On July 10, 2011, DigiNotar.nl (a Netherlands CA) issued a fraudulent SSL certificate for the domain *.google.com, which would be valid for all google.com domains. DigiNotar has not been forthcoming about how the attackers were able to obtain the fraudulent certificate, releasing only a PR statement without any content. This means that more fraudulent certificates may have already been issued or may be issued in the future for *.google.com or other domains. While current indications are that it was used to snoop on Gmail communications in Iran, no one knows where else it might be used or for what other purposes.
Why Do We Care?
Due to the nature of the certificate system, until the DigiNotar.nl CA is completely secured and the details of how the attack was conducted are made public, every SSL-protected website and service in the world is vulnerable.
DigiNotar has been very tight-lipped about the problem. They have issued only one press release about the situation, and what’s in the press release does not correspond to other observable facts, such as the content of their Certificate Revocation List. Swa Frantzen at SANS and Jonathan Nightingale from Mozilla have both written excellent explanations of why DigiNotar’s response has been lacking.
Because so many fraudulent certificates for so many high-value domains were issued (such as for yahoo.com), and there doesn’t seem to be a trustworthy list of the fraudulent certificates, there is a high risk that other sites may have been compromised and the end user would not be able to tell. The biggest risk to most users is identity theft by phishing of passwords. This could then lead to other compromises and eventually financial losses.
In addition, users in Iran and other countries with totalitarian governments should also be concerned that their communications may have been compromised.
A nice writeup and a utility to remove the DigiNotar.nl root certificates from your Mac can be found at http://ps-enable.com/articles/diginotar-revoke-trust