DigiNotar

Last updated

DigiNotar BV
TypeSubsidiary of a publicly traded company
Industry Internet security
Founded1998 (1998)
FounderDick Batenburg
DefunctSeptember 20, 2011 (2011-09-20)
Fateacquired by VASCO Data Security International, Inc. in 2010; declared bankrupt in 2011
Headquarters
Beverwijk
,
Netherlands
Products Public key certificates
Services Certificate authority
OwnerVASCO Data Security International
Website Archived April 27, 2008, at the Wayback Machine

DigiNotar was a Dutch certificate authority owned by VASCO Data Security International, Inc. [1] [2]

Contents

Overview

On September 3, 2011, after it had become clear that a security breach had resulted in the fraudulent issuing of certificates, the Dutch government took over operational management of DigiNotar's systems. [3] That same month, the company was declared bankrupt. [4] [5]

An investigation into the hacking by Dutch-government appointed Fox-IT consultancy identified 300,000 Iranian Gmail users as the main target of the hack (targeted subsequently using man-in-the-middle attacks), and suspected that the Iranian government was behind the hack. [6] While nobody has been charged with the break-in and compromise of the certificates (as of 2013), cryptographer Bruce Schneier says the attack may have been "either the work of the NSA, or exploited by the NSA." [7] However, this has been disputed, with others saying the NSA had only detected a foreign intelligence service using the fake certificates. [8] The hack has also been claimed by the so-called Comodohacker, allegedly a 21-year-old Iranian student, who also claimed to have hacked four other certificate authorities, including Comodo, a claim found plausible by F-Secure, although not fully explaining how it led to the subsequent "widescale interception of Iranian citizens". [9]

After more than 500 fake DigiNotar certificates were found, major web browser makers reacted by blacklisting all DigiNotar certificates. [10] The scale of the incident was used by some organizations like ENISA and AccessNow.org to call for a deeper reform of HTTPS in order to remove the weakest link possibility that a single compromised CA can affect that many users. [11] [12]

Company

DigiNotar's main activity was as a certificate authority, issuing two types of certificate. First, they issued certificates under their own name (where the root CA was "DigiNotar Root CA"). [13] Entrust certificates were not issued since July 2010, but some were still valid up to July 2013. [14] [15] Secondly, they issued certificates for the Dutch government's PKIoverheid ("PKIgovernment") program. This issuance was via two intermediate certificates, each of which chained up to one of the two "Staat der Nederlanden" root CAs. National and local Dutch authorities and organisations offering services for the government who want to use certificates for secure internet communication can request such a certificate. Some of the most-used electronic services offered by Dutch governments used certificates from DigiNotar. Examples were the authentication infrastructure DigiD and the central car-registration organisation Netherlands Vehicle Authority  [ nl ] (RDW).

DigiNotar's root certificates were removed from the trusted-root lists of all major web browsers and consumer operating systems on or around August 29, 2011; [16] [17] [18] the "Staat der Nederlanden" roots were initially kept because they were not believed to be compromised. However, they have since been revoked.

History

DigiNotar was originally set up in 1998 by the Dutch notary Dick Batenburg from Beverwijk and the Koninklijke Notariële Beroepsorganisatie  [ nl ], the national body for Dutch civil law notaries. The KNB offers all kind of central services to the notaries, and because many of the services that notaries offer are official legal procedures, security in communications is important. The KNB offered advisory services to their members on how to implement electronic services in their business; one of these activities was offering secure certificates.

Dick Batenburg and the KNB formed the group TTP Notarissen (TTP Notaries), where TTP stands for trusted third party. A notary can become a member of TTP Notarissen if they comply with certain rules. If they comply with additional rules on training and work procedures, they can become an accredited TTP Notary. [19]

Although DigiNotar had been a general-purpose CA for several years, they still targeted the market for notaries and other professionals.

