Diginotar Responds To Rogue Certificate Problem
An anonymous reader writes "Vasco, the owner of the DigiNotar CA implicated in the MITM attacks on Iranian Google users, has responded to their fraudulently issued certificate problems. The press release reads: 'On July 19th 2011, DigiNotar detected an intrusion into its Certificate Authority (CA) infrastructure, which resulted in the fraudulent issuance of public key certificate requests for a number of domains, including Google.com. Once it detected the intrusion, DigiNotar has acted in accordance with all relevant rules and procedures. At that time, an external security audit concluded that all fraudulently issued certificates were revoked. Recently, it was discovered that at least one fraudulent certificate had not been revoked at the time. After being notified by Dutch government organization Govcert, DigiNotar took immediate action and revoked the fraudulent certificate'. It is not clear whether the latter certificate is the one used in Iran, or whether other certificates remain at large. I guess removing the root certificate from browsers is the correct response."
In Firefox 6 (Score:5, Informative)
1) Options -> Advanced -> Encryption -> View Certificates
2) In the Certificate Manager window, click the Authorities tab.
3) Scroll down to DigiNotar.
4) Delete or Distrust the "DigiNotar Root CA" certificate.
Re:In Firefox 6 (Score:4, Informative)
In short, Comodo has issued fraudulent certificates for Google Mail, Yahoo, and a couple other high traffic sites. Gameboy is correct - nuke both of these CAs immediately.
Re:Already done (Score:2, Informative)
Check their site, they sign their own certificate:
https://www.diginotar.com/Products/ExtendedValidationSSL/tabid/622/Default.aspx
Too late (Score:5, Informative)
In MacOSX (Score:5, Informative)
open /Applications/Utilities/Keychain Access.app
Click on System Roots
Scroll down to DigiNotar Root CA
Click the "i" icon, or select "Get Info CMD-I"
Expand the "Trust" node
For the "When using this certificate"
Select the "Never Trust" option
If successful, the info window will now say "This certificate is marked as not trusted for all users", and you can browse this site [diginotar.nl] to ensure that the trust is broken.
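Added example, not part of the thread: the comments above cover Firefox and Keychain Access, but tools that read a PEM CA bundle keep their own copy of the root list, so this script goes beyond them and lists the bundle certificates whose subject mentions DigiNotar. Matching on the subject name and all function names are assumptions of this example; the sample bundle is constructed, certificate-shaped DER, not real certificates.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def children(buf, start, end):
    while start < end:  # walk the elements packed inside buf[start:end]
        tag, vs, ve = read_tlv(buf, start)
        yield tag, vs, ve
        start = ve

def subject_strings(der):
    """Attribute values (O, CN, ...) from the subject Name of one certificate."""
    _, s, e = read_tlv(der, 0)   # Certificate SEQUENCE
    _, s, e = read_tlv(der, s)   # tbsCertificate SEQUENCE
    fields = [f for f in children(der, s, e) if f[0] != 0xA0]  # drop optional [0] version
    _, ss, se = fields[4]        # serial, sigAlg, issuer, validity, subject
    values = []
    for _, rs, r_end in children(der, ss, se):        # each RDN (SET)
        for _, a_s, a_e in children(der, rs, r_end):  # AttributeTypeAndValue
            _oid, (vtag, vs, ve) = list(children(der, a_s, a_e))[:2]
            values.append(der[vs:ve].decode("utf-16-be" if vtag == 0x1E else "utf-8", "replace"))
    return values

def flag_roots(pem_bundle, needle="diginotar"):
    """Subjects of bundle certificates that mention needle (name match is an assumption)."""
    subjects = (subject_strings(base64.b64decode(b)) for b in PEM_RE.findall(pem_bundle))
    return [", ".join(s) for s in subjects if any(needle in v.lower() for v in s)]

# Constructed sample: certificate-shaped DER with dummy fields, not real certificates.
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body  # short-form lengths only (< 128 bytes)

def _fake_cert(org, cn):
    attrs = ((b"\x55\x04\x0a", org), (b"\x55\x04\x03", cn))  # OIDs for O and CN
    name = _tlv(0x30, b"".join(_tlv(0x31, _tlv(0x30, _tlv(0x06, o) + _tlv(0x0C, v.encode()))) for o, v in attrs))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30, b"") + name + _tlv(0x30, b"") + name)
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(_tlv(0x30, tbs)).decode()

SAMPLE_BUNDLE = _fake_cert("DigiNotar", "DigiNotar Root CA") + _fake_cert("Example Trust", "Example Root CA")
```

Pass the text of a real bundle file to `flag_roots` in place of `SAMPLE_BUNDLE`; an empty list means no certificate in that bundle names DigiNotar in its subject.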