[cryptography] OT: Dutch Government: Websites' Safety Not Guaranteed

Marsh Ray marsh at extendedsubset.com
Sat Sep 3 19:48:38 EDT 2011

On 09/03/2011 06:13 PM, Jeffrey Walton wrote:
> http://abcnews.go.com/Technology/wireStory?id=14441405
> The Dutch government said Saturday it cannot guarantee the security
> of its own websites, days after the private company it uses to
> authenticate them admitted it was hacked. An official also said the
> government was taking over the company's operations.
> The announcement affects millions of people who use the Netherlands'
> government's online services and rely on the authenticator,
> DigiNotar, to confirm they are visiting the correct sites. To date,
> however there have been no reports of anyone's identity being stolen
> or security otherwise breached.

Sadly, this is completely wrong and misses the point entirely.

NO ONE can guarantee the security of ANY websites and gov.nl is no more
affected in this respect than anyone else under the current system.

However, on the website authentication system we'll get the next time we
update our client software, gov.nl and the other ~500 websites with
certs from DigiNotar will have to update a file or two on their servers.
I also hear of some government PKI system that will probably need to be
rekeyed from scratch.

Honestly, I don't feel too bad for them for their nepotistic
relationship with the hometown CA. Of all the CAs in the
world to get pwned to teach us a lesson, the server admins (collectively)
could have gotten it a lot worse than this one.

My concern is for the users who are actively getting MitM'd with this
thing. This isn't just about the convenience and economic importance of
the Dutch paying their taxes online Monday. There are folks in the world
relying on this technology to (literally) keep their ass out of the
torture chamber.

- Marsh