On January 10, 2011, the company was sold to VASCO Data Security International. [1] In a VASCO press release dated June 20, 2011, one day after DigiNotar first detected an incident on their systems [20] VASCO's president and COO Jan Valcke is quoted as stating "We believe that DigiNotar's certificates are among the most reliable in the field." [21]

Bankruptcy

On September 20, 2011, Vasco announced that its subsidiary DigiNotar was declared bankrupt after filing for voluntary bankruptcy at the Haarlem court. Effective immediately the court appointed a receiver, a court-appointed trustee who takes over the management of all of DigiNotar's affairs as it proceeds through the bankruptcy process to liquidation. [4] [22]

Refusal to publish report

The curator (court-appointed receiver) didn't want the report from ITSec to be published, as it might lead to additional claims towards DigiNotar.[ citation needed ] The report covered the way the company operated and details of the hack of 2011 that led to its bankruptcy.[ citation needed ]

The report was made on request of the Dutch supervisory agency OPTA who refused to publish the report in the first place. In a freedom of information ( Wet openbaarheid van bestuur  [ nl ]) procedure started by a journalist, the receiver tried to convince the court not to allow publication of this report, and to confirm the OPTA's initial refusal to do so. [23]

The report was ordered to be released, and was made public in October 2012. It shows a near total compromise of the systems.

Issuance of fraudulent certificates

On July 10, 2011, an attacker with access to DigiNotar's systems issued a wildcard certificate for Google. This certificate was subsequently used by unknown persons in Iran to conduct a man-in-the-middle attack against Google services. [24] [25] On August 28, 2011, certificate problems were observed on multiple Internet service providers in Iran. [26] The fraudulent certificate was posted on Pastebin. [27] According to a subsequent news release by VASCO, DigiNotar had detected an intrusion into its certificate authority infrastructure on July 19, 2011. [28] DigiNotar did not publicly reveal the security breach at the time.

After this certificate was found, DigiNotar belatedly admitted dozens of fraudulent certificates had been created, including certificates for the domains of Yahoo!, Mozilla, WordPress and The Tor Project. [29] DigiNotar could not guarantee all such certificates had been revoked. [30] Google blacklisted 247 certificates in Chromium, [31] but the final known total of misissued certificates is at least 531. [32] Investigation by F-Secure also revealed that DigiNotar's website had been defaced by Turkish and Iranian hackers in 2009. [33]

In reaction, Mozilla revoked trust in the DigiNotar root certificate in all supported versions of its Firefox browser and Microsoft removed the DigiNotar root certificate from its list of trusted certificates with its browsers on all supported releases of Microsoft Windows. [34] [35] Chromium / Google Chrome was able to detect the fraudulent *.google.com certificate, due to its "certificate pinning" security feature; [36] however, this protection was limited to Google domains, which resulted in Google removing DigiNotar from its list of trusted certificate issuers. [24] Opera always checks the certificate revocation list of the certificate's issuer and so they initially stated they did not need a security update. [37] [38] However, later they also removed the root from their trust store. [39] On September 9, 2011, Apple issued Security Update 2011-005 for Mac OS X 10.6.8 and 10.7.1, which removes DigiNotar from the list of trusted root certificates and EV certificate authorities. [40] Without this update, Safari and Mac OS X do not detect the certificate's revocation, and users must use the Keychain utility to manually delete the certificate. [41] Apple did not patch iOS until October 13, 2011, with the release of iOS 5. [42]

DigiNotar also controlled an intermediate certificate which was used for issuing certificates as part of the Dutch government’s public key infrastructure "PKIoverheid" program, chaining up to the official Dutch government certification authority (Staat der Nederlanden). [43] Once this intermediate certificate was revoked or marked as untrusted by browsers, the chain of trust for their certificates was broken, and it was difficult to access services such as the identity management platform DigiD and the Tax and Customs Administration. [44] GOVCERT.NL  [ nl ], the Dutch computer emergency response team, initially did not believe the PKIoverheid certificates had been compromised, [45] although security specialists were uncertain. [30] [46] Because these certificates were initially thought not to be compromised by the security breach, they were, at the request of the Dutch authorities, kept exempt from the removal of trust [43] [47] – although one of the two, the active "Staat der Nederlanden - G2" root certificate, was overlooked by the Mozilla engineers and accidentally distrusted in the Firefox build. [48] However, this assessment was rescinded after an audit by the Dutch government, and the DigiNotar-controlled intermediates in the "Staat der Nederlanden" hierarchy were also blacklisted by Mozilla in the next security update, and also by other browser manufacturers. [49] The Dutch government announced on September 3, 2011, that they will switch to a different firm as certificate authority. [50]

