Following the admission that the rogue SSL certificate that allowed attackers to impersonate Google was missed by auditors and that several dozen other certificates were created at the same time but were soon revoked, the Internet is abuzz with speculation about what other sites were targeted.
The news that Google has blacklisted 247 additional certificates in the newly released version of its Chrome browser – combined with the fact that VASCO and DigiNotar have still not shared the list of the other rogue certificates – has made the press search for other sources.
And they found one. Hans Van de Looy, founder and chief security consultant of a Dutch security company, says that a source who wished to remain anonymous has shared with him that some 200 rogue certificates were generated following the breach.
Among those were certificates for Mozilla’s add-ons site, Yahoo, the Tor Project site, WordPress and Iranian blogging service Balatarin, says the source. And while others have still not confirmed it, Computerworld reports that Mozilla acknowledged that DigiNotar had informed them about the rogue certificate issued for their site in July, and that they had revoked it a couple of days after it was issued.
Other details shared in DigiNotar’s press release also make security researchers worry.
Sophos’ Chester Wisniewski is concerned about the discrepancy between the date of issue of the certificates (Google’s was July 10) and the date of the discovery of the intrusion (July 19). Also, according to him, the issued certificates were revoked in batches through July and August – well after the breach occurred. The attackers had, consequently, plenty of time to misuse them.
Kaspersky Lab’s Roel Schouwenberg also points out that the CA said that they were not able to track which rogue certificates were generated. “Either DigiNotar performs no logging of the certificates they create or their logs got cleaned out during the attack,” he says. That means that, either way, there might be other rogue certificates out there that they don’t know about.
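Schouwenberg's point is that a CA which cannot enumerate its own issuances, because nothing was logged or because the log was wiped, cannot bound the damage. The following is an added illustration (not DigiNotar's software, and a simplification of what tamper-evident issuance logs do): each record commits to the hash of the previous one, and the latest head hash is copied off the CA host, so a deleted, rewritten or truncated log is detectable. The sample entries, function names and field names are constructed for this example.

```python
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # prev_hash of the very first entry


def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_entry(entries: list, serial: str, subject_cn: str, not_before: str) -> str:
    """Append one issuance record that commits to the hash of the previous one."""
    prev = entries[-1]["entry_hash"] if entries else GENESIS
    body = {"serial": serial, "subject_cn": subject_cn,
            "not_before": not_before, "prev_hash": prev}
    entries.append({**body, "entry_hash": _digest(body)})
    return entries[-1]["entry_hash"]


def verify_chain(entries: list, anchored_head: Optional[str] = None):
    """Walk the chain. Returns (ok, problem) where problem is None,
    ("broken", index) when an entry was deleted or rewritten, or
    ("truncated", n) when the tail no longer matches a head hash stored off-host."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: e[k] for k in ("serial", "subject_cn", "not_before", "prev_hash")}
        if e["prev_hash"] != prev or _digest(body) != e["entry_hash"]:
            return False, ("broken", i)
        prev = e["entry_hash"]
    if anchored_head is not None and prev != anchored_head:
        return False, ("truncated", len(entries))
    return True, None


def build_sample_log() -> list:
    """Constructed sample issuances, not real DigiNotar records."""
    entries = []
    append_entry(entries, "1001", "www.customer-a.test", "2011-07-09")
    append_entry(entries, "1002", "google.com", "2011-07-10")
    append_entry(entries, "1003", "addons.mozilla.org", "2011-07-10")
    return entries


def demo() -> dict:
    entries = build_sample_log()
    head = entries[-1]["entry_hash"]  # copy held by the auditor, outside the CA host
    intact = verify_chain(entries, head)
    # An intruder removes the rogue issuance from the middle of the log.
    cleaned = [e for e in entries if e["subject_cn"] != "google.com"]
    after_delete = verify_chain(cleaned, head)
    # Or drops the newest entries while leaving the remainder self-consistent.
    truncated = verify_chain(entries[:1], head)
    return {"intact": intact, "deleted": after_delete, "truncated": truncated}
```

The off-host head hash is what turns a silently shortened log into a detectable one; without it, `entries[:1]` verifies cleanly.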
But, above all, what they are all greatly concerned about is the fact that DigiNotar kept this intrusion under wraps for so long. “DigiNotar’s response to this whole debacle has only made me more worried about how deep this attack may have run,” says Schouwenberg. “To me, it seems that DigiNotar has not realized certificate authorities need to sell trust above anything else.”