DigiNotar SSL Certificates Revoked by Google and Mozilla

The latest stable version of Google Chrome (13.0.782.220) rejects SSL certificates issued by the Dutch firm DigiNotar as does the yet-to-be-released Mozilla Firefox 6.0.2. (Mozilla will also release an update to the 3.6 line: Firefox 3.6.22. My tests indicate this version also revokes DigiNotar as an SSL authority.)

This drastic action comes in the wake of reports that DigiNotar was tricked (hacked) into issuing over 200 fraudulent SSL certificates.

As of the time of this writing, Internet Explorer 9 (9.0.8112.16521, a.k.a. 9.0.2) and Opera 11.51 build 1087 both allow access to https://www.diginotar.com/, which is blocked by the latest Chrome and Firefox versions.

Update (September 6, 13:21 EDT, US): I just got a Windows Update that makes Internet Explorer 8 (8.0.60001.18702) on Windows XP reject the SSL certificate for https://www.diginotar.com. Also got an update for Windows 7 (KB2607712) that resolves the issue on IE9. We’re making progress!

Update (September 6, 19:26 EDT, US): Finally got a chance to check Internet Explorer 9 on my Vista install at home. The same optional update (KB2607712) is available for IE 9 and resolves the issue.

On a related note, the domain mozilla.com is redirecting to mozilla.org this morning. (And yes, they are still offering Firefox 6.0.1.)

Update (September 6, 19:33 EDT, US): the redirect to mozilla.org is still active, but Firefox 6.0.2 has been officially released and is available from http://www.mozilla.org/ as has been Firefox 3.6.22 (available from http://www.mozilla.org/en-US/firefox/all-older.html).

Among the domains targeted by the SSL certificate thieves are the sites of several intelligence agencies.

According to some sources, the SSL authority’s site may have been breached in May 2011. Others conjecture that the latest hack is a second event, perhaps by a different group/individual.

All in all, the Internet gets scarier every day!