Steps taken by the Dutch government

After the initial claim that the certificates under the DigiNotar-controlled intermediate certificate in the PKIoverheid hierarchy weren't affected, further investigation by an external party, the Fox-IT consultancy, showed evidence of hacker activity on those machines as well. Consequently, the Dutch government decided on September 3, 2011, to withdraw their earlier statement that nothing was wrong. [51] (The Fox-IT investigators dubbed the incident "Operation Black Tulip". [52] ) The Fox-IT report identified 300,000 Iranian Gmail accounts as the main victims of the hack. [6]

DigiNotar was only one of the available CAs in PKIoverheid, so not all certificates used by the Dutch government under their root were affected. When the Dutch government decided that they had lost their trust in DigiNotar, they took back control over the company's intermediate certificate in order to manage an orderly transition, and they replaced the untrusted certificates with new ones from one of the other providers. [51] The much-used DigiD platform now[ when? ] uses a certificate issued by Getronics PinkRoccade Nederland B.V. [53] According to the Dutch government, DigiNotar gave them its full co-operation with these procedures.

After the removal of trust in DigiNotar, there are now[ when? ] four Certification Service Providers (CSP) that can issue certificates under the PKIoverheid hierarchy: [54]

  • Digidentity [55]
  • ESG or De Electronische Signatuur [56]
  • QuoVadis [57]
  • KPN Certificatiedienstverlening

All four companies have opened special help desks and/or published information on their websites as to how organisations that have a PKIoverheid certificate from DigiNotar can request a new certificate from one of the remaining four providers. [55] [56] [57] [58]

See also

Related Research Articles

X.500 is a series of computer networking standards covering electronic directory services. The X.500 series was developed by the Telecommunication Standardization Sector of the International Telecommunication Union (ITU-T). ITU-T was formerly known as the Consultative Committee for International Telephony and Telegraphy (CCITT). X.500 was first approved in 1988. The directory services were developed to support requirements of X.400 electronic mail exchange and name lookup. The International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) were partners in developing the standards, incorporating them into the Open Systems Interconnection suite of protocols. ISO/IEC 9594 is the corresponding ISO/IEC identification.

In cryptography and computer security, a man-in-the-middle (MITM) attack is a cyberattack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other, as the attacker has inserted themselves between the two parties. One example of a MITM attack is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all relevant messages passing between the two victims and inject new ones. This is straightforward in many circumstances; for example, an attacker within the reception range of an unencrypted Wi-Fi access point could insert themselves as a man-in-the-middle. As it aims to circumvent mutual authentication, a MITM attack can succeed only when the attacker impersonates each endpoint sufficiently well to satisfy their expectations. Most cryptographic protocols include some form of endpoint authentication specifically to prevent MITM attacks. For example, TLS can authenticate one or both parties using a mutually trusted certificate authority.

In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the validity of a public key. The certificate includes information about the key, information about the identity of its owner, and the digital signature of an entity that has verified the certificate's contents. If the signature is valid, and the software examining the certificate trusts the issuer, then it can use that key to communicate securely with the certificate's subject. In email encryption, code signing, and e-signature systems, a certificate's subject is typically a person or organization. However, in Transport Layer Security (TLS) a certificate's subject is typically a computer or other device, though TLS certificates may identify organizations or individuals in addition to their core role in identifying devices. TLS, sometimes called by its older name Secure Sockets Layer (SSL), is notable for being a part of HTTPS, a protocol for securely browsing the web.

<span class="mw-page-title-main">Root certificate</span> Certificate identifying a root authority

In cryptography and computer security, a root certificate is a public key certificate that identifies a root certificate authority (CA). Root certificates are self-signed and form the basis of an X.509-based public key infrastructure (PKI). Either it has matched Authority Key Identifier with Subject Key Identifier, in some cases there is no Authority Key identifier, then Issuer string should match with Subject string. For instance, the PKIs supporting HTTPS for secure web browsing and electronic signature schemes depend on a set of root certificates.

