|Welcome Guest! Login|
Time-line for the DigiNotar hack
Networking4all collected all the news they could find about the DigiNotar hack that happened over the past few months. In this time-line, we created an overview of the most important events. If you come across a mistake or have an addition for this time-line, we would love to hear about it. We will update this page daily.
The Dutch company DigiNotar issued hundreds of falsified certificates since the beginning of July. DigiNotar only noticed this hack weeks after the fact and revoked a number of false certificates, but did not notify anyone. Since the 4th of August, hundreds of thousands of Iranian computers were fooled into thinking they were connecting to Google. The security of certificates for the Dutch government could also no longer be guaranteed. An investigation into the matter revealed that DigiNotar's own security was severely lacking.
DigiNotar, established in 1997, was recently (10th of January 2011) taken over by the American security company VASCO. DigiNotar issues security certificates, mostly to government agencies.
6th of June, 2011
Possible first attempts to gain access to the Dutch Certificate Authority DigiNotar (source: Fox-IT report).
17th of June, 2011
Several of DigiNotar's servers are hacked (source: Fox-IT report).
19th of June, 2011
A hack into Diginotar's computer system is detected (source: Fox-IT report).
10th of July, 2011
The first false SSL Certificate is created (source: Fox-IT report).
19th of July, 2011
DigiNotar issues the certificate for *.google.com which will later be used for a man-in-the-middle attack in Iran (source: Fox-IT report).
22th of July, 2011
DigiNotar starts an investigation into the hack
More than a month after the hack, DigiNotar orders an external company to start an inquiry into the attack. The decision is made to hush up the attack and the crime is not reported (source: Fox-IT report).
27/28th of July, 2011
The fraudulent SSL Certificate for *.google.com is used for a man-in-the-middle attack in Iran (source: Fox-IT report).
4th of August, 2011
From this moment, the fraudulent SSL Certificate for *.google.com is used in a large-scale man-in-the-middle attack in Iran. This will be proven in the research report from Fox-IT (source: Fox-IT report).
27th of August, 2011
The falsified certificate on gmail.com is discovered by an Iranian
After a month, an internet user from Iran discovers that gmail.com is operating under a false certificate. The discovery is made thanks to a security warning from his Google Chrome browser. This person makes note of this on a Google forum. The SSL certificate was created on the 10th of July, 2011.
29th of August, 2011
Hack detected on Mozilla
The hack is discovered on the Mozilla forum. Paul van Brouwershaven and Adam Langley notify DigiNotar. At first, the forum thread is closed for public view.
Govcert.nl, the organisation that provides support in computer safety for government agencies in The Netherlands, is notified of the situation by its German counterpart, CERT-BUND. Govcert notifies DigiNotar.
DigiNotar admits the attack on their systems
After the creation of the false SSL Certificate becomes known to the public, DigiNotar cancels the SSL Certificate for *.google.com. DigiNotar admits the attack on their systems. By ways of, among other measures, an audit performed by an external party, they cancel all the discovered fraudulent SSL Certificates. Unfortunately, the SSL Certificate for *.google.com “slipped through”. DigiNotar issues both SSL Certificates and SSL certificates for PKIoverheid (PKIgovernment). The statement is issued that the PKIoverheid certificates were never in any danger because they are completely separate. Parent company VASCO states that the situation is of little impact on their company. Not a word is spoken about the possible effects of the creation of the false SSL Certificate.
30th of August, 2011
Gmail users monitored
Word gets out that Gmail users have been monitored by the Iranian government through the use of the false SSL Certificate that was issued by DigiNotar. Another investigation into DigiNotar is started by the security company Fox-IT. DigiNotar issues a press release about the security breach.
DigiNotar has been hacked before
Evidence is found that the DigiNotar portal has been hacked in the past. The oldest still visible hack dates back to 2009. However, there is no evidence that these previous hacks are connected to the recent hack.
Companies remove CA from their browsers
Microsoft, Mozilla and Chrome all declare that they will remove DigiNotar from their browsers. DigiNotar issues many SSL Certificates to government agencies, among which the SSL Certificate for DigiD.nl. In the latest test version of Firefox, the SSL Certificate for DigiD was already no longer operative. Both DigiNotar as the PKIoverheid certificate issued by DigiNotar were no longer considered safe.
Logius indicates that PKIoverheid certificates are considered safe
Government agency Logius, a subdivision of the Home Department, indicates that the PKIoverheid certificates issued by DigiNotar are still considered safe. There is no reason to assume that fraudulent PKIoverheid certificates having been issued by DigiNotar, including the certificate for DigiD. This process is completely separate from the creation of the normal SSL Certificates by DigiNotar. The removal of DigiNotar from Firefox and Internet Explorer would have no consequences for the PKIoverheid certificates that were issued by the company under the Staat der Nederlanden Root CA (Dutch Government Root CA). Logius declares that these certificates are still considered safe.
