Google one of many victims in SSL certificate hack

Fraudulent SSL and EVSSL certificates were issued for several dozen other websites

A Dutch company that issues digital certificates used to authenticate websites said late Tuesday that several dozen other websites in addition to Google have been affected by a security breach.

The company, DigiNotar, issues SSL (Secure Sockets Layer) and EVSSL (Extended Validation) certificates, which are validated by Web browsers to ensure people are not visiting a fake website that is trying to appear legitimate.

DigiNotar is what's called a Certificate Authority (CA), an entity that sells digital certificates to legitimate website owners. But DigiNotar issued a digital certificate for the google.com domain, a mistake that could allow a skilled attacker to intercept someone's e-mail.

Google said Monday the fraudulent certificate was used and targeted users in Iran, although a security feature in its Chrome browser detected the certificate, tipping off users with a warning.

DigiNotar, a subsidiary of a security company called Vasco Data Security International, issued a statement on Monday saying it discovered on July 19 during an audit that its infrastructure used to issue the certificates had been breached.

In an interview late Tuesday afternoon, Jochem Binst, corporate communications director for Vasco, said that the attackers created fraudulent certificates for "several dozen" websites. Most were revoked after their discovery, he said.

But the digital certificate for google.com -- which was issued July 10 -- only went live on Sunday, Binst said. In its statement, Vasco said that it was notified by the Dutch Computer Emergency Response Team that it had not been revoked yet. It was finally revoked on Monday, Binst said.

It's not known how attackers breached DigiNotar's certificate-issuing infrastructure or how long they had access, but an audit is under way. "We are in the course of doing an extra audit and those findings will probably be known by the end of the week," Binst said.

DigiNotar is halting sales of digital certificates as it investigates, Binst said. DigiNotar primarily sells its digital certificates to businesses in the Netherlands.

Those businesses will have a hard time over the next few days. Google, Mozilla and Microsoft have revoked or are in the process of revoking DigiNotar's authority to vouch for its certificates. That means that people who go to websites using those certificates will likely see a warning saying the website is untrusted and should not be accessed.

Binst said DigiNotar is contacting its customers. One option to fix the problem is to have those websites switch over certificates issued by the Dutch government, although he could not say which agency would issue those replacement certificates. Another option, Binst said, is to approach the browser makers to make technical changes to honor its certificates.

Binst could not say how many customers DigiNotar has for its digital certificates, but Vasco said in its statement that the subsidiary's revenue from issuing digital certificates was less than €100,000 (US$144,000) for the first six months of this year.

Send news tips and comments to jeremy_kirk@idg.com

Join the PC World newsletter!

Error: Please check your email address.

Tags intrusionGooglesecuritydata breachdata protection

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Essentials

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?