In cryptography, a certificate authority or certification authority (CA) is an entity that stores, signs, and issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others to rely upon signatures or on assertions made about the private key that corresponds to the certified public key. A CA acts as a trusted third party—trusted both by the subject (owner) of the certificate and by the party relying upon the certificate. The format of these certificates is specified by the X.509 or EMV standard.

<span class="mw-page-title-main">Verisign</span> American Internet company

Verisign Inc. is an American company based in Reston, Virginia, United States, that operates a diverse array of network infrastructure, including two of the Internet's thirteen root nameservers, the authoritative registry for the .com, .net, and .name generic top-level domains and the .cc country-code top-level domains, and the back-end systems for the .jobs and .edu sponsored top-level domains.

In cryptography, a trusted third party (TTP) is an entity which facilitates interactions between two parties who both trust the third party; the third party reviews all critical transaction communications between the parties, based on the ease of creating fraudulent digital content. In TTP models, the relying parties use this trust to secure their own interactions. TTPs are common in any number of commercial transactions and in cryptographic digital transactions as well as cryptographic protocols, for example, a certificate authority (CA) would issue a digital certificate to one of the two parties in the next example. The CA then becomes the TTP to that certificate's issuance. Likewise transactions that need a third party recordation would also need a third-party repository service of some kind.

CyberTrust was a security services company formed in Virginia in November 2004 from the merger of TruSecure and Betrusted. Betrusted previously acquired GTE Cybertrust. Cybertrust acquired a large stake in Ubizen, a European security services firm based in Belgium, to become one of the largest information security firms in the world. It was acquired by Verizon Business in 2007. In 2015, the CyberTrust root certificates were acquired by DigiCert, Inc., a leading global Certificate Authority (CA) and provider of trusted identity and authentication services.

Thawte Consulting is a certificate authority (CA) for X.509 certificates. Thawte was founded in 1995 by Mark Shuttleworth in South Africa. As of December 30, 2016, its then-parent company, Symantec Group, was collectively the third largest public CA on the Internet with 17.2% market share.

Xcitium, formerly known as Comodo Security Solutions, Inc., is a cybersecurity company headquartered in Bloomfield, New Jersey.

GeoTrust is a digital certificate provider. The GeoTrust brand was bought by Symantec from Verisign in 2010, but agreed to sell the certificate business in August 2017 to private equity and growth capital firm Thoma Bravo LLC. GeoTrust was the first certificate authority to use the domain-validated certificate method which accounts for 70 percent of all SSL certificates on the Internet. By 2006, GeoTrust was the 2nd largest certificate authority in the world with 26.7 percent market share according to independent survey company Netcraft.

<span class="mw-page-title-main">Balatarin</span>

Balatarin is a Persian language social and political link-sharing website aimed primarily at Iranian audiences. Balatarin does not generate news in-house but provides a hub where users can post links to webpages of their choice, vote on their relevance or significance, and post comments. New links initially go to the "recently posted" page; as they collect positive votes, they gain a higher rank and move to the front page, which increases their visibility. Combining the technical attributes of reddit, digg, newsvine, and del.icio.us, Balatarin is a mission-oriented platform dedicated to enabling and fostering freedom of expression and information for the benefit of Iranian society.

<span class="mw-page-title-main">DigiCert</span> Internet security company

DigiCert, Inc. is a digital security company headquartered in Lehi, Utah. As a certificate authority (CA) and trusted third party, DigiCert provides public key infrastructure (PKI) and validation required for issuing digital certificates or TLS/SSL certificates.

The Certification Authority Browser Forum, also known as the CA/Browser Forum, is a voluntary consortium of certification authorities, vendors of Internet browser and secure email software, operating systems, and other PKI-enabled applications that promulgates industry guidelines governing the issuance and management of X.509 v.3 digital certificates that chain to a trust anchor embedded in such applications. Its guidelines cover certificates used for the SSL/TLS protocol and code signing, as well as system and network security of certificate authorities.

