The major web browser publishers (Mozilla, Microsoft, Google, and Apple) have removed the DigiNotar root certificate from their Certificate Trust Lists after an intruder used DigiNotar's systems to issue more than 500 fraudulent certificates, including a wildcard certificate for google.com. As a result, DigiNotar, a Dutch company, has filed for bankruptcy. This is, while sad, a good thing, because it stresses how important it is that Certificate Authorities remain secure: a browser trusts every certificate a CA signs, so a compromised CA can mint a valid-looking certificate for any domain, and the only real remedy is to distrust the CA's root, which takes its legitimate customers down with it.
Wired Magazine published a good article with details of this affair. According to the article, the compromised account was Production\Administrator, whose password was Pr0d@dm1n. Undo the leet-speak substitutions (0 for o, @ for a, 1 for i) and the password reads "prodadmin", an abbreviation of the username, which is a definite no-no. Yes, the password contains upper-case, lower-case, numeric, and punctuation characters, but character-class complexity is no help here: password-cracking tools apply exactly those substitution rules to wordlists built from usernames, so a password derived from the account name falls to a targeted guess no matter how many classes it mixes. It is also only 9 characters long; most current guidance calls for 12 characters or more. (Read Use Dropbox plus Keepass to store your passwords.) I wrote an article about DigiNotar's breach a couple of days ago.
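To make the point concrete, here is an added example (my own illustration, not code from the article or from DigiNotar) of a password-policy check that catches this class of password. It undoes common leet-speak substitutions, splits the username into word tokens, and then asks whether the normalized password is built from those tokens or their abbreviations, which is how "Pr0d@dm1n" decomposes into "prod" + "admin". The substitution table, the minimum length of 12 and the 3-character minimum abbreviation are assumptions chosen for the example; a real cracking rule set is much larger.

```python
import re

# Leet-speak substitutions that cracking rule sets routinely undo.  This table is an
# assumption for the example; real rule sets (hashcat, John the Ripper) are larger.
LEET_TABLE = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                            "7": "t", "@": "a", "$": "s", "!": "i", "|": "l"})

MIN_LENGTH = 12        # assumed policy minimum
MIN_TOKEN_PREFIX = 3   # shortest abbreviation of a username token we consider


def normalize(text):
    """Lower-case, undo leet substitutions, and drop everything non-alphanumeric."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(LEET_TABLE))


def username_tokens(username):
    r"""Split 'Production\Administrator' or 'j.smith@example.com' into word tokens."""
    parts = re.split(r"[\\/@.\-_ ]+", username.lower())
    return {p for p in parts if len(p) >= MIN_TOKEN_PREFIX}


def prefixes(tokens):
    """Every prefix of at least MIN_TOKEN_PREFIX chars of every token ('pro', 'prod', ...)."""
    return {tok[:n] for tok in tokens for n in range(MIN_TOKEN_PREFIX, len(tok) + 1)}


def segmentable(text, pieces):
    """True if text can be split entirely into strings drawn from `pieces`.

    Simple dynamic programme: reachable[i] is True when text[:i] can be segmented.
    """
    reachable = [True] + [False] * len(text)
    for end in range(1, len(text) + 1):
        reachable[end] = any(reachable[start] and text[start:end] in pieces
                             for start in range(end))
    return reachable[len(text)]


def derived_from_username(password, username):
    """True if the password is a leet-speak or abbreviated form of the username."""
    tokens = username_tokens(username)
    norm = normalize(password)
    if not norm:
        return False
    # Case 1: a whole token is embedded, e.g. 'Administrator2011!'.
    if any(tok in norm for tok in tokens if len(tok) >= 4):
        return True
    # Case 2: the password is assembled from abbreviations of the tokens,
    # e.g. 'Pr0d@dm1n' -> 'prodadmin' -> 'prod' + 'admin'.
    return segmentable(norm, prefixes(tokens))


def check_password(password, username):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"too short: {len(password)} chars, need {MIN_LENGTH}")
    if derived_from_username(password, username):
        problems.append("derived from the username (leet-speak or abbreviation)")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: the DigiNotar credential from the article and two others.
    for pw in ("Pr0d@dm1n", "Administrator2011!", "correct horse battery staple"):
        print(repr(pw), check_password(pw, r"Production\Administrator") or "OK")
```

The check deliberately ignores character classes altogether: the only questions it asks are whether the password is long enough and whether it can be reconstructed from the username by rules an attacker would try first. Note that a single substitution table is a simplification; "1" can also stand for "l", so a stricter implementation would normalize against several candidate tables.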
Tech Prognosis wrote a more detailed analysis of the DigiNotar breach, which highlighted DigiNotar’s poor IT practices.
For years, there were only a handful of Certificate Authorities, and there was little price competition between them. Now there are about 600 Certificate Authorities, and the competition is driving down the price of a certificate. Every one of them is trusted equally by browsers, so the security of the whole system is bounded by its weakest member. I hope that the remaining Certificate Authorities take notice of what happened to DigiNotar and enforce strong internal security practices. We — and our bank balances — will be safer.


