It started with a lack of security; it ended in its doom. A lack of basic security and isolation of its CA systems, together with the failure to disclose the hack, led to the demise of DigiNotar. The DigiNotar debacle makes it clear that every company must secure its servers, and that this applies doubly to Certificate Authorities (CAs), since a single compromised CA puts every site on the Internet at risk.
As the aftermath of the DigiNotar fiasco, the major vendors, including Google, Mozilla (publisher of Firefox) and Microsoft, have excommunicated the company and removed the root certificates operated by DigiNotar from their lists of trusted root certificates. It started when Google received reports of a fraudulent certificate for Google domains being used in man-in-the-middle attacks. Google quickly removed DigiNotar from its list of trusted certificates. Mozilla and Microsoft quickly followed suit: Mozilla released a new version of Firefox that no longer has DigiNotar in its root certificate list, and Microsoft removed DigiNotar from its online list of root certificates (the list used by Windows Vista and later). Late to the party, Opera finally disabled DigiNotar as a root certificate. For now, users still have to manually remove the DigiNotar Root CA if it exists in their copy of Opera. Opera Software indicates that new installations of Opera (that is, installing Opera onto a system that did not have it before) will not include the DigiNotar Root CA by default. Opera recommends that if you visit a site with a DigiNotar-issued certificate and it triggers an "Unknown issuer" dialog, you click "Reject".
It seems Microsoft has flicked the kill switch on DigiNotar and released an update that revokes trust in the following DigiNotar root certificates by placing them in the Untrusted Certificates store:
- DigiNotar Root CA
- DigiNotar Root CA G2
- DigiNotar PKIoverheid CA Overheid
- DigiNotar PKIoverheid CA Organisatie - G2
- DigiNotar PKIoverheid CA Overheid en Bedrijven
Windows users are now prevented from accessing sites with SSL certificates issued by DigiNotar, instead of merely being presented with a certificate warning they can click through.
Previously, users going to a site using a DigiNotar certificate were presented with an error screen that still offered the option to continue, as shown:
However, after the update is applied, the option to continue has been removed:
To test this behavior, go to the https version of DigiNotar's website.
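Visiting the site only tells you what one browser does. To check the update has actually landed on a machine, an administrator would rather inspect the certificate stores directly. The PowerShell below is an added example for this post, not code from Microsoft or from the original article: it walks the trusted root stores and the Untrusted Certificates (Disallowed) store and reports where any DigiNotar certificate sits. The five certificate names come from the list above; the function name and the store selection are my own assumptions about how one would script the check.

```powershell
# Added example (not from the original post or from Microsoft). Reports where
# DigiNotar certificates live in the local Windows certificate stores after the
# advisory 2607712 update: a certificate in a "Disallowed" store is explicitly
# distrusted; one that is only in Root/AuthRoot is still trusted.

function Get-DigiNotarTrustState {
    param(
        # Subject/issuer pattern to look for; assumption: DigiNotar names all
        # contain the string "DigiNotar" (true for the five roots in the post).
        [string]$Pattern = '*DigiNotar*'
    )

    # Stores to inspect: Root and AuthRoot hold trusted roots (AuthRoot is fed
    # by Microsoft's online root list), Disallowed is "Untrusted Certificates".
    $stores = @(
        'Cert:\LocalMachine\Root',
        'Cert:\LocalMachine\AuthRoot',
        'Cert:\LocalMachine\Disallowed',
        'Cert:\CurrentUser\Root',
        'Cert:\CurrentUser\Disallowed'
    )

    $found = foreach ($store in $stores) {
        if (-not (Test-Path $store)) { continue }
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -like $Pattern -or $_.Issuer -like $Pattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                    InDisallowed = ($store -like '*\Disallowed')
                }
            }
    }

    # A thumbprint present in any Disallowed store is distrusted everywhere,
    # even if a copy of the same certificate still sits in Root or AuthRoot.
    $blocked = @($found | Where-Object InDisallowed | ForEach-Object Thumbprint)
    foreach ($entry in $found) {
        $entry | Add-Member -NotePropertyName Distrusted `
                            -NotePropertyValue ($blocked -contains $entry.Thumbprint) `
                            -PassThru
    }
}

$results = @(Get-DigiNotarTrustState)
$results | Format-Table Store, Subject, Distrusted -AutoSize

$stillTrusted = @($results | Where-Object { -not $_.Distrusted })
if ($stillTrusted.Count -gt 0) {
    Write-Warning "DigiNotar certificates are still trusted on this machine:"
    $stillTrusted | Select-Object Store, Subject | Format-List
} elseif ($results.Count -eq 0) {
    Write-Output "No DigiNotar certificates in any store: either the roots were never installed here or the update has not been applied yet."
} else {
    Write-Output "Every DigiNotar certificate present is covered by the Untrusted Certificates store."
}
```

Run it from an elevated prompt so the LocalMachine stores are readable. The "no certificates found" case is deliberately not reported as good news: the Microsoft update works by adding the roots to the Disallowed store, so a machine that simply lacks them may just be one that has not yet downloaded the update.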
According to the Sophos Naked Security blog post Microsoft revokes DigiNotar certificates from Windows, Mac users still vulnerable, all Windows users with automatic updates enabled will receive this update, and a reboot may be required depending on the operating system (Windows XP required a reboot, Windows 7 did not). However, at the request of the Dutch government, Microsoft has delayed the rollout of this update to users in the Netherlands and its territories until next Tuesday (Patch Tuesday, coincidentally). This gives Dutch websites time to swap their certificates to another, perhaps more trustworthy, certificate authority. Until then, users in the Netherlands who want the patch have to run Microsoft Update manually.
See http://www.microsoft.com/technet/security/advisory/2607712.mspx for more details.
Conclusion to the fiasco (hopefully)
With all the major vendors apart from Apple distrusting DigiNotar, and the company taken over by the Dutch government, is this the end of DigiNotar as we know it?
The grim reaper picture is taken from Mytattoosucks.com's post Death Personified - The Grim Reaper Tattoo. This user neither has a tattoo nor advocates tattooing.