DigiNotar Removal Follow Up

Johnathan Nightingale


Earlier this week we revoked our trust in the DigiNotar certificate authority from all Mozilla software. This is not a temporary suspension, it is a complete removal from our trusted root program. Complete revocation of trust is a decision we treat with careful consideration, and employ as a last resort.

Three central issues informed our decision:

1) Failure to notify. DigiNotar detected and revoked some of the fraudulent certificates 6 weeks ago without notifying Mozilla. This is particularly troubling since some of the certificates were issued for our own addons.mozilla.org domain.

2) The scope of the breach remains unknown. While we were initially informed by Google that a fraudulent *.google.com certificate had been issued, DigiNotar eventually confirmed that more than 200 certificates had been issued against more than 20 different domains. We now know that the attackers also issued certificates from another of DigiNotar’s intermediate certificates without proper logging. It is therefore impossible for us to know how many fraudulent certificates exist, or which sites are targeted.

3) The attack is not theoretical. We have received multiple reports of these certificates being used in the wild.

Mozilla has a strong history of working with CAs to address shared technical challenges, as well as responding to and containing breaches when they do arise. In an incident earlier this year we worked with Comodo to block a set of mis-issued certificates that were detected, contained, and reported to us immediately. In DigiNotar’s case, by contrast, we have no confidence that the problem had been contained. Furthermore, their failure to notify leaves us deeply concerned about our ability to protect our users from future breaches.

Staat der Nederlanden Certificates

DigiNotar issues certificates as part of the Dutch government’s PKIoverheid (PKIgovernment) program. These certificates are issued from a different DigiNotar-controlled intermediate, and chain up to the Dutch government CA (Staat der Nederlanden). The Dutch government’s Computer Emergency Response Team (GovCERT) indicated that these certificates are issued independently of DigiNotar’s other processes and that, in their assessment, these had not been compromised. The Dutch government therefore requested that we exempt these certificates from the removal of trust, which we agreed to do in our initial security update early this week.

The Dutch government has since audited DigiNotar’s performance and rescinded this assessment. We are now removing the exemption for these certificates, meaning that all DigiNotar certificates will be untrusted by Mozilla products. We understand that other browser vendors are making similar changes. We’re also working with our Dutch localizers and the Bits of Freedom group in the Netherlands to contact individual site operators using affected certificates (based on the EFF’s SSL Observatory data).

The integrity of the SSL system cannot be maintained in secrecy. Incidents like this one demonstrate the need for active, immediate and comprehensive communication between CAs and software vendors to keep our collective users safe online.

Johnathan Nightingale
Director of Firefox Engineering

70 responses

  1. Dave wrote on :

    >The sad thing is you can’t even blame race-to-the-bottom pricing
    >in this case, the DigiNotar certs were about a thousand euros.

    Diginotar had been issued a monopoly license to print money by the Dutch government. It’s surprising they didn’t charge a million euros per cert, since there was no-one else you could go to.

  2. Thaddy wrote on :

    As a Dutchman and as a security professional I really appreciate this.
    I suspect this was always the deal: hardcoded exceptions is pollution.
    Our government was sensible enough to agree and just needed a couple of days to do the assessments. Am I right?
    I think this goes to show that at least our government is not afraid to take extreme and never seen before action at short notice.
    Now, how did Comodo got away with almost the same?

  3. Jeroen wrote on :

    When will the update be ready? Dutch citizens communicating with the government have been vulnerable since July 10 — it is confirmed that the PKI Overheid chains were also hacked — they need security warnings ASAP.

  4. colfer wrote on :

    Why is the July 1 exemption still in the code?

  5. Daniel Veditz wrote on :

    Jeroen: We’re currently testing the fix and plan to release Tuesday morning. If people are impatient to get the fix they can download an “Aurora” build from http://www.mozilla.org/en-US/firefox/channel/ or download the candidates themselves from



  6. Daniel Veditz wrote on :

    jmdesp: we’re considering cert pinning but would prefer a distributed model to Google’s hardcoding–hardcoding doesn’t scale and not very open. Still, it clearly works and might be better than nothing in the short-term.

