Rogue Google SSL certificate missed by auditors
VASCO Data Security International – the owner of DigiNotar, the Dutch Certificate Authority who issued the rogue SSL certificate for *.google.com domains that has allowed attackers to execute MITM attacks against Google users – has finally issued a statement regarding the incident.
“On July 19th 2011, DigiNotar detected an intrusion into its Certificate Authority (CA) infrastructure, which resulted in the fraudulent issuance of public key certificate requests for a number of domains, including Google.com,” it explains. “Once it detected the intrusion, DigiNotar has acted in accordance with all relevant rules and procedures. At that time, an external security audit concluded that all fraudulently issued certificates were revoked.”
But, “recently, it was discovered that at least one fraudulent certificate had not been revoked at the time. After being notified by Dutch government organization Govcert, DigiNotar took immediate action and revoked the fraudulent certificate.”
Saying that no other types of certificates were compromised, the company says that it will temporarily suspending the sale of its SSL and EVSSL certificate offerings, and that it will organize new third-party audits.
Well, let’s just hope the won’t be using the same auditing firm. I also wonder if the one rogue certificate was all that these auditors missed. F-Secure says that it wasn’t – they also missed the evidence of a number of defacements of DigiNotar’s website that were executed over the years.
Whether this will appease Mozilla, Google and Microsoft, who have already moved to remove DigiNotar as a trusted root CA from their products, only time will tell.