|
DigiNotar was a Dutch certificate authority owned by VASCO Data Security International. On September 3, 2011, after it had become clear that a security breach had resulted in the fraudulent issuing of certificates, the Dutch government took over operational management of DigiNotar's systems.〔Website Govcert (Factsheet discovery fraudulent certificates ). Retrieved September 6, 2011.〕 That same month, the company was declared bankrupt. An investigation into the hacking by Dutch-government appointed Fox-IT consultancy identified 300,000 Iranian Gmail users as the main target of the hack (targeted subsequently using man-in-the-middle attacks), and suspected that Iranian government was behind the hack.〔 While nobody has been charged with the break-in and compromise of the certificates (), cryptographer Bruce Schneier says the attack may have been "either the work of the NSA, or exploited by the NSA."〔(【引用サイトリンク】title=New NSA Leak Shows Man-In-The-Middle Attacks Against Major Internet Services )〕 However, this has been disputed, with others saying the NSA had only detected a foreign intelligence service using the fake certificates. The hack has also been claimed by the so-called Comodohacker, allegedly a 21-year-old Iranian student, who also claimed to have hacked four other certificate authorities, including Comodo, a claim found plausible by F-Secure, although not fully explaining how it led to the subsequent "widescale interception of Iranian citizens". After more than 500 fake DigiNotar certificates were found, major web browser makers reacted by blacklisting all DigiNotar certificates.〔http://arstechnica.com/security/2011/09/comodo-hacker-i-hacked-diginotar-too-other-cas-breached/〕 The scale of the incident was used by some organizations like ENISA and AccessNow.org to call for a deeper reform of HTTPS in order to remove the weakest link possibility that a single compromised CA can affect that many users.〔https://www.enisa.europa.eu/media/news-items/operation-black-tulip〕〔(The weakest link in the chain: Vulnerabilities in the SSLcertificate authority system and what should be done about them. An Access Policy Brief Regarding the Consequences of the DigiNotar breach for Civil Society and Commercial Enterprise )〕 == Company == DigiNotar's main activity was as a Certificate Authority, issuing two types of certificate. Firstly, they issued certificates under their own name (where the root CA was "DigiNotar Root CA"). Entrust certificates were not issued since July 2010, but some were still valid up to July 2013.〔A print screen of a Diginotar certificate under the Entrust chain〕 Secondly, they issued certificates for the Dutch government's PKIoverheid ("PKIgovernment") program. This issuance was via two intermediate certificates, each of which chained up to one of the two "Staat der Nederlanden" root CAs. National and local Dutch authorities and organisations offering services for the government who want to use certificates for secure internet communication can request such a certificate. Some of the most-used electronic services offered by Dutch governments used certificates from DigiNotar. Examples were the authentication infrastructure DigiD and the central car-registration organisation Rijksdienst voor het Wegverkeer. The "DigiNotar Root CA" root was included in the trusted root lists of common internet client software but has now been removed; the "Staat der Nederlanden" roots were initially kept because they were not believed to be compromised. However, they have since been revoked. 抄文引用元・出典: フリー百科事典『 ウィキペディア(Wikipedia)』 ■ウィキペディアで「DigiNotar」の詳細全文を読む スポンサード リンク
|