The European Network and Information Security Agency (ENISA) has released a report examining the hack against certificate authority (CA) DigiNotar that ultimately led to the company's demise.
In August, a falsely issued Google SSL certificate was discovered by an Iranian freelance web developer, which led to an investigation of DigiNotar's system security.
The investigation revealed that DigiNotar may have issued more than 500 rogue digital certificates after being compromised by criminal hackers largely believed to be based in Iran.
Digital certificates are used by internet browsers to recognize legitimate websites and to protect users from inadvertently exposing themselves to malware, phishing scams, impostors and spoofed landing sites.
A digital certificate improperly issued for a domain lets an attacker mount attacks that arrive with a validly signed, browser-trusted certificate.
"SSL (Secure Sockets Layer) certificates are used in the https protocol to secure digital communications, such as web browsing, email and machine-to-machine communications (web services), and to create electronic signatures. DNSSEC (Domain Name System Security) also relies on SSL certificates. False certificates can be used for example to intercept private emails, execute fraudulent banking transactions, or create false digital signatures," the ENISA report explains.
Early reports indicated that the bogus digital certificates may have been part of a ploy by the Iranian government to perform Man-in-the-Middle (MitM) attacks and gather intelligence on Iranian opposition groups.
"MITM attack, besides false SSL certificates, the attacker needs to be able to intercept and modify IP traffic. In general this can be done by using a rogue hotspot, by poisoning the DNS cache or ARP cache, by using malware on the victim’s machine, or by accessing the traffic at ISPs directly," the report states.
In September, the Board of the Independent Post and Telecommunications Authority, a Dutch regulatory agency, barred DigiNotar from issuing any new digital certificates, and a Dutch court appointed a bankruptcy trustee to take over the management of all of DigiNotar's business activities.
VASCO Data Security International subsequently announced that its subsidiary DigiNotar had filed a voluntary bankruptcy petition.
The ENISA report identified three major areas of concern:
1. No immediate incident reporting: DigiNotar did not immediately report the cyber-attack to customers or government authorities, which put the security and privacy of millions of citizens at risk. Immediate reporting of the incident and a swift response would have limited the impact considerably.
2. Fundamental weaknesses in the design of HTTPS: In the current setup, browsers and operating systems (e.g. Microsoft's certificate store) place trust by default in a large number of CAs (hundreds), so a failure at any one of them creates a risk for all users and all websites. The security of HTTPS equates to the security of the weakest CA. HTTPS should be modernized to be more resilient against attacks and more user-friendly.
3. Failure to implement basic security measures: The Fox-IT report shows that basic security measures were not taken. It is imperative that service providers, like CAs, which play such a critical role in today’s digital society, adhere to best practices. The attack highlights the importance of enforcing basic security best practices.
Attempts by internet browser providers to improve SSL security are thwarted by the fact that blacklisting the root certificates of companies with a record of issuing bad certificates would also block access to all the websites that obtained valid certificates from those same companies.
"Diginotar did not have a record of all the rogue certificates that were created by the attacker, so the only remedy was to remove the root certificate of Diginotar from all the browsers. This was a major issue for many websites," the ENISA report states.
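To make concrete what the last two paragraphs describe, the following Go program (an added example, not code from the ENISA report or this article) builds a throwaway root CA, issues one certificate for www.google.com and one for a constructed customer site from it, and checks each against a client trust store with and without that root. The CA name, hostnames and keys are all constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs a certificate for name; a nil parent makes a self-signed root CA, otherwise a server leaf.
func issue(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed serial; a real CA records it in its serial log
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if parent == nil { // root: mark it a CA and sign it with its own key
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // leaf: bind the hostname a browser will match (the CN alone is ignored by modern clients)
		tmpl.DNSNames = []string{name}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Scenario models the remedy the report describes: with no record of the rogue certificates to blacklist, the root is dropped from the trust store, which also cuts off the CA's honest customers.
func Scenario() (rogueBefore, rogueAfter, legitAfter bool) {
	root, rootKey := issue("Example Compromised CA", nil, nil)
	rogue, _ := issue("www.google.com", root, rootKey)  // constructed stand-in for the falsely issued certificate
	legit, _ := issue("shop.example.nl", root, rootKey) // constructed stand-in for a legitimate customer site
	store := x509.NewCertPool()
	store.AddCert(root)
	ok := func(c *x509.Certificate, host string) bool { // would a client holding store accept c for host?
		_, err := c.Verify(x509.VerifyOptions{DNSName: host, Roots: store})
		return err == nil
	}
	rogueBefore = ok(rogue, "www.google.com")
	store = x509.NewCertPool() // the browser update ships without the root; empty stands in for "all other roots"
	return rogueBefore, ok(rogue, "www.google.com"), ok(legit, "shop.example.nl")
}
```

Scenario returns true, false, false: the rogue certificate is accepted while the root is trusted, and pulling the root rejects the rogue certificate and the honest customer's certificate alike, which is the collateral damage the report describes.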
ENISA suggests several areas for improvement in the Digital Certificate sector, including improved design and implementation of HTTPS, more robust security standards, and improved incident reporting.
"The Diginotar attack was an attack on the foundations of secure electronic communications (email, web browsing, web services). The above-mentioned issues should be addressed by industry and governments, to guarantee the security of service in the digital society," the ENISA report states.
The full ENISA Operation Black Tulip report can be found here: