DigiNotar Goes Bankrupt After Hack
twoheadedboy writes "DigiNotar, the Dutch certificate authority which was recently at the centre of a significant hacking case, has been declared bankrupt. The CA discovered it was compromised on 19 July, leading to 531 rogue certificates being issued. It was only in August that the attacks became public knowledge. Now the company has gone bankrupt, parent firm VASCO said today. VASCO admitted the financial losses associated with the demise of DigiNotar would be 'significant.' It all goes to show how quickly a data breach can bring down a company."
Adds reader Orome1: "This is unsurprising, since a report issued by security audit firm Fox-IT, who has been hired to investigate the now notorious DigiNotar breach, revealed that things were far worse than we were led to believe."
Security is expensive (Score:4, Insightful)
Businesses have a strong profit motive. The people who run businesses are greedy. They will sacrifice everything, including security related expenses in order to boost profits in some way.
I think this is simply obvious.
Re: (Score:2)
And with the numbers on the keypad 1-5 being shiny clean, while the remaining numbers are dirty due to never being used...
Re: (Score:2)
including the janitor.
but how else is he going to empty the trash?
Sorry, I had this argument with my boss a few months ago - about locking up records and bookkeeping stuff. They wanted the GM, me to have the keys and someone suggested giving one to the janitor so he could empty the trash. The fact that I had to explain how bad of an idea that is just kills me.
Re: (Score:3)
You'd be surprised, you're not alone. Yes, even convenience trumps security in a company.
I have seen the "janitor gets access" quite a few times. Even in high security areas. As soon as it would inconvenience a decision maker, security goes out the window.
What amazes me is that you succeeded. (Score:2)
I'm just amazed that you were able to get that concept through their heads. I've been in similar situations where "let us not make this too difficult" trumps real security every time.
How much does a decent password cost? Nothing.
How much does NOT using that same password everywhere cost? Nothing.
Yet we constantly see cracks where the crappy password was used on multiple, critical systems.
Re: (Score:2)
You are forgetting the cost of educating people, so they know why a weak password is a bad idea.
So it doesn't cost nothing.
However, the benefits certainly outweigh the costs.
But that's the problem: they don't see the long term benefits, just the short term costs.
Re: (Score:2)
Asking most people (including me) to remember a bunch of different strong passwords is a crappy idea. User-invented-convenience will trump security in ways that defeat security, every time.
Instead, use a scheme that's convenient for the user but doesn't require a strong password. For example, there are plenty of two-factor auth solutions (from vendors who haven't been pwnt yet). These days, using the user's mobile device itself as one factor -- storing a strong random key on it, and adding a user-select PIN
The problems with that ... (Score:3)
Which cost money to implement.
Which requires that either the person volunteer his personal phone for that or that the company issue him a company phone that supports that.
Again, which costs money.
Re: (Score:2)
Sure, making workable security takes (non-free) effort, no argument there. But if you ask for 16 character passwords, you'll get them written down, self-sent by email, and so on. In practice, making it harder for the user does not increase security, because work-arounds increase proportionally.
> Which requires that either the person volunteer his personal phone for that or that the company issue him a company phone that supports that.
OT, but does any company still pay for phones? I thought those were gone the way of the company car. Work phones virtualized on personal phones are my bet for the future.
So? (Score:2)
First off, I can easily remember my passwords. Even the ones that are more than 16 characters long.
Secondly, if you cannot, what's wrong with writing them down and keeping them in your wallet?
No. The point was that it will ALWAYS be easier for the user to ignore the security (if that is an opt
Re: (Score:2)
That's amazing. I've got the same combination on my luggage!
Re: (Score:2)
Space Balls :-)
Re: (Score:3)
This may be true, but DigiNotar wasn't the victim of some elite cyberhacker genius, the attacks used against them were relatively simple and, most importantly, preventable. Frankly, considering how they handled the situation and how much other forms of security rely on these certificates not being compromised, they deserve to go out of business. Let this be a lesson to all of the CA's out there - your security is of paramount importance.
Re: (Score:2)
Then why bother with CAs? Why not just use the law to handle these sorts of things?
911 operator: How may I assist you? /Me: I need to do some banking over the internet right away, and I don't trust the CAs to securely issue certificates. /Me: Can't I just use http:// and if a bad guy steals my account, you catch him, right?
