Uh-oh. Digital certificates have been stolen.

Figure: Principle of a public key infrastructure (drawing and description: Chris).

Rough outline: A user applies for a certificate with his public key at a registration authority (RA). The RA confirms the user's identity to the certification authority (CA), which in turn issues the certificate. The user can then digitally sign a contract using his new certificate. The contracting party checks his identity with a validation authority (VA), which in turn receives information about issued certificates from the certification authority.

This could be the start of the unraveling of web commerce.

When your browser communicates with a website over SSL (Secure Sockets Layer) encryption, its address bar shows an HTTPS (Hypertext Transfer Protocol Secure) address, and you assume that the merchant, bank, or agency is who it claims to be. At the heart of HTTPS is a digital certificate issued by a Certificate Authority (CA), which vouches that the public key in the certificate really belongs to the site named in it.

A few months ago, DigiNotar, a small Dutch Certificate Authority, was successfully attacked. The intruders gained control of its certificate-issuing systems and used them to sign fraudulent certificates for roughly 50 websites. Because those certificates chain to a root that every browser trusted, they appear 100% legitimate to an innocent web user. Worse, once DigiNotar discovered the intrusion, it kept it secret for more than a month, quietly revoking some of the forged certificates without telling anyone.

The thieves had big ambitions. Some of the forged certificates were for the CIA, Israel's Mossad, and Britain's MI6. Article: DigiNotar's stolen certificates used to sign forged certificates for domains of spy agencies

The industry takes action

Mozilla responded first by tightening Firefox's certificate handling, and the current Firefox simply refuses to accept any certificate signed by DigiNotar.

Microsoft responded in its latest update, which moves DigiNotar's root certificates into the Windows Untrusted Certificates store, so Internet Explorer 8 no longer accepts any certificate that chains to them.

DigiNotar's root certificates have been pulled from the trust stores of the major players (the Dutch government, Google, Microsoft, Apple, Mozilla, et al.). Any site that holds a DigiNotar certificate will need to buy a new one elsewhere (from VeriSign, et al.). Effectively, DigiNotar has been put out of business. The breach was one thing; not revealing it immediately was unforgivable.

Will this happen again?

This breach shows just how precarious the whole web security structure is. Every CA a browser trusts can issue a certificate for any domain, so the system is only as strong as its weakest CA, and an unreported breach of one is the worst thing that can happen to this house of cards. Certificates have traditionally been fairly expensive, so competition will bring more Certificate Authorities to market, and with more players the chance that one of them is breached goes up.
