Mozilla do a follow-up on the issue, why do they take governments word? I am not against Dutch government, even this was US government or any other under same situation, I would start to doubt on the issue and possibly even expand to other decisions the government has made.
Anyway, go read the press release of VASCO (owner of DigiNotar). I say they tried to cover up. They said they had detected on July 19th. Well, despite thats 9 days late, they seemed to inform no one, not even one of those companies which were the targets. According to Wikipedia, Yahoo!, Mozilla, WordPress and The Tor Project were also the victims.
I searched for the news and found no entries about it. Either those companies decided being quiet if DigiNotar did notify them or DigiNotar kept everything to themselves.
But I doubted DigiNotar had notified anyone, after Google got the report, they notified Mozilla as well as other browsers maker. I am sure there were more they have notified. We even need to get a short list of those companies from Wikipedia.
On July 19th 2011, DigiNotar detected an intrusion into its Certificate Authority (CA) infrastructure, which resulted in the fraudulent issuance of public key certificate requests for a number of domains, including Google.com.
This sounds very interesting, they only mentioned Google because thats been well known. Why they didnt list? And why didnt they said something like We have notified those domains owners for blah blah blah? That would make them look like a responsible company.
Why didnt say that because they didnt notify, thats logic conclusion, hence they dont take responsibility seriously.
As the follow-up stated no one knows how serious this actually is. I said no one which include DigiNotar because they said
Recently, it was discovered that at least one fraudulent certificate had not been revoked at the time. After being notified by Dutch government organization Govcert, DigiNotar took immediate action and revoked the fraudulent certificate. [emphasis added]
Wow, at least one, may I ask which is that the one? Oh Google, yea, right, we all know about it. Its getting better, more funny, it said after it being notified by Dutch government organization Govcert. I believe Govcert was notified by Google.
I dont know if it tried to make Dutch government looks good or just being dumb to include this into press statement.
You are a company about security and you need to be notified by the government? Itd been a big news around Internet.
I truly doubt they were telling the truth about whom notifying them. Because DigiNotar must be on top 3 to be notified by Google, its the issue source, is it not? They didnt mention Google.
If you combine at least one and they had detected and revoked the certificates on July 19th, you just couldnt stop asking how on Earth they had missed one and thats Google?
You must have auditing log, how come you could miss one? If they said didnt have if they say the auditing was bypassed, oh meh I would even believe the hacker had their private key, everything.
The fun didnt stop yet,
The incident at DigiNotar has no consequences whatsoever for VASCOs core authentication technology. The technological infrastructures of VASCO and DigiNotar are completely separated, meaning that there is no risk for infection of VASCOs strong authentication business.
Sorry DigiNotar, even your are my child, I gotta cut you off. But you cant blame VASCO and they are telling the truth, DigiNotar was bought in June. One month later, . Bad investment, I would say.
Finally, the standard part:
VASCO expects the impact of the breach of DigiNotars SSL and EVSSL business to be minimal. Through the first six months of 2011, revenue from the SSL and EVSSL business was less than Euro 100,000.
VASCO does not expect that the DigiNotar security incident will have a significant impact on the companys future revenue or business plans.
Why did they try to mention its business scale? Did that mean they didnt make much, so they didnt have to take the security too serious?
May I extend second paragraph to imply investors and whoever requires security are so dumb, therefore they cant see the serious trust issue when they evaluate DigiNotar and its services?
There are two types of companies would be bought: one is having great potential and its good to add into portfolio; another is bad bad bad, so its cheap like a penny on the ground.
Which one would DigiNotar be?
1 Little serious stuff
After I deleted the certificate in Firefox, I noticed there is a system-wide DigiNotar certificate, installed by app-mise/ca-certificates from Debian.
I would say distributors does much better job on security issues.
- 2011-08-31 02:00:55 UTC Debian1, reported at 2011-08-29 21:21:35 UTC.
- 2011-09-01 15:14:49 UTC Fedora, reported at 2011-08-31 06:54:00 UTC.
- 2011-08-31 17:25:31 UTC Gentoo, reported at 2011-08-30 13:38:54 UTC.
- 2011-09-01 15:47:52 UTC Ubuntu, reported at 2011-08-30 17:32:36 UTC. (Firefox fixed at 2011-08-30 18:15:51)
Go do a system update, yep, now.
Note that Mozilla posted at 2011-08-29T02:08:56, I believe its Pacific time, that would be 2011-08-29 09:08:56 UTC.
I wrote at 2011-08-30T03:38:00 UTC and I checked DigiNotars website, it was not released at that moment.
Mozilla needed time to verify, to prepare, everyone should be notified around the same time by Google, that included VASCO and DigiNotar. One day later after Mozilla posted about it and probably longer, they hadnt released statement?
Its security matter and you can take that long? If they are smart they should have prepared a draft ten minutes later after Google just notified them. Its serious. I bet they were gambling that nothing would come up big, so they didnt prepare a statement. Which is worse? not so smart or still think they can cover up?
Of course, I assume Google did notify them.
2 Conclusion
I dont know if security business is kind of one mistake then you are done. Or one mistake, you would still be fine if you can cover up or take care of it very well. But in my opinion they are dealing with it very badly.
From what I see, DigiNotar has been distrusted by many and its not going get their trust back for a long long time. If you have your certificate removed, you are pretty much done. Wait, its blacklisted, its overcooked.
3 (Edit)
HOLOSTORY
Somewhere, sometime ago, after receiving a phone call someone fires up Microsoft Word, File, Open, Go to Desktop, Misc folder, Misc of Misc folder, Backup folder, Misc folder, Company folder, .
Nope, not that one, not the My Cat folder, THE company folder, yes, that one. Press Release folder, BEST Universal Template (by YOUR OFFICE SAVIOR company) folder, Emergency word file.
Edit the title, Use Search/Replace to replace the names. Change the date. Spell Checker. Double check or call in his/her intern or drag-and-drop on interns contact on IM, then drop a line saying chk8vthing, close the chat box, then switch status to DND from Busy.
While his/her intern is making sure hiring the intern every penny is worth, this person resumes his/her Solitaire and Bejeweled and the score continues to climb up
PRESS RELEASE
TOSS MOTHERSHIP, Voidspace Stardate 56789.0 PROTOSS Inc.
The holostory scattering on every subspace channel implying about PROTOSS probe is just pure cheese and it has nothing to do whatsoever readers think about someone or something. If the scenario was indeed happening in real world, its completely coincident.
Those information in the story is completed shenanigan, the sheild is not bleached and everything is functioning at capability 100.01%.
PROTOSS expects the impact of fabric story to be minimal. Through Stardate 56234.2 to 56770.4, revenue was less than Gold-Pressed Latinum 100,000.
PROTOSS does not expect this incident will have a significant impact on the its future mineral revenue or production plans.
This press release is approved by FCA with Rule Acquisition 203 and 239.