911: Sir, all banks use certificates. Just type https:// and trust your bank.
911: Sir, there aren't enough police to catch every on-line bank hacker if nobody bothered to protect their communications. I also have real emergencies to deal with now, so you'll have
Re: (Score:2)
Do you leave your doors unlocked? Why not just leave your doors open and use the law to handle these sorts of things?
Simple: you put up rudimentary security to dissuade opportunists (the vast majority of low-level criminals, in my estimation), and even the more seasoned criminals who look for value for difficulty. If you have more security than value, you'll be skipped. If you have more value than security, you'll be targeted. Eventually.
By limiting police resources to only situations where value is mor
Re: (Score:2)
> Businesses have a strong profit motive. The people who run businesses are greedy.
In the case of this security firm, (yes, they were a security firm because selling certificates is participating in the security business,) insecurity has proven to be the ultimate risk to not only profits, but to their investments as well.
I only hope that the employees of other security firms will email copies of news articles like these to their management and investors. "If you don't take security seriously and fund it appropriately, you will go bankrupt."
Re: (Score:2)
As with the case of the financial crisis, taking large risk is nothing that business is concerned about these days. Shareholders are only interested in short-term gains and micro-second investments and transactions. "Long term goals" has been removed from the dictionary. The SEC has long since had regulations in place to prevent excessive risk-taking... and once those regulations had been pulled back, increased risk taking occurred which led to the crash we all witnessed and have been feeling all this ti
Re: (Score:2)
That's overly cynical. Most of the day-to-day activity in stock trading is very short term (which only stands to reason), but most stock ownership is long term, controlled in mutual funds and pension plans by managers who do care about risk. You can see the results of this in the market: day-by-day everything moves by fashion, but year-by-year companies with long-term plans tend to do markedly better - it's just nearly lost in the noise of the day-to-day price changes.
Not really. (Score:2)
Not really. It does cost more than NO security but not much more. Example, how much does it cost you to have a decent password instead of Password1?
Yes and yes. But that isn't the core of the problem. Greedy people can have the best security. They don't want criminals to take their money.
In some case yo
Re: (Score:2)
Just as important, security is invisible. People who run businesses don't understand things they can't see, and certainly don't understand spending money on it.
Or, possibly, only understand spending money on it. We spent a lot of money on that TEMPEST protected room....doesn't that mean security is dealt with and we can stop worrying about it? It doesn't cost a lot of money to use a better password.
Bankrupt? (Score:4, Informative)
How do you go bankrupt before any charges have been laid, fines levied, etc.? Sounds like the parent company ditching them before they can be held liable.
Re:Bankrupt? (Score:4, Insightful)
Good point. On the one hand, they deserve to go bankrupt for failing at the one thing that justified their existence, but dumping the corpse before it can be properly examined smells iffy.
Note that you don't have to be charged with anything to go bankrupt, though. When all your customers leave, you suddenly have no revenue, but you still have your costs. And since it's obvious to everybody that DigiNotar will go bankrupt anyway, nobody loans them money, they quickly lack the money to pay salaries and other costs, and suddenly they're bankrupt.
Re: (Score:3)
Diginotar can be expected to have basically zero income, and a bunch of expenses, in the near future; but (from VASCO's 2010 annual report)
"In January 2011, we acquired all of the intellectual property of DigiNotar Holding B.V. and its subsidiaries and acquired 100% of the stock of DigiNotar B.V. and DigiNotar Notariaat B.V. (collectively, “DigiNotar”), each a priva
Re: (Score:2)
That's what limited liability means, I'm afraid. Though with the recent mess in mismanaged corporations, I'd say it sounds reasonable if the limitations to liability were to be reduced somewhat. In other words, people and corporations should be held accountable, and indeed pay, if they cause big problems like these.
Re: (Score:2)
Something I've never understood: exactly what benefit does the community gain from allowing limited-liability companies? If someone is free to establish a limited-liability corporation, and it goes broke owing lots of money to others, why should they be allowed to keep their own assets and, if they want, go on to start another such company?
I'm sure there must be a reason we allow this, but for the life of me I can't think of one.
Re: (Score:3)
In most countries (afaik but I'm not an accountant/lawyer with international experience) there are restrictions.