31st of August, 2011
Google launches the new version of Chrome (13.0.782.218) in which the Dutch Certificate Authority DigiNotar was removed from the browser. This appears to not have any consequences for DigiD. The Dutch government managed to talk the browser companies into only removing the CA DigiNotar and not the PKIoverheid certificates issued by DigiNotar. This happened while there was still no certainty whether the hacker(s) had access to the creation of PKIoverheid certificates.
Already 247 fraudulent SSL Certificates issued
In an analysis made by the latest version of Chrome the total number of discovered fraudulent SSL Certificates is 247. This contradicts earlier statements by DigiNotar, who claimed that only 'dozens' of fraudulent SSL Certificates were issued.
The security company Fox-IT will publish the results of their investigation as soon as possible.
1st of September, 2011
Advice: completely ban DigiNotar
Dutch senior virus researcher Roel Schouwenberg of the Russian anti-virus company Kaspersky Lab indicates that the Dutch government should follow the lead of Microsoft, Mozilla and Google by completely banning DigiNotar from the PKI-chain. Security experts have been calling the situation 'worrisome' all week.
Multiple large sites targeted
It is claimed that besides Google, other large websites were targeted, among which yahoo.com, mozilla.org, wordpress.org, torproject.org, and the Iranian blogging platform Baladin, as well as addons.mozilla.org and Windows update. It is also officially confirmed that the Tor Project was targeted. The Tor Project disagrees with the agreement made between Mozilla and the Dutch government.
Logius sends email asking for inventory government agencies
The government agency Logius sends an email to government agencies requesting an inventory of the consequences should all PKIoverheid certificates issued by DigiNotar be revoked. According to the email, there is no indication that the PKIoverheid certificates from DigiNotar were targeted. However, an inventory was already being made as to the consequences if all DigiNotar PKIoverheid certificates were to be considered unsafe.
2nd of September, 2011
PKIoverheid certificates issued by DigiNotar completely revoked after all
There is talk of preparations of an update by the browser companies to revoke the DigiNotar PKIoverheid CA, depending on the investigation that is currently being held. This will affect many Dutch government websites and services.
The government begins to recognise the gravity of the situation and an item on the subject is shown on the NOS News.
The right-wing political party PVV issues several official demands to the Secretaries of State for Defence, Foreign Affairs, Home Department and Justice about the 'blunder at DigiNotar'.
Liable for negligence
It is investigated whether DigiNotar can be held liable for negligence.
3rd of September, 2011
DigiNotar loses vote of confident from government
Minister Donner states that the security of hundreds of government websites cannot be guaranteed and that the government has lost confidence in DigiNotar. Political party PVV wishes to know what the consequences will be for DigiD and other electronical services.
Investigation Fox-IT, security is severely lacking
The investigation by Fox-IT shows that DigiNotar dropped the ball on several occasions and that its own security was severely lacking. The claim made by DigiNotar that there are two separate systems for the creation of their own SSL certificates and the PKIoverheid certificates proved to be false. These were connected to the same network. This means that the possibility that PKIoverheid certificates were compromised cannot be excluded. A solution is found in the immediate replacement of all DigiNotar certificates to other PKI certificates.
New version Mozilla Firefox
Mozilla will also remove the PKIoverheid certificates issued by DigiNotar from Firefox, which will cause problems when using a large number of government websites, DigiD.nl included. Mozilla states to not trust DigiNotar to be able to confine the problem.
New version Google Chrome
Google also published the latest version of Chrome (13.0.782.220), which also marks the PKIoverheid SSL Certificates issued by DigiNotar as unsafe.
Consequences of internet monitoring of 300.000 Iranians
The NOS stated earlier that the attack was done by Iranian hackers. Further investigation shows that the falsified certificates could have serious consequences for 300.000 people in Iran, because their internet was monitored.
4th of September, 2011
Microsoft also decides to exclude the DigiNotar PKIoverheid SSL Certificates from their browser as a safe CA.
VNO-NCW appeals to 'not trust DigiNotar'
VNO-NCW, Hollands largest business organisation, warns all businesses to replace their DigiNotar security certificates with certificates from other authorities. Govcert, the Dutch government's Cyber Security and Incident Response Team, approves of this advice.
Government warns for tax declarations
The government warns people to not use the digital forms for tax declarations when their browser gives a warning. With this, the government neglects the fact that an SSL Certificate warning in the browser does not guarantee anything since the hackers want their certificate to appear legitimate. Only a browser update will give guarantees.
Connection to previous attacks on other CAs
Messages left behind by the hackers indicate a connection between the attack on the Comodo resellers earlier this year and the attack on DigiNotar.
