With the DigiNotar saga continuing, it's time to summarize some of the current events surrounding it.
According to multiple blog posts, Google, Mozilla and Microsoft have already banned the DigiNotar Certificate Authority in their browsers. This preemptive move comes as a direct response to the mess that DigiNotar created by issuing over 200 rogue certificates for legitimate web sites and services -- see a complete list of the affected sites and services.
Earlier this week, Google reported attempted man-in-the-middle attacks against Google users, and most recently, TrendMicro offered insights into a large-scale spying operation launched against Iranian web users.
According to TrendMicro:
From analysis of Smart Protection Network data, we see that a significant part of Internet users who loaded the SSL certificate verification URL of Diginotar were from Iran on August 28, 2011. On August 30, 2011 most traffic from Iran disappeared and on September 2, 2011 almost all of the Iranian traffic was gone and Diginotar received mostly Dutch Internet users, as expected.
These aggregated statistics from Trend Micro Smart Protection Network clearly indicate that Iranian Internet users were exposed to a large-scale man-in-the-middle attack, where SSL encrypted traffic can be decrypted by a third party. For example: a third party probably was able to read all e-mail communication an Iranian Internet user has sent with his Gmail account.
Meanwhile, the Dutch government issued a statement saying that it "cannot guarantee the security of its own websites" and is "taking over the company's (DigiNotar) operations."
"the user of government sites no longer has the guarantee ... that he is on the site where he wanted to be," Interior Minister Piet Hein Donner said at a pre-dawn press conference.
Moreover, Illinois-based VASCO, which owns the Dutch-based DigiNotar, issued the following statement:
DigiNotar detected an intrusion into its Certificate Authority (CA) infrastructure, which resulted in the fraudulent issuance of public key certificate requests for a number of domains, including Google.com. Once it detected the intrusion, DigiNotar has acted in accordance with all relevant rules and procedures. At that time, an external security audit concluded that all fraudulently issued certificates were revoked. Recently, it was discovered that at least one fraudulent certificate had not been revoked at the time. After being notified by Dutch government organization Govcert, DigiNotar took immediate action and revoked the fraudulent certificate.
Who's behind the attacks? According to the Tor Project, clues were found in one of the certificates, including messages in Farsi:
Of particular note is this certificate: CN=*.RamzShekaneBozorg.com,SN=PK000229200006593,OU=Sare Toro Ham Mishkanam,L=Tehran,O=Hameye Ramzaro Mishkanam,C=IR
The text here appears to be an entry like any other but it is in fact a calling card from a Farsi speaker. RamzShekaneBozorg.com is not a valid domain as of this writing. Thanks to an anonymous Farsi speaker, I now understand that the above certificate is actually a comment to anyone who bothers to read between the lines: "RamzShekaneBozorg" is "great cracker", "Hameyeh Ramzaro Mishkanam" translates to "I will crack all encryption", "Sare Toro Ham Mishkanam" translates to "I hate/break your head".
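The subject string quoted above is an ordinary X.509 distinguished name, and the browser bans mentioned earlier amount to refusing any certificate whose issuer is DigiNotar. The following is an added example, not code from the original post or from any of the parties it quotes: it parses the quoted subject into its attributes and applies a relying-party distrust check, with the issuer name constructed for illustration.

```python
"""Parse an X.509 subject/issuer DN string and apply a distrust policy.
Added example; the rogue subject is the one quoted from the Tor Project
post, the issuer DN below is a constructed placeholder, not a real one."""
import re
from typing import List, Tuple

# Sample input: the subject quoted above (rogue certificate, never a real site).
ROGUE_SUBJECT = ("CN=*.RamzShekaneBozorg.com,SN=PK000229200006593,"
                 "OU=Sare Toro Ham Mishkanam,L=Tehran,"
                 "O=Hameye Ramzaro Mishkanam,C=IR")

# Constructed issuer DN standing in for a DigiNotar-signed chain.
CONSTRUCTED_ISSUER = "CN=Example Issuing CA,O=DigiNotar,C=NL"

# Organisation names a relying party refuses to chain to (assumption:
# matched case-insensitively against the issuer's O attribute).
DISTRUSTED_ISSUER_ORGS = ["DigiNotar"]


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514-style DN into (attribute, value) pairs.
    Backslash-escaped commas inside values are honoured; quoted
    values are not handled (the sample does not use them)."""
    pairs = []
    for part in re.split(r'(?<!\\),', dn):
        attr, _, value = part.partition('=')
        pairs.append((attr.strip().upper(), value.replace('\\,', ',').strip()))
    return pairs


def assess_certificate(subject: str, issuer: str) -> List[str]:
    """Return the reasons a relying party should refuse the certificate.
    An empty list means neither check fired."""
    reasons = []
    issuer_org = dict(parse_dn(issuer)).get('O', '').lower()
    if any(bad.lower() in issuer_org for bad in DISTRUSTED_ISSUER_ORGS):
        reasons.append('issuer organisation is on the distrust list')
    common_name = next((v for k, v in parse_dn(subject) if k == 'CN'), '')
    if common_name.startswith('*.'):
        # Wildcard leaves: worth extra scrutiny, as in the quoted rogue cert.
        reasons.append('wildcard common name')
    return reasons


if __name__ == '__main__':
    for attr, value in parse_dn(ROGUE_SUBJECT):
        print(f'{attr:3} = {value}')
    print(assess_certificate(ROGUE_SUBJECT, CONSTRUCTED_ISSUER))
```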
VASCO, the owner of DigiNotar, said it plans to indefinitely suspend the sale of its traditional and extended-validation (EV) SSL certificates until the case is solved. "The company will only restart its SSL and EV SSL certificate activities after thorough additional security audits by third-party organizations".