Especially the first months/year a company starts, the people who run it can be held personally liable.
So don't think of starting a company, getting loans from a bank, increasing debt by not paying your suppliers, and just declare yourself bankrupt after a few months and get away with it. If your business plan wasn't well defined and you didn't raise enough initial (own) capital to survive 1 or 2 ye
Re: (Score:2)
Thank you. I figured there had to be a reason.
Interestingly, the "fortune" at the bottom of this page has:
> If you are smart enough to know that you're not smart enough to be an Engineer, then you're in Business.
Re: (Score:2)
Imagine that you are a small-time investor. You see that a company called Enron seems to be doing well, but as a small investor, you have no idea that there is anything fishy going on. So you buy a few shares of Enron. Suddenly Enron implodes, and you lost your investment. Now, the people that were owed money by Enron (employees, for example) sue you because there is no limited liability. Not only did you lose your inve
Re: (Score:3)
> I can understand at least the logic (if not necessarily the wisdom) of limited-liability-corporations as a vehicle for tiny stockholders to not take on outsized risks through holding minuscule slices of a large venture over which they have little or no control
That isn't the reason behind limited-liability-corporations. They are vehicles to provide limited liability without regard to who the shareholders are. Without checking or doing any research I'm going out on a limb and claiming that there are more LLCs that are 100% owned by 5 or less people than there are owned by more than 5. (Almost every IT person doing consulting jobs incorporates, as do most plumbers, electricians, etc who work for themselves, and so on).
There are costs with those benefits - the entity
Re: (Score:2)
There is a certain logic to limited liability ventures in situations where you need large numbers of (relatively) small investors with limited control over the venture in order to accomplish some end(and, back when establishing an LLC required
Re: (Score:2)
Such a usage persists because without it the risk of running a business would be far too large for most people. But yes the businesses that do run would go bankrupt less often - the price you pay for that is reducing GDP to 1/10th (completely made up) of what it is now. Most people won't take that trade.
And incorporating doesn't insulate you from losses it limits losses to what you have invested. If some third party is willing to loan a company too much money that's their problem - they knew the deal when the
Re: (Score:2)
"... The acquisition expands the technological breadth of our product line by expanding our abilities to offer PKI technology throughout the product line."
It'll be very interesting watching VASCO in the future, given this fiasco. Are heads at VASCO going to roll considering their abysmal research prior to acquiring DigiNotar? Did they even have any technical people ride along with DigiNotar's operations staff prior to signing on the dotted line? Will the board of directors keep their seats (and if so, why)?
Ya gotta love it when doofuses are shown to be such, live and in Technicolor, splashing their incompetence onto the headlines world-wide. Evolution in
Re:Bankrupt? (Score:4, Interesting)
You have commitments like rent, wages and other expenses and suddenly no more projected income. Even if you're not cash flow insolvent yet, you can in most countries file for bankruptcy the moment it is clear that you will be unable to meet those commitments. In fact, in many countries you must do it so that all debtors get their fair share of the assets rather than the quickest getting paid and the last left with nothing. It's not that usual but if you suddenly lose your core business like this company did then that can be instant bankruptcy.
Re: (Score:2)
A company doesn't have to have no money today to be insolvent. I don't know Holland, but here in the UK your company will be insolvent if it knows it can't pay its bills as they come due, even if they're not due today. Any company will have long term contracts - to pay salaries/redundancy, to pay suppliers, etc. IANAL, but IIRC once insolvent, you have a duty to act in the best interest of your creditors (and not your shareholders) and not to treat any preferentially (pay your friend but not your employees,
Re: (Score:2)
1. Cheap security, sell certs
2. Get hacked, face huge liability claims
3. Transfer all money to parent company
4. Close shop
5. Profit $$$
Conclusion: If a CA can declare "bankruptcy" so simply, without having enough money to face liability, the certs of such a CA are worth nothing. We shouldn't trust those CAs in the beginning. What about a mandatory liability insurance for CAs? The insurance will check that you operate securely, I bet ...
Alternatives? (Score:1)
Re: (Score:1)
What are you using certificates to secure?
If you are just shopping, why worry about it?
If you are securing communications that are important to a business or something, you can build your own certificate chain (meaning you can set it up so that hackers would need to break into a safe or whatever, not some internet connected computer), and so on.