StartCom was a certificate authority founded in Eilat, Israel, and later based in Beijing, China, that had three main activities: StartCom Enterprise Linux, StartSSL and MediaHost. StartCom set up branch offices in China, Hong Kong, the United Kingdom and Spain. Due to multiple faults on the company's end, all StartCom certificates were removed from Mozilla Firefox in October 2016 and Google Chrome in March 2017, including certificates previously issued, with similar removals from other browsers expected to follow.

DigiD is an identity management platform which government agencies of the Netherlands, including the Tax and Customs Administration and Dienst Uitvoering Onderwijs, can use to verify the identity of Dutch residents on the Internet. In 2015 it was used for 200 million authentications by 12 million citizens. The system is tied to the Dutch national identification number. The system has been mandatory when submitting tax forms electronically since 2006.

Convergence was a proposed strategy for replacing SSL certificate authorities, first put forth by Moxie Marlinspike in August 2011 while giving a talk titled "SSL and the Future of Authenticity" at the Black Hat security conference. It was demonstrated with a Firefox addon and a server-side notary daemon.

Certificate Transparency (CT) is an Internet security standard for monitoring and auditing the issuance of digital certificates.

Let's Encrypt is a non-profit certificate authority run by Internet Security Research Group (ISRG) that provides X.509 certificates for Transport Layer Security (TLS) encryption at no charge. It is the world's largest certificate authority, used by more than 300 million websites, with the goal of all websites being secure and using HTTPS. The Internet Security Research Group (ISRG), the provider of the service, is a public benefit organization. Major sponsors include the Electronic Frontier Foundation (EFF), the Mozilla Foundation, OVH, Cisco Systems, Facebook, Google Chrome, Internet Society, AWS, NGINX, and Bill and Melinda Gates Foundation. Other partners include the certificate authority IdenTrust, the University of Michigan (U-M), and the Linux Foundation.

OneSpan is a publicly traded cybersecurity technology company based in Chicago, Illinois, with offices in Montreal, Brussels and Zurich. The company offers a cloud-based and open-architected anti-fraud platform and is historically known for its multi-factor authentication and electronic signature software.

