Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
×
Security The Internet IT

(Possible) Diginotar Hacker Comes Forward 215

Posted by timothy from the have-in-my-hand-a-list-of-names dept.
arglebargle_xiv writes "At the risk of burning people out on the topic of PKI fail, someone claiming to be the Diginotar hacker has come forward to claim responsibility: It's the ComodoGate hacker. He also claims to 0wn four more 'high-profile' CAs, and still has the ability to issue new rogue certificates, presumably from other CAs that he 0wns." Whether this claim turns out to be truthful or not, what led to the breach in the first place? Reader Dr La points to an interim report commissioned by the Dutch government (PDF), according to which "a) No antivirus software was present on Diginotar's servers; b) 'the most critical servers' had malicious software infections; c) The software installed on the public web servers was outdated and not patched; and d) all servers were accessible by one user/password combination, which was 'not very strong and could easily be brute-forced.'"
This discussion has been archived. No new comments can be posted.

(Possible) Diginotar Hacker Comes Forward More

(Possible) Diginotar Hacker Comes Forward

Comments Filter:

  • Re:Honest question: (Score:4, Interesting)

    by bill_mcgonigle ( 4333 ) * on Tuesday September 06, 2011 @11:04AM (#37316122) Homepage Journal

    And Mozilla gave these jokers a pass while raking CACert across the coals [mozilla.org].

    That distinction is very instructive as to the real motivations of the PKI industry.

  • The difference between CACert and DigiNotar (Score:4, Interesting)

    by frehe ( 6916 ) on Tuesday September 06, 2011 @01:46PM (#37318064)

    I love this comment from Mozilla's Nelson Bolyard in that thread:

    I have no opinion about the worthyness of the particular CA being proposed in this bug. I don't know who it is yet. But my question would be:

    Does webtrust "attest" to this CA?

    I think that should be one of the criteria. PKI is about TRUST. All root CAs that are trusted for (say) SSL service are trusted EQUALLY for that service. If we let a single CA into mozilla's list of trusted CAs, and they do something that betrays the publics' trust, then there is a VERY REAL RISH that the public will lose ALL FAITH in the "security" (the lock icon) in mozilla and its derivatives.

    We don't want that to happen. If that happens, mozilla's PKI becomes nothing more than a joke. If you want to see mozilla's PKI continue to be taken seriously, you will oppose allowing unattested CAs into mozilla's list of trusted root CAs.

Slashdot Top Deals

With your bare hands?!?

Close