Re: (Score:2)
As long as your business partner is also a company, this might fly. If you're selling to a lot of computer illiterates (like, say, banks trying to convince their customers to use the internet for banking so they can fire a few more clerks), trying to explain to them what constitutes a trustworthy certificate will probably mean higher expenses than keeping the clerks.
Convergence (Score:2)
Some say Convergence [youtube.com] is the answer [convergence.io]. I haven't been able to make it work, personally, so it's probably not ready for prime-time. Also, I don't like the name.
Re: (Score:2)
You can't use the same path to verify someone's identity as you used to find out about the identity in the first place.
Say for example that you encounter a man that claims to be a police officer. To verify this you could ask about some kind of paper verifying the man's identity but if he is a criminal that poses as an officer it is very likely that the paper verifying his identity also is falsified.
A much better method would be to call the police station and ask them to verify that the police officer in question actually exists and is at your location.
If you want to verify that a website actually is what it claims to be you might need to call the ISP the website uses and ask them.
Using Skype, of course.
Re: (Score:2)
No, the cell I use to access their website. Duh!
Good. (Score:1)
Not that it repairs the fuckup, or that anyone else will learn from it, but at least the incompetent got what was coming to them, just this once.
Re: (Score:2)
Low-level incompetents (along with their competent but low-level peers) tend to go down with the ship; but people with enough power to cause really systemic fuckups are often first to the lifeboats...
In Diginotar's case, the sheer scale of the fuckuppery sugg
Re: (Score:2)
There's a reason for this: These companies are shells. There's no need to make them secure, they're in the name of Canary M. Burns and if the shit hits the fan, the Canary gets to croak while the next shell is created.
Give it a week or two and we'll see a new company take over, that miraculously is somehow connected to the parent of DigiNotar.
What else do you expect? (Score:2)
With major browsers having kicked its CA cert out of the trusted list, the CA by definition and practically could generate no profit...
What else do you expect, huh? Of course it could only get closed!
Re: (Score:2)
It's not like you could import trust for a dime a dozen from China.
If you pull the right strings, CNNIC will gladly cross-sign your root key. It will cost you more than 10/12 cents, though.
Re: (Score:2)
Only if they create a new root, most browsers completely blocked the CA even as a sub-CA.
Re: (Score:2)
Also with their CA pulled - anyone with a cert from them (legit) could go after them to foot the bill for a cert on a competitor. I bet that's the main reason for filing bankruptcy, so they don't have to pay customers back.
I do love how the "parent" company says losses will be high. They are going to write off/avoid the brunt of the "losses" when they file bankruptcy for the sub company.
Re: (Score:2)
Close down yes. Bankrupt, not so fast. If they can't survive even weeks without income and have no choice but to go bust leaving behind large debt (as is suggested in the article) their business was not financially sound at all. Which in turn may explain why they did not take the safety measures they should have taken.
Re: (Score:2)
Continuing without income means burning through cash which could otherwise be distributed to creditors. Unless that's somehow going to make things better for creditors that's unlikely to be allowed. If they either had some reasonable prospect of recovering their business, or had enough cash to pay all of their redundancy payments, all of the future payments on their long term contracts, etc. then they could have chosen to continue. If not, then it's quite possible (I don't know the local law) that they're r
teach 'em a lesson (Score:3, Informative)
Lesson learned: if you are a CA, under no circumstances should you allow any breaches to become public.
Re: (Score:3)
Quite the opposite: If you're a CA, don't even try to hush it up since it WILL get out and then any semblance of trust (which is your ONLY asset as a CA) is destroyed.
Look at Comodo for how to do it right. Yes, they fucked up too, and they will get some heat for that, but they're nowhere near being kicked out of the trusted CAs list of any browser.
If you notice a breach, you can actually react properly and easily fix it by NOT covering up but by coming forwards with it. The expense to recover from a breach
Re: (Score:2)
Or Verisign, who managed to lose Microsoft's Code Signing certificate. Didn't get in too much crap for that...
Re: (Score:1)
Exactly, Comodo stepped up, announced the problems they had, and kept folks informed of changes they made as a result of their breach. They are still in business, and may actually be seen as more trustworthy as a result.