References

  1. 1 2 "VASCO Data Security International, Inc. announces the acquisition of DigiNotar B.V., a market leader in Internet trust services in the Netherlands" (Press release). VASCO. January 10, 2011. Archived from the original on September 17, 2011. Retrieved August 31, 2011.
  2. van der Meulen, Nicole (June 2013). "DigiNotar: Dissecting the First Dutch Digital Disaster". Journal of Strategic Security. 6 (2): 46–58. doi: 10.5038/1944-0472.6.2.4 . ISSN   1944-0464.
  3. Website Govcert Factsheet discovery fraudulent certificates Archived October 8, 2011, at the Wayback Machine . Retrieved September 6, 2011.
  4. 1 2 "VASCO Announces Bankruptcy Filing by DigiNotar B.V." (Press release). VASCO Data Security International. September 20, 2011. Archived from the original on September 23, 2011. Retrieved September 20, 2011.
  5. Wolff, Josephine (December 21, 2016). "How a 2011 Hack You've Never Heard of Changed the Internet's Infrastructure". Slate. ISSN   1091-2339 . Retrieved June 30, 2023.
  6. 1 2 Gregg Keizer (September 6, 2011). "Hackers spied on 300,000 Iranians using fake Google certificate". Computerworld. Archived from the original on February 2, 2014. Retrieved January 24, 2014.
  7. "New NSA Leak Shows Man-In-The-Middle Attacks Against Major Internet Services". September 13, 2013. Archived from the original on September 20, 2013. Retrieved September 14, 2013.
  8. Rouwhorst, Koen (September 14, 2013). "No, the NSA was not behind the DigiNotar hack". Archived from the original on November 20, 2013. Retrieved November 19, 2013.
  9. "Comodo hacker claims credit for DigiNotar attack". PC World Australia. September 6, 2011. Archived from the original on February 2, 2014. Retrieved January 24, 2014.
  10. Bright, Peter (September 6, 2011). "Comodo hacker: I hacked DigiNotar too; other CAs breached". Ars Technica. Archived from the original on April 17, 2012. Retrieved April 29, 2019.
  11. "Operation Black Tulip: Certificate authorities lose authority". www.enisa.europa.eu. Archived from the original on April 22, 2014. Retrieved January 24, 2014.
  12. "The weakest link in the chain: Vulnerabilities in the SSL certificate authority system and what should be done about them. An Access Policy Brief Regarding the Consequences of the DigiNotar breach for Civil Society and Commercial Enterprise" (PDF). Archived (PDF) from the original on October 6, 2018. Retrieved February 20, 2019.
  13. "Overzicht actuele rootcertificaten" [Survey of current root certificates] (in Dutch). DigiNotar. Archived from the original on August 31, 2011. Retrieved September 12, 2011.
  14. "Entrust in relation with Diginotar". Ssl.entrust.net. September 14, 2011. Archived from the original on April 2, 2012. Retrieved February 1, 2012.
  15. A print screen of a Diginotar certificate under the Entrust chain
  16. "Microsoft Security Advisory 2607712". technet.microsoft.com. Archived from the original on June 10, 2016. Retrieved June 16, 2016.
  17. "An update on attempted man-in-the-middle attacks". Google Online Security Blog. Archived from the original on June 10, 2016. Retrieved June 16, 2016.
  18. "Fraudulent *.google.com Certificate". Mozilla Security Blog. Archived from the original on May 25, 2022. Retrieved June 16, 2016.
  19. Website Diginotar on TTP Notarissen Archived August 31, 2011, at the Wayback Machine .
  20. FOX-IT Interim Report, v1.0 Archived April 21, 2015, at the Wayback Machine (but before any certificates were misissued), Timeline, page 13. Retrieved September 5, 2011.
  21. "VASCO Tackles Global SSL-Certificate Market". MarketWatch. June 20, 2011.
  22. Pressrelease Court of Haarlem on DigiNotar Archived September 24, 2011, at the Wayback Machine , 20 September 2011. Retrieved September 27, 2011.
  23. Newssite nu.nl: Receiver afraid of more claims Archived June 30, 2012, at the Wayback Machine (Dutch), 22 June 2012. Visited: 25 June 2012.
  24. 1 2 Heather Adkins (August 29, 2011). "An update on attempted man-in-the-middle attacks". Archived from the original on September 13, 2011. Retrieved August 30, 2011.
  25. Elinor Mills. "Fraudulent Google certificate points to Internet attack". Archived October 8, 2011, at the Wayback Machine CNET , 8/29/2011.
  26. Charles Arthur (August 30, 2011). "Faked web certificate could have been used to attack Iran dissidents". The Guardian . Archived from the original on August 26, 2017. Retrieved August 30, 2011.
  27. "Fraudulent certificate triggers blocking from software companies". Heise Media UK Ltd. August 30, 2011. Archived from the original on April 28, 2012.
  28. "DigiNotar reports security incident". VASCO Data Security International. August 30, 2011. Archived from the original on August 31, 2011. Retrieved September 1, 2011.
