Compromised digital certificates were issued for the CIA, MI6 and Mossad intelligence agencies, as well as a host of social networks and websites via the Dutch certificate authority DigiNotar, reports Mathew J. Schwartz at InformationWeek. The auditors investigating the phony certificates said in a preliminary report that the breach was worse than initially revealed.

It is possible that attackers could have used compromised certificates to listen in on websites for weeks undetected.

False certificates from DigiNotar ended up at Facebook, Google, Twitter, Skype and Microsoft, in addition to the intelligence agencies. So far, 531 fraudulent certificates have been discovered.

The hacker responsible for attacks earlier this year against the certificate authority Comodo took credit for the DigiNotar hack in a blog post this week, claiming that he obtained a "full remote desktop connection" to the network. According to Trend Micro researcher Feike Hacquebord, both attacks against certificate authorities were conducted to spy on Iranian Internet users. The auditors investigating the DigiNotar breach, Fox-IT, came to the same preliminary conclusion.

InformationWeek's Schwartz takes an in-depth look at whether digital certificates can still be trusted in light of the DigiNotar breach. According to the preliminary report by Fox-IT, DigiNotar had unpatched software, no centralized logging, and other poor information security practices, and the certificate authority now "appears to be doomed," he writes. 

Mozilla has said that going forward it will block every DigiNotar certificate. "In DigiNotar's case," the company wrote on its blog, "we have no confidence that the problem had been contained. Furthermore, their failure to notify leaves us deeply concerned about our ability to protect our users from future breaches."

For more:
- see Mathew J. Schwartz's article at InformationWeek

Related Articles:
Mac OS X bug leaves Safari users susceptible to fake DigiNotar certificates
Free Firefox add-on helps boost security