The day after the Fox-IT interim report on the DigiNotar compromise, and two days after ComodoHacker again claimed responsibility — and we are now in possession of substantially more detail about a CA compromise than we have ever previously had, which is a polite way of saying that what Fox-IT have produced is the public post-mortem the Comodo affair in March did not get.
The technical scope is bigger than any of us assumed. Fox-IT have so far identified 531 fraudulent certificates issued from DigiNotar between 10 July and 22 July, with substantial certainty that the actual figure is higher. The list of target domains is the part that has been keeping the CISO community awake. There are certs for *.google.com used in active man-in-the-middle attacks against Iranian Gmail users — that is the vector through which this was finally noticed, when an Iranian user posted a Chrome certificate-pinning warning to Google's product forum on 27 August. There are certs for *.windowsupdate.com, which is the kind of cert that supports a full update-channel man-in-the-middle. There are certs for *.cia.gov, *.mossad.gov.il, *.sis.gov.uk and *.mi6.gov.uk. The intelligence-services list is the part that has produced the loudest reaction in Westminster and similar capitals; the windowsupdate.com cert is the part that has produced the loudest reaction at the technical end. Both should be terrifying.
The geopolitical attribution writes itself. ComodoHacker claimed responsibility on Pastebin on the fifth — the same day as the Fox-IT report — repeating the lone-Iranian framing he used in March. The pastebin post claimed access to several other CAs, listed StartCom, GlobalSign, and a couple of others by name, and threatened similar issuance from those. StartCom acknowledged a probe attempt against their infrastructure that they had detected and stopped; GlobalSign suspended new issuance from their root pending review; the others have so far been quiet. Whether ComodoHacker is the same operator as in March, whether the lone-Iranian story is genuine, and whether the operation is run by IRGC or by a more loosely-affiliated technical group on contract — these are questions I do not think can be answered from outside, and I will not pretend I can answer them. What can be said is that the targeting profile, the apparent capability to compromise multiple CAs, and the Iranian-population MITM use-case are all consistent with a sustained state-grade operation.
The wider point about CA structure is now substantially harder to wave away than it was in March. There are several hundred root authorities in the Mozilla and Microsoft trust stores. Each has resellers, intermediates, and registration authorities below it. The DigiNotar compromise demonstrates that a single mid-tier CA, with operational security best described as "lacking", can issue trusted certificates for any high-value domain. The compromise is now believed to have happened in mid-July; it took six weeks for DigiNotar to detect their own breach; when they did detect it, they did not promptly disclose to the certificate-authority ecosystem, and the affected certificates remained trusted by browsers worldwide for the duration. Mozilla and Microsoft learned about the issue from the Iranian Gmail user, not from DigiNotar. That is not a sustainable model.
The Dutch dimension makes this even worse in ways that were not present in the Comodo case. DigiNotar is the issuing CA for the Dutch government's PKI, including the DigiD national authentication system used by every Dutch citizen for tax filing and similar interactions with the state. The Dutch government took the company over on the fourth, and Logius is now in the process of migrating the government PKI to a different root, which will take weeks. There is meaningful disruption to e-government services in the Netherlands as a direct consequence. This is what the structural compromise of the CA trust model looks like when it bites a state.
For the engagements I run, the operational response of the past week has been to push the certificate-pinning conversation harder than I would have without DigiNotar. For the clients with mobile applications under their direct control, pinning is now feasible and we are advising on it. For web-application clients without direct browser control, the answer is still essentially nothing useful — we can monitor the certificate-transparency logs that exist in early prototype form for unauthorised issuance, we can advise on operational vigilance, but the fundamental browser-trust model is what it is and is not going to change before the next incident. I have been telling clients to expect another DigiNotar-class incident within twelve months and to plan accordingly. I do not think this is alarmist. The structural conditions that allowed this to happen — too many CAs, too little oversight, no functional revocation infrastructure — are all unchanged.
The piece I want to think more about is the parallel with the Tunisian Internet Agency credential injection in January. In both cases, the man-in-the-middle position is what the attacker is building; the difference is at which layer the position is established. The ATI was at the carrier; ComodoHacker (or whoever is behind him) is at the certificate-authority layer. The Iranian case in particular reads as the natural successor to the Tunisian case — same defensive failure shape (unencrypted or untrusted trust chain), same target population (in-country activists), same attacker class (state-level interception). The difference is that Tunisia was a small coastal state with relatively little technical capacity, and the ATI attack was technically crude; what we are looking at with DigiNotar is the same operational intent expressed through substantially more sophisticated technical means. The defensive answer in both cases is the same — get the trust chain off the wire and beyond the carrier — but DigiNotar demonstrates that this is harder than I thought a year ago, because the trust chain itself is contested.
Next post is probably the SQL-injection methodology piece I have been delaying for nine months, unless something else breaks in the CA story. Or unless Slim Amamou finally resigns from the Tunisian government in the next ten days, which my correspondents are again telling me is imminent.