Re: (Score:2)
I think you missed the parent's point (or joke) and I think he was being ironic. I believe he meant that all CA's will learn from this is that the company should never, ever reveal that they've had a data breach.
Of course he's joking. Any company that tried to keep secret that their certs server was hacked in any way, shape or form would be subject to extortion and other legal liabilities.
Re: (Score:2)
Yes I agree with you all, covering it up made things worse for DigiNotar, but that doesn't mean the execs in charge of some of the CA's won't take away the lesson of keeping mum.
Re: (Score:2)
That would be a pretty dumb thing to learn from this. I don't think very highly of managers, but that would even be stupid for the average BA degree holder.
Something like this WILL get out sooner or later. Either the hacker gloats or one of your techies will blab. You have exactly zero chance to hush something like this up in the long run. Sure, a manager could think in the usual quarter-report nearsightedness (did I mention that I consider them having the long term memory of goldfish?), but after THIS fal
Misplaced paranoia. (Score:5, Interesting)
My favourite part of the article:
> We have strong indications that the CA-servers, although physically very securely placed in a tempest proof environment, were accessible over the network from the management LAN.
TEMPEST http://en.wikipedia.org/wiki/TEMPEST [wikipedia.org] is a method where you intercept EM radiation from a computer and use that to reconstruct some information about what that computer is doing. For example the US government could supposedly read CRT monitors from a fair distance away.
However, worrying about TEMPEST protection when you not only have those systems connected to systems that are connected directly to the net, but use a single management username and password combo for your entire network is just insane. Even if the system wasn't connected to the Internet the freaking janitor could have placed a key-logger and had access to the entire system.
It is far cheaper to bribe one employee than spend millions setting up a modern TEMPEST system. I guess even the Dutch practice security theatre.
Re: (Score:2)
> For example the US government could supposedly read CRT monitors from a fair distance away.
That is not very impressive, since the glow from a CRT is enough to reconstruct the image on the screen, and Ross Anderson's book describes how less than $1000 of equipment is enough to pick up stray emissions from a VGA cable and reconstruct the image from a neighboring building.
Re: (Score:2)
I'd guess a simple and effective countermeasure against that is to have say a hundred monitors present in the same room as the one you try to secure, and have them just showing a screen saver or so. Some that move, others that are mostly static, whatever. Good luck filtering the signal of one monitor out of that!
Re: (Score:3)
> That is not very impressive, since the glow from a CRT is enough to reconstruct the image on the screen.
I do this every day using organically grown Eyeball technology, in fact.
Re: (Score:2)
I can only assume that having good authentication is hard, boring, and forces people to remember stuff, while getting to open the Big Serious Door and walk into your (probably sold by the vendor as "military grade") TEMPEST datacenter, with all the blinkenlights, involved no ongoing effort after the initial install and gave everyone involved
Re: (Score:2)
I think they were acquired only recently.
Re: (Score:2)
I thought a part of TEMPEST was that the machine could not be connected to a LAN except to other TEMPEST machines... ISTR that our tempest machines had removable drives that were stored separately in a safe and only inserted when the machine was booted. No LAN connection was allowed at all outside the room.
Re: (Score:2)
Want to bet that some ISO 27k auditor wanted the Tempest-proof environment and didn't care about the single user/pass access?
And here I wonder why security auditors have such a bad name...
Deserved, but the real problem stays (Score:3)
DigiNotar got what it deserved.
However, the real problem stays: There are hundreds of CAs out, which are trusted by default by your browser. You probably never heard about most of them. They operate in different countries - you cannot sue them easily from your country. All of them can (technically) also issue certs for all Web sites (even for Web sites that have an existing cert from somebody else).
The whole CA system is broken. I would rather like to trust only CAs that have earned the trust. E.g. CAs that have been validated by my bank for online payments (but not for my email).
Re: (Score:3)
> However, the real problem stays: There are hundreds of CAs out, which are trusted by default by your browser. You probably never heard about most of them. They operate in different countries - you cannot sue them easily from your country. All of them can (technically) also issue certs for all Web sites (even for Web sites that have an existing cert from somebody else).
That's not the real problem. The real problem is that what happened to Diginotar could happen to a really big CA, and then removing it from the browser breaks half the web.
