[cryptography] An appropriate image from Diginotar

Peter Gutmann pgut001 at cs.auckland.ac.nz
Fri Sep 2 11:02:42 EDT 2011


Ralph Holz <holz at net.in.tum.de> writes:

>I have some values from our own scans - scans conducted against hosts on the
>Alexa Top 1M list.

Given that that particular Diginotar CA had only issued around 700 certs in
total, that means a significant fraction (at least a quarter, depending on how
many undiscovered certs are still out there) of all its certs are fraudulent.
Must have been someone with the knowledge of a million hackers this time
round.

Another point is that minting 200-250 certs isn't something you can do with a
mouse click, you need to prepare all the cert requests with site-specific data
customised to each site, and that takes time.  They must have had the run of
the CA for quite some time to get all that done.

(In terms of the data that they provided, both ComodoGate and DiginotarGate
have been quite valuable, ComodoGate for showing that browser vendors are
willing to collude with CAs to cover up breaches, and DiginotarGate for
showing that CAs are willing to hush up breaches more or less indefinitely
until forced to disclose by external events outside their control.  The only
downside is that we really need to require CAs to choose names that work
better with the -gate suffix.  Something like EntrustGate I can deal with, but
there's no way I'm trying EBGElektronikSertifikaHizmetSaglayicisiGate in a
message).

Peter.
