- Google Online Security: An update on attempted man-in-the-middle attacks
- Operation Black Tulip: Fox IT's report on the DigiNotar breach
- F-Secure blog: DigiNotar hacker comes out
- (Sophos) Naked Security: Microsoft revokes DigiNotar certificates from Windows, Mac users still vulnerable
- (Sophos) Naked Security: Firefox 6.0.2 fixes yet more DigiNotar certificate fallout
One of the generally trusted certificate authorities, DigiNotar, failed to protect its services and was compromised. DigiNotar-signed certificates now exist in the wild, free for attackers to use against several online and software-update services, including those of companies such as Microsoft and Google and organisations like Mozilla (Firefox). This means that if your operating system or browser certificate stores are not updated, your device is vulnerable to attacks based on these certificates. Such attacks can, for example, install malware on your computer disguised as updates, or collect your passwords for various services. But since most of the operating system and browser vendors have already reacted and I have installed the updates, I am now secure, right?
No, you are not. While most operating system and browser vendors have removed the CA certificate in question, we still have a huge number of devices which may have those CA certificates installed: the mobile devices. I have not yet received an update for my Android phone (Samsung Google Nexus S), and I think it is pretty much the same for all other mobile phone vendors too, Windows Phones, old and new S40, Symbian, Maemo phones and iPhones included. And it does not even stop at mobile phones; nowadays we also have tablets and all kinds of embedded devices, which may have the operating system's bundled certificates installed. Our mobile devices continue to be vulnerable to those leaked certificates, and in most cases the users cannot even check for them or do anything to remove them!
One glimmer of hope is that DigiNotar has perhaps not been in every mobile device's CA certificate store, but then again we still have Comodo there, and now GlobalSign has stopped signing certificates and is checking its systems for intrusion. Another glimmer of hope is that perhaps the industry will now take a closer look at the current certificate authority structure, and the system will be improved or fixed, for example along the lines Moxie Marlinspike suggests.