The Board of the Independent Post and Telecommunications Authority, a Dutch regulatory agency, has barred certificate authority (CA) DigiNotar from issuing new digital certificates in the wake of an embarrassing breach of security.
Two weeks ago, a falsely issued Google SSL certificate was discovered by Ali Borhani, an Iranian freelance web developer, which led to an investigation of DigiNotar's system security.
According to a report in Softpedia, DigiNotar may have issued hundreds of rogue digital certificates, aside from the Google certificate discovered by Borhani, after being compromised by criminal hackers largely believed to be based in Iran.
Early reports indicated that the bogus digital certificates may have been part of a ploy by the Iranian government to perform Man-in-the-Middle (MitM) attacks and gather intelligence on Iranian opposition groups.
Digital certificates are used by internet browsers to recognize legitimate websites and protect surfers from inadvertently exposing themselves to malware, phishing scams, impostors and spoofed landing sites.
"Signs of hacker activity (using administrative rights) found on the CA server used for the issuance of qualified certificates. This means that an unauthorized third party (hacker) has been active on the CA server that is used for issuing qualified certificates. Using administrative rights of a data server can be manipulated on the server, removed or removed. The integrity of the data on the CA server that is used for production and issuance of qualified certificates is therefore impossible to guarantee," the Dutch report states.
Security experts agree that the issue comes down to accountability, and that CAs face no serious repercussions for a lack of due diligence in the issuing of digital certificates. The actions by Dutch regulators may be a sign of things to come.
The lack of accountability in the industry could increasingly lead to the issuing of certificates that present criminal enterprises with the opportunity to conduct large scale targeted cyber attacks that threaten businesses and their clientele.
An improperly issued digital certificate for an unqualified domain name would allow an attacker to conduct exploits accompanied by validly signed and authenticated certificates.
Attempts by internet browser providers to improve SSL security are thwarted by the fact that blacklisting the root certificates of companies that have a record of issuing bad certificates would also mean blocking access to all the websites that have obtained valid certificates from the same companies.