Re: (Score:2)
> > However, the real problem stays: There are hundreds of CAs out, which are trusted by default by your browser. You probably never heard about most of them. They operate in different countries - you cannot sue them easily from your country. All of them can (technically) also issue certs for all Web sites (even for Web sites that have an existing cert from somebody else).
> That's not the real problem. The real problem is that what happened to Diginotar could happen to a really big CA, and then removing it from the browser breaks half the web.
Well, it can only happen to CAs, which do not know security (and since we have hundreds of them in our browsers, it is very likely that there are others that are as bad as DigiNotar). However, reducing the number of CAs is not a solution, as this will just elevate the risk for each security breach at a CA. The only solution is to delegate the "trust" relationship in a way that it is economically VERY interesting that the delegate checks the trustworthiness of the CA. E.g. your bank for certs that are used for on
Re: (Score:3)
> The only solution is to delegate the "trust" relationship in a way that it is economically VERY interesting that the delegate checks the trustworthiness of the CA. E.g. your bank for certs that are used for online payments - if the (by the bank trusted) CA fails, it's the bank that pays the damages. Unfortunately, I do not have yet an idea of certs used by "free" Webmail (e.g. gmail).
You got the problem completely wrong. Let's say my bank is highly knowledgeable, they figured out that there are 10 CAs they can trust one hundred percent and the others are a bit dodgy, and they use one of the 10 CAs that are hundred percent trustworthy. The problem is that any of the dodgy CAs can create a certificate for the bank's website that will be trusted by your browser until it is found out and revoked, without the bank being involved at all. And of course the victim of a hack will not be in contac
Re: (Score:2)
> > The only solution is to delegate the "trust" relationship in a way that it is economically VERY interesting that the delegate checks the trustworthiness of the CA. E.g. your bank for certs that are used for online payments - if the (by the bank trusted) CA fails, it's the bank that pays the damages. Unfortunately, I do not have yet an idea of certs used by "free" Webmail (e.g. gmail).
> You got the problem completely wrong. Let's say my bank is highly knowledgeable, they figured out that there are 10 CAs they can trust one hundred percent and the others are a bit dodgy, and they use one of the 10 CAs that are hundred percent trustworthy. The problem is that any of the dodgy CAs can create a certificate for the bank's website that will be trusted by your browser until it is found out and revoked, without the bank being involved at all.
No, the idea is that you only trust the CAs that have been trusted by the bank and not the dodgy CAs (so no more default lists of hundreds of "trustworthy" CAs). Did I explain it that badly that this was not obvious?
Re: (Score:2)
At the same time we have too many trusted CAs I've heard others claim.
Hogwash
Big CAs can use multiple intermediate keys to spread the risk. Browser and OS vendors are the first link in the chain of trust, they have more than enough sway to demand levels of risk acceptable to them. You are the next link, complain to your browser / OS vendor and raise a stink. They'll demand stronger audits or contracts. Money talks folks.
There's nothing wrong with a chain of trust, or you wouldn't be trusting anything el
Re: (Score:2)
For example, CAs would need a higher reputation than that of sites and services.
This model won't work with the existing CA business model, however.
Idiots (Score:4, Interesting)
> We have strong indications that the CA-servers, although physically very securely placed in a tempest proof environment, were accessible over the network from the management LAN.
It is at once hilarious and depressing that there are tech and security managers who take steps to shield equipment from electromagnetic detection and then leave that equipment open to remote access. Wrap your computer in tinfoil and then stick your password on the screen.
Filing for bankruptcy or gone bankrupt (Score:2)
> would be 'significant.'
I think they are filing for bankruptcy while they still have money in their pockets to avoid lawsuits as opposed to gone bankrupt. I believe "gone bankrupt" means they are broke and giving up.
Hate to say it (Score:2)
I have said so many times that we are not strict enough on punishment for the cyber crimes that affect companies, this should prove as a perfect example why certain individuals that bring down a company due to their hacking ventures, should face proper penalties.
Monopoly €1000 certs, that's a not a biz mode (Score:3)
can fix. Also amazing how complex CA authority has become. The concept is fairly simple, but the niceties of the trust bits have become so arcane that Mozilla is having to fix erroneous understandings of the bits in their own code, without breaking legacy. Then the people working on security code have highly resistant personalities and so all kinds of nonsense gets frozen in for years. They sort of have to be that way, to keep their code gov't certified... what a mess. Crowd-sourced verification of self-signed certs is starting to sound better & better.
