certs using our cert which would be verified up the chain to the root CA which was Verisign.

I can't stress how secure this whole procedure was. The root CA store was the holy grail - nobody that didn't have the infrastructure or procedures like Verisign would get anywhere near it. I now read stories 10 years later of dodgy Dutch companies with no budgets being given root CA privileges, and I am just blown away.

If these guys needed a solution to sign certs, they should have been set up with what we had, and what the other banks had, not just given placement in the root cert store. Verisign would check and double-check everything we did, and would frequently revert certs we signed where they suspected something was wrong.

With this story it seems there was a completely amateur operation given privileges to sign certs as part of a root CA.

I have 163 root CA certs on my OS X machine. 10 years ago I am certain the number was 4 or 5.

note: this was so long ago that I probably have some of my terminology mixed up, but what we bought was the right to sign certs as a sub-CA of Verisign, a privileged root CA. I also got a very cool tour of Verisign which is another story.


So the only thing that kept your startup from being able to mint a certificate for *.GOOGLE.COM was the physical security of a single Unix box?

The setup you describe is actually worse than what happened with Diginotar. There's a public record of Diginotar being added to the browser roots, complete with audit statements tying PwC to attestations that Diginotar was ready to be a CA. Nobody in hindsight agrees that a good decision was made there, but at least we know it was made.

There is no way to account for Verisign signing CA=YES keys for private companies as a convenience; we can only trust Verisign when it says "anything we do with our private key we do with security measures adequate to the task of protecting the entire Internet". Well, I don't want to pin the safety of the entire Internet on Verisign's ability to secure a Unix box they don't even have physical custody over.

Diginotar isn't what upsets me about the browser CA situation. Subordinate CAs are.


It wouldn't insta-sign. It would go back to Verisign and they would do authorization against our client database. They called the client every time and did a number of checks.

We were just acting as an intermediary CA, which I think is a better setup than a bank acting as a root CA (as Wells Fargo et al are now) since we had Verisign looking over our shoulder seeing which certificates we signed and not being afraid to revoke.

So as I saw this situation, if they were set up as an intermediate CA, when the signing went up the chain it would have been noticed - rather than a cert being signed and instantly being verified by all browsers.


The way I read his tale, it sounds like VeriSign may have kept the signing keys for his intermediate CA, and their onsite secure terminal just submitted CSRs back to VeriSign and got the signed certificates back. VeriSign was then in a position to enforce the policy that no certs get signed for anything outside of the domains that should be signed.


I thought so too, but then I read "can't be a root CA because of stringent policies, isolated networks, key generation" and felt he was writing about the weird machine they put on their prem.


>we can only trust Verisign when it says "anything we do with our private key we do with security measures adequate to the task of protecting the entire Internet".

like we trust with the same to any other CA in the browser trusted root store.


Exactly.

We could with the flip of a switch ban intermediate CAs; the browser's TLS library sees the chain of intermediate CA=YES certs.
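
As an added illustration (not part of the thread and not any commenter's code), the Python sketch below decodes the basicConstraints value discussed in the comments above and applies two chain checks: RFC 5280's pathLenConstraint and the "ban intermediate CAs" switch suggested in the comment just above. The chain data, subject names and the `evaluate_chain` helper are constructed for this example.

```python
# basicConstraints per RFC 5280:
#   SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }

def read_tlv(buf, pos):
    """Read one DER element; return (tag, value_bytes, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def parse_basic_constraints(der):
    """Return (is_ca, path_len); path_len is None when no limit is encoded."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    is_ca, path_len, pos = False, None, 0  # an absent cA field means FALSE
    if pos < len(body) and body[pos] == 0x01:      # BOOLEAN
        _, val, pos = read_tlv(body, pos)
        if val != b"\xff":                          # DER: TRUE is 0xFF, FALSE is omitted
            raise ValueError("non-DER BOOLEAN")
        is_ca = True
    if pos < len(body) and body[pos] == 0x02:      # INTEGER
        _, val, pos = read_tlv(body, pos)
        path_len = int.from_bytes(val, "big")
    if pos != len(body):
        raise ValueError("unexpected trailing data")
    return is_ca, path_len

def evaluate_chain(chain, ban_intermediates=False):
    """chain: leaf first, then each intermediate toward (not including) the trusted root.
    Entries are (subject, hex of the basicConstraints value). Returns a list of findings;
    an empty list means the chain passes these checks."""
    findings = []
    for depth, (subject, bc_hex) in enumerate(chain):
        if depth == 0:
            continue                      # the leaf issues nothing in this path
        is_ca, path_len = parse_basic_constraints(bytes.fromhex(bc_hex))
        below = depth - 1                 # intermediates between this cert and the leaf
        if not is_ca:
            findings.append(f"{subject}: cA is FALSE, cannot issue certificates")
        elif ban_intermediates:
            findings.append(f"{subject}: intermediate CA rejected by local policy")
        elif path_len is not None and below > path_len:
            findings.append(f"{subject}: pathLen {path_len} exceeded ({below} below)")
    return findings

# Constructed sample chains (names and encodings made up for illustration).
LEAF = ("www.example.test", "3000")                     # cA absent -> FALSE
SUB_CA = ("Example Sub CA", "30060101ff020100")         # cA TRUE, pathLen 0
NESTED_CA = ("Example Nested CA", "30030101ff")         # cA TRUE, no pathLen

if __name__ == "__main__":
    print(evaluate_chain([LEAF, SUB_CA]))                          # passes
    print(evaluate_chain([LEAF, SUB_CA], ban_intermediates=True))  # rejected by policy
    print(evaluate_chain([LEAF, NESTED_CA, SUB_CA]))               # pathLen violated
    print(evaluate_chain([LEAF, LEAF]))                            # non-CA issuer
```

Nothing in basicConstraints restricts which hostnames a passing sub-CA can sign for; pathLen bounds chain depth only.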


I'm torn.

Should everyone and his mom be allowed to create certificates? No.

Should we limit ourselves to 'the big players' in the US? No. That would drastically reduce the competition and make certificates far more expensive again. One could claim that quality has its price, cheap competition probably cuts costs in the process, yadda yadda. I don't buy it.

Give me a list of 20-30 CAs over 3 every day. I don't care about the number that much.

What I would like to see is

- a site where I can get information on the usage, origin and track record of CAs

- a site where I can see where a CA is based. A lot of people are already removing CAs from China. Different places of the world have different trust values already (and, frankly, the US is not high on my list of 'trusted' places. I very much know that we're discussing a big failure of a Dutch CA here, but I'd usually prefer to trust a CA from the EU or Switzerland instead of a US one).


"DigiNotar should never have been a top-level CA. They should have been a third-party CA underneath Verisign or somebody similar"

Look at it from the position of the Dutch government (or any other government): Who would you trust to digitally sign passports and crucial government communications? (Which is what the Diginotar certificates are being used for). No government would like the idea of being at the mercy of a foreign entity they cannot control.


>Who would you trust to digitally sign passports and crucial government communications?

Myself. I don't understand why governments don't become their own CAs, limited to issuing certificates for official websites and documents.

Of course, it would be better if browsers could limit CA trust to certain domains and subdomains (for example, the Portuguese govt CA should only be trusted for .gov.pt domains) to prevent abuse, but on the other hand we all know that if a govt is dirty enough to abuse that they'd be able to pressure some national CA into issuing it.


Mozilla's Gervase Markham posted a more detailed (and, frankly, more damning) blog entry about the DigiNotar fiasco:

http://blog.gerv.net/2011/09/diginotar-compromise/


Nobody seems to ask why should I trust DigiNotar or Verisign or whatever? I do not know them myself to trust them in the first place. So why should I trust them through Mozilla? Or Google? I don't know enough to trust them either... The whole pyramid trust scheme is broken.


If you don't trust your browser, then you've already lost, since your browser ipso facto sees the unencrypted form of all your web traffic, both incoming and outgoing. Not only that, but it's running native code on your machine!


I agree. That's why I go mostly with open software. If I care enough I'll go and get my hands dirty with code.

However I trust open source because people _I know_ told me they are trust-able not because of a higher authority. I trust Amazon because friends of mine are satisfied customers and not because Verisign says so.


Sure. But one important point here: Verisign doesn't tell you to trust Amazon.

What Verisign can tell you is that you can trust that the server you're talking to right now is in fact affiliated with Amazon (in the case of EV certs) or corresponds to the hostname in your URL bar (in the case of regular certs). As long as no certificates got stolen, no one mis-issues certificates, etc....



