Hackers may have stolen more than 200 digital certificates from a Dutch company after breaking into its network, including ones for Mozilla, Yahoo and the Tor project.
The count is considerably higher than DigiNotar has acknowledged. Earlier this week they announced that "several dozen" certificates had been acquired by the attackers.
"About 200 certificates were generated by the attackers," said Hans Van de Looy, principal security consultant and founder of Madison Gurka, a Dutch security company, citing a source he said wished to remain confidential.
Among the certificates acquired by the attackers in a mid-July hack of DigiNotar, Van de Looy's source revealed, were ones valid for mozilla.com, yahoo.com and torproject.org.
Tor is a system that lets people connect to the web anonymously, and is often used in countries where governments monitor their citizens' online activities.
Looy's number is similar to the tally of certificates that Google has blacklisted in Chrome.
An entry in the Chromium bug-tracking database lists 247 certificates that the project blacklisted. Chromium is the open-source project that feeds code to the Chrome browser and Chrome OS.
DigiNotar draw serious criticism
"Were these all issued by DigiNotar? It is difficult to tell," said Chet Wisniewski, a security researcher with UK-based Sophos, in a blog post on August 30. "However, considering only 10 were blocked previously, this is a strong indication that these additional blacklisted certificates were most likely part of this incident."
DigiNotar, a Dutch firm that was acquired by US-based Vasco earlier this year, discovered the network breach on July 19, and has confirmed intruders issued themselves valid certificates for a number of domains.
The company claimed that it had revoked all the fraudulent certificates, but then realised it had overlooked one that could be used to impersonate any Google service, including Gmail. DigiNotar went public with its mea culpa only after users reported their findings to Google last week.
Security researchers now wonder what else DigiNotar hasn't told users.
"They say they found all but the certificate for google.com," said Wisniewski. "But what other sites were we at risk from visiting earlier? Were those other certificates for Microsoft or Yahoo or PayPal? How come they're not saying?"
Wisniewski was concerned because of the timeline that DigiNotar laid out.
Why was attack not discovered sooner
DigiNotar essentially admitted that it was unaware of the hack for over a week; the Google certificate was issued on July 10, according to information posted to Pastebin.com, nine days before DigiNotar said it became aware of the attack.
"For nine days they didn't know about it," said Wisniewski. "Then how long did it take them to revoke those they knew about?"
Wisniewski said that DigiNotar had revoked multiple certificates on July 19, July 26 and August 16, all dates that were prior to the Dutch firm acknowledging the attack.
"We should be very concerned about this. When this kind of thing happens, the sweeping under the rug is almost an abuse of the entire system of trust," said Wisniewski, referring to the SSL (secure socket layer) certificate model.
Roel Schouwenberg, a senior malware researcher at Moscow-based Kaspersky Lab, also took DigiNotar to the woodshed.
"According to DigiNotar, they're not able to track which rogue certificates were generated," said Schouwenberg in a blog post. "So more of these rogue certificates may be out there. How is this possible? Either DigiNotar performs no logging of the certificates they create or their logs got cleaned out during the attack."
Like Wisniewski, Schouwenberg also criticised DigiNotar's response. "It seems that DigiNotar has not realised certificate authorities need to sell trust above anything else," he said.
Schouwenberg repeated his earlier assertion that the DigiNotar hack was most likely the work of a government, either directly or through proxies it hired or supported.
Google point finger at Iran
"Assuming these domains [Mozilla's, Yahoo's and the Tor Project's] were indeed targeted, the most plausible explanation is that a specific government is behind this attack," he argued.
In that scenario, a government - perhaps Iran's - would use the bogus certificates to deceive users into thinking they were at a legitimate site when in fact their communications were being secretly intercepted.
On Monday, Google pointed a finger at Iran, saying that attacks using the ill-gotten google.com certificate had primarily targeted Iranian users.
Some browser makers have reacted quickly to block the use of all DigiNotar certificates.
Late on Tuesday, Mozilla shipped updates for Firefox 6 and Firefox 3.6 that added DigiNotar's root certificate to those browsers' blacklists. Google has updated Chrome 13 and Chrome 14 - the latter currently in beta testing - to do the same.
Microsoft swift to act
Meanwhile, Microsoft has nuked all DigiNotar certificates by adding the Dutch company's root to its list of banned certificates in Windows Vista, Windows 7, Server 2008 and Server 2008 R2.
Users running Windows XP or Server 2003, however, remain at risk; Microsoft said it would address those editions with a "future update" but did not set a timetable.
"There is a whole list of fail here," said Wisniewski about the hack and DigiNotar's response. "A certificate authority's obligation is to step up and disclose problems like this, or trust just goes out the window."
Van de Looy hoped that DigiNotar would eventually come clean.
"Currently, investigators of the renowned company Fox-IT are investigating the servers of DigiNotar and their report will hopefully reveal additional information on the how, when and what of this significant event," said Van de Looy.
DigiNotar has retained Fox-IT , a Dutch digital forensics firm, to audit its systems and investigate the July hack.