Rogue Google SSL certificate missed by auditors
Posted on 30 August 2011.
VASCO Data Security International - the owner of DigiNotar, the Dutch Certificate Authority who issued the rogue SSL certificate for * domains that has allowed attackers to execute MITM attacks against Google users - has finally issued a statement regarding the incident.

"On July 19th 2011, DigiNotar detected an intrusion into its Certificate Authority (CA) infrastructure, which resulted in the fraudulent issuance of public key certificate requests for a number of domains, including," it explains. "Once it detected the intrusion, DigiNotar has acted in accordance with all relevant rules and procedures. At that time, an external security audit concluded that all fraudulently issued certificates were revoked."

But, "recently, it was discovered that at least one fraudulent certificate had not been revoked at the time. After being notified by Dutch government organization Govcert, DigiNotar took immediate action and revoked the fraudulent certificate."

Saying that no other types of certificates were compromised, the company says that it will temporarily suspending the sale of its SSL and EVSSL certificate offerings, and that it will organize new third-party audits.

Well, let's just hope the won't be using the same auditing firm. I also wonder if the one rogue certificate was all that these auditors missed. F-Secure says that it wasn't - they also missed the evidence of a number of defacements of DigiNotar's website that were executed over the years.

Whether this will appease Mozilla, Google and Microsoft, who have already moved to remove DigiNotar as a trusted root CA from their products, only time will tell.


How to talk infosec with kids

Posted on 17 September 2014.  |  It's never too early to talk infosec with kids: you simply need the right story. In fact, as cyber professionals itís our duty to teach ALL the kids in our life about technology. If we are to make an impact, we must remember that children needed to be taught about technology on their terms.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.


Fri, Sep 19th