This should provide a wake-up call to the industry.
The major web browser publishers (Mozilla, Microsoft, Google, and Apple) have removed the DigiNotar root certificate from their Certificate Trust Lists, following the theft of 500 of DigiNotar’s certificates. As a result, DigiNotar, a Dutch company, has filed for bankruptcy. This is, while sad, a good thing, because it stresses how important it is that Certificate Authorities remain secure.
Wired Magazine published a good article with details of this affair. According to the article, the username that was hacked was Production/Administrator, whose password was Pr0d@dm1n. This password is only a slight variation of the username, which is a definite no-no. Yes, the password contains upper-case, lower-case, numeric, and punctuation characters, but it could have been guessed, and it’s only 9 characters long. Authorities recommend 12 characters or more. (Read Use Dropbox plus Keepass to store your passwords.) I wrote an article about DigiNotar’s breach a couple of days ago.
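As an added illustration (my own code, not from the original post or the Wired article), here is a small password-policy check that catches exactly the two weaknesses described above: it undoes common letter-for-symbol substitutions and tests whether the password is built from the leading letters of the username’s words, and it enforces the 12-character minimum. The complexity check is included to show that Pr0d@dm1n passes a character-class rule and still fails. The substitution table and the three-letter minimum prefix are my assumptions.

```python
import re

# Assumed substitution table: symbols/digits commonly used in place of letters.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

def normalize(s: str) -> str:
    """Lower-case the string and undo the substitutions in LEET."""
    return s.lower().translate(LEET)

def username_tokens(username: str) -> list:
    """Split 'Production/Administrator' into ['production', 'administrator']."""
    return [t for t in re.split(r"[^a-z]+", username.lower()) if t]

def derived_from_username(password: str, username: str, min_prefix: int = 3) -> bool:
    """True if the normalized password is a concatenation, in order, of prefixes
    (at least min_prefix letters each) of the username's tokens.
    'Pr0d@dm1n' -> 'prodadmin' = 'prod' + 'admin' from Production/Administrator."""
    pw = normalize(password)
    toks = username_tokens(username)

    def match(pos: int, first_tok: int) -> bool:
        if pos == len(pw):
            return True
        for i in range(first_tok, len(toks)):
            for n in range(min_prefix, len(toks[i]) + 1):
                if pw.startswith(toks[i][:n], pos) and match(pos + n, i + 1):
                    return True
        return False

    return bool(pw) and match(0, 0)

def meets_complexity(password: str) -> bool:
    """Classic character-class rule: upper, lower, digit and punctuation present."""
    classes = [str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum()]
    return all(any(f(c) for c in password) for f in classes)

def check_password(password: str, username: str, min_length: int = 12) -> list:
    """Return the list of policy problems; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"too short ({len(password)} < {min_length})")
    if derived_from_username(password, username):
        problems.append("derived from the username")
    return problems

if __name__ == "__main__":
    print(meets_complexity("Pr0d@dm1n"))                            # True, yet:
    print(check_password("Pr0d@dm1n", "Production/Administrator"))
```

The breached credential from the article satisfies the character-class rule but is rejected on both the length and the derived-from-username checks.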
Tech Prognosis wrote a more detailed analysis of the DigiNotar breach, which highlighted DigiNotar’s poor IT practices.
For years, there were only a handful of Certificate Authorities, and there was little price competition between them. Now there are about 600 Certificate Authorities, and the competition is driving down the price of a certificate. I hope that the remaining Certificate Authorities take notice of what happened to DigiNotar and enforce strong internal security practices. We — and our bank balances — will be safer.