5th of September, 2011
Microsoft: "Windows Update is safe"
Windows states that the certificates issued by DigiNotar for *.microsoft.com and *.windowsupdate.com do not form any danger to the safety of Windows users.
VASCO denounces DigiNotar
In a statement issued to its investors, VASCO formally terminates its bonds with DigiNotar.
Mozilla gives advice to Iranians: "update passwords"
Mozilla gives the advice to Iranians to not only update their browsers, but to also update their passwords.
Letter to House of Representatives
In a letter, the Secretary of State for the Home Department informs the House of Representatives of the digital attack on DigiNotar and the report on the situation by Fox-IT.
6th of September, 2011
21-year old student claims hacks
A 21-year old student who previously hacked SSL-producer Comodo, claims to also be behind the attack on the Dutch company DigiNotar. On the website pastebin.com he claims responsibility for both the hacks on DigiNotar and Comodo, as well as the attack on Startcom. The hacker, who operates under the name Comodohacker, claims in his plea that he still has access to four other major Certificate Authorities. This would allow the Iranian hacker, according to him, to still be able to generate false certificates.
Windows update postponed
By request of the Dutch government, Microsoft has postponed the publication of the update that would completely remove DigiNotar from Internet Explorer with one week, and only in The Netherlands. This update will be published worldwide. This will allow the government more time to replace all their SSL Certificates. The update can be run manually through this link.
7th of September, 2011
Other CAs hacked as well?
The Iranian hacker that claimed to have hacked both Comodo and DigiNotar, says to have operated alone. He also states that he has access to the Certificate Authority GlobalSign. GlobalSign takes this threat very seriously and has started an investigation into the matter. The company also decides to temporarily stop issuing SSL Certificates. Later this day, it decided to cooperate with Fox-IT, because they have experience regarding the DigiNotar-hack.
The OPTA, a government agency charged with enforcing Dutch law on telecommunication, investigates if DigiNotar's way of dealing with the fraudulent certificates was correct.
8th of September, 2011
Adobe still accepts DigiNotar SSL Certificates
The website webwereld.nl states that Adobe is investigating the DigiNotar hack that allowed false certificates to be issued. The company chose, contrary to Microsoft, Mozilla and Google, not to ban DigiNotar because it has not yet seen any proof that the fraudulent certificates have been used in combination with Adobe products.
Possible issues for local authorities when installing Microsoft patch
Local authorities may have some issues with their DigiNotar certificates when trying to install the Microsoft patch that will be published on Tuesday, the 13th of September. It is possible that some processes within local authorities, and those with affiliated partners, will not be able to be processed automatically.
9th of September, 2011
Google warns Iranian victims
Iranian internet users who have been tapped by DigiNotar obtained SSL Certificates are personally warned by Google. When Iranians for example log in on Gmail, they will get the request to change their password.
DigiNotar finally removed from Adobe
After Adobe did not take any measures yesterday, it does today. From today, Adobe will remove DigiNotar's SSL Certificates from its own products.
Apple has no DigiNotar patch so far
Apple is the only company that still has no patch for OS X, iOS or Safari to block DigiNotar certificates. Microsoft, Mozilla, Chrome and Opera have already developed a patch.
11th of September, 2011
Mobile phones still vulnerable
Users of mobile devices like smartphones and tablets have to be careful to use websites that are secured with SSL Certificates of DigiNotar. Patches need to be developed to secure these devices from DigiNotar certificates. Until then, the DigiNotar certificates will be supported.
12th of September, 2011
Blackout threat to Dutch government
A major part of the public services in the Netherlands have almost been down through a blackout, according to research by the NRC Handelsblad. "The Tax Administration would not be able to receive money, unemployment and family benefits were not paid."
13th of September, 2011
At the end of the day Microsoft releases an update in the Netherlands. The update will block all DigiNotar certificates. Websites that still have DigiNotar certificates will show a warning after this afternoon.
14th of September, 2011
Hundreds of government websites are still using DigiNotar certificates
A few weeks after the publication of the hack, still over 300 government websites are using DigiNotar certificates.
OPTA states DigiNotar certificates as unreliable
Regulator OPTA declare in a statement that it does not trust the DigiNotar certificates any longer and that the CA has to make its customers aware of this. The Ministry of the Interior and Kingdom Relations has inherited the operational management of the certification systems from DigiNotar.
19th of September, 2011
DigiNotar switch to Comodo certificates
Since the certificates of DigiNotar not will be issued any longer, DigiNotar has decided to switch to Comodo. Odd choice, since Comodo certificates have already been hacked earlier this year.
20th of September, 2011
Wrong update Microsoft
Microsoft has made a mistake with the update for Windows systems. It has to re-issue the DigiNotar update. The last week released update did not contain the certificates that are actually used for eavesdropping in Iran.
The court in Haarlem has declared DigiNotar bankrupt. There is a curator appointed to handle everything.