The practical results of the way the code works at least at Mozilla were mystified complaints about the fake revoked DigiNotar certs put in Mozilla to block real fake certs! That is not a model for the future. They are working on it, but it's glacial.
Re: (Score:2)
Monopoly €1000 certs, that's a not a biz model you can fix. Someday I will understand Slashdot editing.
Google pointed out the REAL reason for the attack (Score:2)
which was carried out by the hacker-soldiers of the government of Iran for the purposes of identifying the 300,000 Iranians that radical fundamentalist Theocracy wants to muzzle. In other words, state sponsored terrorism.
Re:Comodo (Score:5, Informative)
Mostly because they caught the intrusion (which was at a 3rd party rather than directly part of Comodo) and reported it immediately as well as putting in place measures to try and prevent it from happening again.
DigiNotar didn't notice that they'd been hacked for months and didn't tell anyone for months more and even then they didn't know how badly they'd been hacked or exactly which certs may have been issued to whom.
Re: (Score:1)
this. all the issue is not in the breach. that kind of stuff happens.
what should never ever happen is a certification authority, who live on trust, trying to cover the shit up.
Re:Comodo (Score:5, Informative)
That, and Comodo's core infrastructure (e.g. the stuff that actually does the signing) wasn't compromised.
The attacker used the compromised third party to issue certificates through the normal channels made available by Comodo to resellers, so it was possible to determine exactly what certificates were issued erroneously.
At least that was my understanding of what happened, based on information I read several months ago.
Re: (Score:2)
Re: (Score:2)
Having done business in NL for 30 years myself I bet that DigiNotar management has already incorporated a new company which will be selling the same/similar products to the very same Dutch government that allowed kept DigiNotar alive.
As this cartoon [foksuk.nl] has already pointed out ("Don't worry folks, we'll be back in three months under a new name").
Re: (Score:2)
Then who can you trust?
on the internet? ... nobody.
Re: (Score:2)
Then it ain't time for government bailout but for government finally issuing some "hang-em-at-their-balls" laws for CEOs that try to hush up security breaches. The current ones are a weak joke, the fines aren't even remotely anywhere near the damage if it gets leaked somehow. And last time I checked, the fines should be a multiple of the damage of the leakage, or the formula "benefit vs. risk*fine" falls flat on its face and hushing up is the sensible thing to do.
Re: (Score:2)
Any CA trying to cover up a breach will go down the same path as DigiNotar.
What makes you so certain that a CA who publicly acknowledged a breach would not also immediately die in a meltdown? There is no evidence that honesty in a similar situation would save a CA.
If Digital Signature Trust Co.* were to publicly announce "We discovered just this morning that we have been breached, and while we can't give complete details because of the ongoing investigation, we found the hackers forged Google certificates," the public reaction would be almost identical to that of DigiNotar. If
Re: (Score:2)
No, it would not. Look at the Comodo breach in March.
Re: (Score:2)
I would disagree. Comodo is safe as long as everyone and their dog resells their products. Even more so since these people don't disclose whose SSL they are reselling.
Re: (Score:2)
"The first one anyone can do in two minutes, including the time to download GPG."
Well, probably not you. Because GPG is not used for generating certificates.
Re: (Score:2)
I think it's quite legitimate to say you can generate a random private/public key pair with GPG. That's kind of the point of it.
Re: (Score:2)
Try IT security. You'd be amazed what kind of prestidigitators peddle in my profession. They come in, pull off a "demonstration" with a lot of smokes and mirrors and wow people into buying their crap. I've come to a lot of companies who showed me their latest and greatest security systems with unhidden pride, only to throw a tantrum when they get to see it shatter.
It's really disheartening. Anyone who has ever managed to get nmap to produce some output other than the help page considers himself a security p
Re: (Score:2)
IT is almost always the most underfunded department in a company. It is also the department whose requests are most frequently and easily overridden by either executive mandates or other departments. Since in most cases IT's efforts are not directly what the company produces ("we sell toasters and vitamin pills, not authentication mechanisms!"), IT spending is seen as a necessary evil, and IT intervention in company processes is met with resentment. Note: IT people saying "you're too stupid to understand wh