Problem with DigiNotar SSL Certificates

While executing the all too familiar morning routine of a geek today – coffee, various news feeds, and mailing lists – I came across a disturbing bit of news. It turns out that DigiNotar, an SSL certificate issuer in the Netherlands (think VeriSign but less reputable), issued a wildcard SSL certificate for Google domains (*.google.com) to an unknown entity. If you understand how SSL works then you are probably not reading this post anymore and are instead deleting DigiNotar’s root certificate from all your systems.

For those who do not understand the implications of this, I urge you to read up on SSL. The salient point that you will find is that SSL certificates are only meaningful if they are signed (verified) by a central issuer that you trust. This is why your web browser gets angry when you go to your company’s QA server using HTTPS, only to find a self issued SSL certificate. Anyone can generate a self signed SSL certificate, including malicious users.

How would a malicious user take advantage of a self signed certificate, or in DigiNotar’s case, a wildcard SSL certificate for Google domains that appears legitimate? I will not rehash man-in-the-middle attacks, but you should read up on them to fully appreciate signed SSL certificates: https://www.owasp.org/index.php/Man-in-the-middle_attack. According to Google they had reports of this exact type of attack being used primarily in Iran over the last few days.

So Now What?

You should revoke DigiNotar’s root certificate from your system. Google, Microsoft, and Mozilla (Firefox) are all in the process of doing this already, since DigiNotar obviously cannot be trusted to implement a trustworthy signing process. Without the root certificate on your machine or in your web browser you will not be able to verify SSL certificates issued by DigiNotar, including the wildcard Google certificate. Instead you will get a warning much like the one you get when you use a self signed SSL certificate.

There are already plenty of instructions on Google to help you revoke a certificate from your browser. Even though browser vendors are pushing patches to revoke the certificate, you might not get the patch in time and should revoke it now.

I also removed their root certificate on all my Linux boxes (path might be Debian specific), including my servers, and you should do the same:

sudo rm /etc/ssl/certs/DigiNotar_Root_CA.pem