Timeline of DigiNotar SSL Hack. | Chronological Order of DigiNotar SSL-CA Hack

More information about this hack can be found at http://www.gerbrand-ict.nl/2011/09/diginotar/

Chronological order

  • Dating back as far as May 2009, the portal of DigiNotar had been defaced; these defacements remained in place until this week, when F-Secure exposed them on their blog.
    Source: F-Secure blog
  • On July 10th 2011, 283 rogue certificates were signed
    Source: spreadsheet released by torproject, and claimed to come from the Dutch government
    This included one certificate issued by DigiNotar with a CN of *.google.com; so far this is the only one of these certificates we have actually seen.
    Source: pasted certificate
  • On July 18th 2011, another 124 rogue certificates were signed
    Source: spreadsheet released by torproject, and claimed to come from the Dutch government
  • On July 19th 2011, 128 rogue certificates were revoked
    Source: spreadsheet released by torproject, and claimed to come from the Dutch government
  • On July 20th 2011, another 124 rogue certificates were signed
    Source: spreadsheet released by torproject, and claimed to come from the Dutch government
  • On July 20th 2011, 130 rogue certificates were revoked
    Source: spreadsheet released by torproject, and claimed to come from the Dutch government
  • On July 27th 2011, 75 rogue certificates were revoked
    Source: spreadsheet released by torproject, and claimed to come from the Dutch government
  • On an unknown date, an unknown external auditor failed to catch the fraudulent certificate for *.google.com, or any others that might have been missed. Nor did they catch the defaced pages.
    The specialized press in the Netherlands seems to conclude the auditor was PwC, but not much solid proof of that is to be found so far.
    PwC was DigiNotar’s certifying auditor for a lot of their PKI activities, as can be seen in the DigiNotar certification list.
  • On Aug 28th 2011 (some sources claim the 27th), a user from Iran posted on a forum that, while using Chrome, he had been warned by his browser that the certificate was not to be trusted.
    Source: Forum post
    Chrome has applied additional protections for Gmail since Chromium 13.
  • On Aug 29th 2011, the *.google.com certificate was revoked by DigiNotar
    This can be seen in the CRL at http://service.diginotar.nl/crl/public2025/latestCRL.crl [do not click on this URL, most browsers “understand” CRLs], see below.
  • On Aug 29th 2011, the response from Google and the other browser makers came: Basically the “sh*t hit the fan” as the browser vendors are pulling the plug on DigiNotar and not trusting their processes anymore.
      • Google
      • Microsoft blog and advisory
      • Firefox
  • On Aug 30th 2011, issue 7791032 in Chromium was created. It blacklisted 247 serial numbers of certificates issued by DigiNotar, plus 2 more intermediate DigiNotar certificates. The serial numbers are available in the patch.
  • On Aug 30th 2011, Vasco issued a press release reporting the incident.
  • On Aug 30th 2011, various statements by both Vasco and the Dutch government try to stress that the activities of DigiNotar under the PKIOverheid root were not affected. Some arguments used in the press, such as that the root certificate of PKIOverheid is not held at DigiNotar (they hold an intermediate), are obvious and irrelevant.
  • On Aug 30th 2011, DigiNotar released information for users of DigiNotar certificates [in Dutch]. This includes a very painful statement (my translation): “Users of SSL certificates can depending on the browser vendor be confronted with a statement that the certificate is not trusted. This is in 99,9% of the cases incorrect, the certificate can be trusted”. I’ve got nothing positive to say about that.
    They also offer a free upgrade to the PKIOverheid realm for those holding an SSL or EV SSL certificate.
  • On Aug 31st 2011, Jan Valcke, operational director at Vasco, claims in an interview with “webwereld” [in Dutch] that “dozens” of fake certificates were issued by intruders and that most were revoked on July 19th (minus the *.google.com one and others that might have been missed).
  • On Aug 31st 2011, it is confirmed that security company Fox-IT is performing a forensic audit of the systems of DigiNotar. Results are expected next week at the earliest.
    Source: webwereld article [in Dutch]
  • On Sept 3rd 2011, a press release by the Dutch government [in Dutch] shows that, after a crisis meeting, the Dutch government withdraws the trust it had maintained in DigiNotar, since the audit by Fox-IT cannot rule out that rogue PKIOverheid certificates were issued. They take the following measures:
      • They will switch to other providers in the short term.
      • They opt for a controlled transition in which they take over the operational management of all DigiNotar certificates.
      • By taking over the operational management they hope to monitor for abuse during the transition. They will invite security specialists to complete the transition as soon as possible.
      • DigiNotar is reported to be cooperating with the Dutch government’s takeover of the operational management and the transition to other providers.
    Vasco actually issued a very short press release on the cooperation as well. It’s dated Sept. 2nd (likely due to timezones).
  • On Sept 4th 2011, the torproject published a spreadsheet (Excel and CSV), claimed to come from the Dutch government, that finally gives an overview of which known rogue certificates had been signed.
  • On Sept 20th 2011, DigiNotar, the Dutch certificate authority which hackers compromised and used to generate hundreds of bogus web security certificates, filed for bankruptcy.
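Two entries in the timeline come down to the same mechanism: the *.google.com revocation that shows up in DigiNotar's CRL, and Chromium's hard-coded list of 247 DigiNotar serial numbers. Both are a serial-number lookup, and the CRL variant is only meaningful if the client first verifies that the CRL was really signed by the issuing CA and is still within its validity window. The following is an added example, not code from the original post or from any of the vendors it mentions; it uses Go's standard crypto/x509 package to mint a throwaway CA, a constructed *.example.com leaf standing in for the rogue wildcard certificate, and a CRL listing that leaf, then performs the check a relying party should perform. All keys, serials and names are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// DemoPKI holds constructed test material: a throwaway CA, the serial of a
// wildcard leaf that the CA has revoked, a serial it has not, and the DER CRL.
// None of this is DigiNotar's real key, certificate or CRL.
type DemoPKI struct {
	CA            *x509.Certificate
	RevokedSerial *big.Int
	ValidSerial   *big.Int
	CRL           []byte
}

// BuildDemoPKI mints the CA, a *.example.com leaf (standing in for the rogue
// *.google.com certificate) and a CRL that lists the leaf's serial number.
func BuildDemoPKI() (*DemoPKI, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Demo Root CA (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRL signing must be permitted
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(0x1337), // constructed serial, the one we will revoke
		Subject:      pkix.Name{CommonName: "*.example.com"},
		DNSNames:     []string{"*.example.com"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	// The CRL the CA publishes once the rogue issuance is noticed. NextUpdate is
	// what lets a client reject a stale or replayed CRL. RevokedCertificates is
	// the field that exists across Go versions; newer Go also accepts
	// RevokedCertificateEntries.
	crlTmpl := &x509.RevocationList{
		Number:     big.NewInt(42), // constructed CRL number
		ThisUpdate: now.Add(-time.Minute),
		NextUpdate: now.Add(12 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: leaf.SerialNumber, RevocationTime: now.Add(-time.Minute)},
		},
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	return &DemoPKI{CA: ca, RevokedSerial: leaf.SerialNumber, ValidSerial: big.NewInt(0x1338), CRL: crlDER}, nil
}

// IsRevoked reports whether serial appears on the DER-encoded CRL, after
// verifying that issuer really signed the CRL and that it is current at time
// `at`. Every failure is an error, never a silent "not revoked": a client that
// treats an unverifiable or stale CRL as a pass learns nothing from it.
func IsRevoked(crlDER []byte, issuer *x509.Certificate, serial *big.Int, at time.Time) (bool, error) {
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, fmt.Errorf("parse CRL: %w", err)
	}
	if err := rl.CheckSignatureFrom(issuer); err != nil {
		return false, fmt.Errorf("CRL signature: %w", err)
	}
	if at.Before(rl.ThisUpdate) || at.After(rl.NextUpdate) {
		return false, errors.New("CRL is not current for the requested time")
	}
	for _, rc := range rl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	pki, err := BuildDemoPKI()
	if err != nil {
		panic(err)
	}
	for _, s := range []*big.Int{pki.RevokedSerial, pki.ValidSerial} {
		rev, err := IsRevoked(pki.CRL, pki.CA, s, time.Now())
		fmt.Printf("serial %#x revoked=%v err=%v\n", s, rev, err)
	}
}
```

The signature check is the part that matters for an incident like this one: a CRL fetched over plain HTTP from the distribution point is only trustworthy because the issuing CA's key signed it, and a client that skips that step or that treats a fetch failure as "not revoked" gets no protection from the revocation at all. Chromium's serial blacklist sidesteps the fetch entirely by shipping the serials with the browser; the lookup itself is the same `Cmp`-against-a-list loop shown in IsRevoked.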