  29. "Mogelijk nepsoftware verspreid naast aftappen Gmail". Sanoma Media Netherlands groep. August 31, 2011. Archived from the original on December 4, 2011. Retrieved August 31, 2011.
  30. 1 2 "DigiNotar: mogelijk nog valse certificaten in omloop". IDG Nederland. August 31, 2011. Archived from the original on February 10, 2012. Retrieved August 31, 2011.
  31. Keizer, Gregg (August 31, 2011). "Hackers may have stolen over 200 SSL certificates". F-Secure. Archived from the original on September 3, 2011. Retrieved September 1, 2011.
  32. Markham, Gervase (September 4, 2011). "Updated DigiNotar CN List". Archived from the original on October 21, 2011. Retrieved September 20, 2011.
  33. Hypponen, Mikko (August 30, 2011). "DigiNotar Hacked by Black.Spook and Iranian Hackers". Archived from the original on September 25, 2011. Retrieved August 31, 2011.
  34. "Fraudulent Digital Certificates Could Allow Spoofing". Microsoft Security Advisory (2607712). Microsoft. August 29, 2011. Retrieved August 30, 2011.
  35. Johnathan Nightingale (August 29, 2011). "Fraudulent *.google.com Certificate". Mozilla Security Blog. Mozilla. Archived from the original on September 21, 2011. Retrieved August 30, 2011.
  36. "What The DigiNotar Security Breach Means For Qt Users". MeeGo Experts. September 10, 2011. Archived from the original on March 24, 2012. Retrieved September 13, 2011.
  37. "Opera 11.51 released". Opera Software. August 30, 2011. Archived from the original on October 5, 2011. Retrieved September 1, 2011.
  38. Vik, Sigbjørn (August 30, 2011). "When Certificate Authorities are Hacked". Opera Software. Archived from the original on October 8, 2011. Retrieved September 1, 2011.
  39. "DigiNotar Second Step: Blacklisting the Root". Opera Software. September 8, 2011. Archived from the original on November 11, 2011. Retrieved September 20, 2011.
  40. "About Security Update 2011-005". Apple. September 9, 2011. Archived from the original on September 25, 2011. Retrieved September 9, 2011.
  41. "Safari users still susceptible to attacks using fake DigiNotar certs". Ars Technica. September 1, 2011. Archived from the original on October 12, 2011. Retrieved September 1, 2011.
  42. "About the security content of iOS 5 Software Update". Apple. October 13, 2011. Archived from the original on February 5, 2009. Retrieved October 13, 2014.
  43. 1 2 Johnathan Nightingale (September 2, 2011). "DigiNotar Removal Follow Up". Mozilla Security Blog. Archived from the original on September 21, 2011. Retrieved September 4, 2011.
  44. Schellevis, Joost (August 30, 2011). "Firefox vertrouwt certificaat DigiD niet meer". Tweakers.net (in Dutch). Archived from the original on September 28, 2011. Retrieved August 30, 2011.
  45. "Frauduleus uitgegeven beveiligingscertificaat". August 30, 2011. Archived from the original on October 6, 2011. Retrieved August 31, 2011.
  46. Schellevis, Joost (August 31, 2011). "Overheid vertrouwt blunderende ssl-autoriteit". Tweakers.net (in Dutch). Archived from the original on September 28, 2011. Retrieved August 31, 2011.
  47. Schellevis, Joost (August 31, 2011). "Firefox vertrouwt DigiD toch na verzoek Nederlandse overheid". Tweakers.net (in Dutch). Archived from the original on September 28, 2011. Retrieved August 31, 2011.
  48. "Bugzilla@Mozilla – Bug 683449 - Remove the exemptions for the Staat der Nederlanden root". Archived from the original on May 2, 2012. Retrieved September 5, 2011.
  49. Gervase Markham (September 3, 2011). "DigiNotar Compromise". Archived from the original on September 25, 2011. Retrieved September 3, 2011.
  50. "Security of Dutch government websites in jeopardy". Radio Netherlands Worldwide. September 3, 2011. Archived from the original on September 27, 2011. Retrieved September 3, 2011.
  51. 1 2 Newsrelease Dutch Government: Overheid zegt vertrouwen in de certificaten van Diginotar op Archived October 17, 2011, at the Wayback Machine , September 3, 2011. Retrieved September 5, 2011.
  52. Charette, Robert (September 9, 2011). "DigiNotar Certificate Authority Breach Crashes e-Government in the Netherlands - IEEE Spectrum". Spectrum.ieee.org. Archived from the original on February 3, 2014. Retrieved January 24, 2014.
  53. See certificate on Request DigiD account [ permanent dead link ]. Retrieved September 5, 2011.
  54. Website Logius:Replacing Certificates. Retrieved September 5, 2011.
  55. 1 2 "PKIoverheid SSL". Archived from the original on July 12, 2012.
  56. 1 2 PKIOverheids certificates Archived October 10, 2011, at the Wayback Machine . Retrieved September 5, 2011.
  57. 1 2 Website Dutch office of Quovadis on PKIOverheid Archived October 10, 2011, at the Wayback Machine . Retrieved September 5, 2011.
  58. Website Getronics on Requesting PKIOverheid certificate Archived October 10, 2011, at archive.today . Retrieved September 5, 2011.

Further reading

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.