Hackers who obtained a fraudulent digital certificate for Google may have actually obtained more than 200 digital certificates for other top internet entities such as Mozilla, Yahoo and even the privacy and anonymizing service Tor.
Dutch certificate authority DigiNotar, which was hacked in July, has never acknowledged the number of fraudulent certificates the hackers managed to obtain, nor identified the possible targets other than Google.
But a Dutch security consultant told ComputerWorld this week that “about 200 certificates were generated by the attackers.”
Hans Van de Looy, who spoke with the publication, wouldn’t reveal his source, but the number he cited is close to the number of certificates that Google has since placed on the blacklist for its Chrome web browser. On Monday, Google increased the number of certificates its browser was blacklisting from 10 to 247.
News about the hack at DigiNotar broke this weekend after reports began circulating from people in Iran who claimed they were getting browser error messages when they tried to load the Gmail website. Google subsequently confirmed that a fraudulent Google certificate issued to a non-Google entity was operating in the wild, allowing someone to conduct a man-in-the-middle attack to intercept Gmail browsing.
DigiNotar, which is owned by Illinois-based Vasco Data Security, is one of numerous firms around the world that are authorized to issue security certificates to internet entities. The certificates authenticate web pages using the Secure Sockets Layer protocol so that users can trust that their encrypted communication is going to the correct location.
DigiNotar acknowledged on Monday that it discovered the breach back on July 19 and said it had revoked all of the certificates the intruders had managed to obtain. But the Google certificate, which had been generated by the intruders on July 10, managed to slip past DigiNotar’s auditors, raising speculation that the Dutch company missed others as well.
Mozilla, which makes the Firefox browser, has since acknowledged that the attackers managed to obtain a certificate for the secure page hosting add-ons for its browser.
DigiNotar has been criticized for not disclosing the breach earlier to browser makers or to the companies, like Google and Yahoo, that have had their digital certificates commandeered.