The attack on certificate authority (CA) Diginotar will put cyberwar near the top of the political agenda of western governments.
In an almost unprecedented event the Dutch Minister of Internal Affairs gave a press conference on Saturday night announcing that the Government revoked trust in Diginotar.
The company consisted of two seperate branches.
One branch was a CA that dealt with regular business. The other branch, PKIoverheid, focused on government.
The audit conducted on Diginotar's systems showed the integrity of the PKIoverheid authority couldn't be guaranteed. It should be presumed the integrity is broken.
At the beginning of last week the Dutch Government vouched for the integrity of the PKIoverheid CA.
This caused the browser makers to only blacklist the non-goverment CA from Diginotar. Next time around, browser makers may not be quite as trusting.
This list of rogue certificates is a very far cry from the dozen or so that Diginotar originally reported compromised.
Certs for intelligence agencies
Some attention has been put toward the rogue certificates generated for the CIA and others. No actionable intelligence would be gathered from snooping on traffic to the CIA web site.
A rogue certificate for WindowsUpdates was also issued. It's my understanding WindowsUpdates only runs programs which are digitally signed by Microsoft.
To push malware through WindowsUpdates would require a rogue certificate that also allows the attacker to sign code rather than just run SSL websites. Microsoft may have checks in place that would prevent exploitation by a rogue certificate.
This screenshot shows the *.google.com certificate also to be valid for code signing. That means this attack could transcend the browser allowing attackers to send malware to victims that would appear to orginated from Microsoft or other affected parties. At this point it becomes critical for these certificates to be blocked OS-wide, not just in the browser.
Cyberwar on the agenda
Stuxnet had a huge impact but there didn't seem to be a sense of urgency to put cyberwar and cybersecurity on most of the political agendas. The DigiNotar attack will.
So far it's not known if Apple is even planning on revoking these CAs. I don't understand why Apple is keeping radio silence on this and quite frankly it's unacceptable. Using third party web browsers and email clients is the way to go.
Diginotar was excommunicated because it didn't disclose the breach. With some 500 authorities out there, it's hard to believe Diginotar is the only compromised CA. This should serve as a very strong message for CAs to go public with any breach.