The theft of SSL certificates from Dutch certificate authority DigiNotar so undermined trust in the company that it has gone bankrupt.
Responsible for taking down the company is a single attacker, believed to be in Iran, who stole more than 500 certificates used to authenticate sites that make secure connections via SSL. DigiNotar was the primary certificate authority used by the Dutch government.
DigiNotar filed for bankruptcy yesterday and a Dutch court approved the filing today. Trustees were appointed to liquidate its assets, according to a statement by DigiNotar's parent company, Vasco.
The industry has been running from DigiNotar since the breach was made public August 29, more than two months after the company discovered an attack. Microsoft has blacklisted all DigiNotar digital certificates, deeming them untrusted. Google and Mozilla had already blacklisted the company's certificates, and the TOR project has recommended rejecting all DigiNotar certificates.
The parent company Vasco can be added to the list of firms distancing themselves from DigiNotar. "We would like to remind our customers and investors that the incident at DigiNotar has no impact on VASCO's core authentication technology," says T. Kendall Hunt, Vasco's chairman and CEO. "The technological infrastructures of VASCO and DigiNotar remain completely separated, meaning that there is no risk for infection of VASCO's strong authentication business."
The sentiment was backed up by company COO Jan Valcke. "We want to emphasise that the bankruptcy filing by DigiNotar, which was primarily a certificate authority, does not involve VASCO's core two-factor authentication business," he says. "While we do not plan to re-enter the certificate authority business in the near future, we expect that we will be able to integrate the PKI/identity verification technology acquired from DigiNotar into our core authentication platform. As a result, we expect to be able to offer a stronger authentication product line in the coming year to our traditional customers."
The attacker cracked into DigiNotar's network and issued false certificates that could be used to verify the authenticity of phony sites that appeared to be run by the CIA, MI6, Mossad, Microsoft, Yahoo, Skype, Facebook, Twitter and Microsoft's Windows Update service.
In addition to delaying public notification of the breaches and acknowledging some of the stolen certificates, DigiNotar followed up by announcing it had overlooking hundreds of other stolen certificates.
Meanwhile, Vasco still has no idea how much financial damage the hacker wrought on DigiNotar. "We are working to quantify the damages caused by the hacker's intrusion into DigiNotar's system and will provide an estimate of the range of losses as soon as possible," said Cliff Bown, Vasco's executive vice president and CFO.