  7. piet wrote on :

    Too bad the 6.0.1 update has the “Staat der Nederlanden” exception built-in. I can’t untrust the diginotar cert that’s subordinate to “Staat der Nederlanden” manually either it seems.

  8. Daniel Veditz wrote on :

    Ken Dawber: a “competent party” taking over DigiNotar’s root and responsibilities doesn’t put the genie back in the bottle — an unknown number of fraudulent certificates are out there and being used and not enough is known to block just those certificates. It is unfortunate this action impacts other innocent DigiNotar customers but it is the only remedy. DigiNotar’s failing puts everyone on the web at risk, many multiples more people than are harmed by yanking DigiNotar.

    “Judge, Jury and Executioner” doesn’t apply.DigiNotar does not have a right to a trusted root in Mozilla products, and Mozilla’s action only affects Mozilla’s users. DigiNotar is free to continue using their certificate and users who think we’ve made the wrong call are free to use another browser.

  9. Thaddy wrote on :

    Staat der Nerderlanden is also withdrawn. Jeroen: ITYS
    Good and sensible handling by all parties, btw.

  10. Name wrote on :

    This blog post does not explain why Mozilla gave credulence to the Dutch government’s assertions that the PKIoverheid program was safe. Especially in light of the revelation that the Dutch government itself concluded that this assertion was false, I think this warrants a little more commentary on Mozilla’s behest.

  11. Bob Relyea wrote on :

    re: datebase revocation.

    That’s an idea that we are looking at implementing. The Comodo case showed holes in our ability to knock out specific certificates. Patches for some of these issues are still working their way in our system. DigiNotar has now shown other holes. We’ve handled both of these cases initially way up in the PSM processing of of SSL certificates because it provided us with the broadest coverage for the quickest time. Patches would handle some of these issues are making their way through the system. As they get applied, additional patches will help fill in the holes.

    Date based revocation (where the valid dates a leaf cert can have is constrained by the CA) is definately in the cards. In addition, we may make the constraint on a public key or String in the DN as well.

  12. Thaddy wrote on :

    IMNSHO opinion: the Comodo case still sucks. I think the Dutch government did an unprecedented step to acknowledge the insecurity of their certificates. And in only three days (this is a government, mind you)

    This is a GOOD thing for the internet, just as the Comodo case is a BAD thing.

    And open source proved its strength, if I would have read the hardcoded snippets about the exclusion/inclusion of certain certificate series and it was April fool’s day you “wouldn’t have fooled me”…

  13. thaddy wrote on :

    Jeroen, Piet: the security warnings are mostly in place, I am surprised to say. But if Donner says so, somebody listens and the rest falls to sleep (Dutch Joke):
    For the non – Dutch: The Dutch government withdrew all certificates of DigiNotar AND all public ones issued by itself and most of the affected sites indeed show an appropiate warning.
    Some rather big municipalities DO NOT COMPLY YET however, exposing a potential 4 mil. (as of saterday 23:00 CET).

    And the government has given ample warning internally the last few days and externally from yesterday. They also withdrew all statements that anything was safe. The reversed it: nothing is safe, unless.

    Which it seems is in a large part due to temporary patchwork from the side of the internet community as a whole.
    All in all: seems to be handled in a sensible way. I really can’t imagine a better short term solution than seems to be executed in this case.

    We are experiencing/living history here, nobody get’s that?

  14. Boris wrote on :

    Jasem, it’s still in the Cert store so it can be marked explicitly untrusted without possibility of override. Your removing it makes it like any other unknown certificate (that is, gives you the option to trust it when you see it). As in, it makes you _less_ secure.

  15. Alex Bishop wrote on :

    Ramón Antonio said: “Don’t know what is the policy to select CA”

    It’s described at: http://www.mozilla.org/projects/security/certs/policy/

  16. colfer wrote on :

    The date exemption for being able to override is still in the code:

    security/manager/ssl/src/nsNSSCallbacks.cpp on mozilla-release:
    1043 // If any involved cert was issued by DigiNotar,
    1044 // and serverCert was issued after 01-JUL-2011,
    1045 // then worsen the error to revoked.

    Aside from there being no evidence July 1 is a safe cut-off, can the dates be forged?

  17. Metasansana wrote on :

    My my, isn’t it an exciting time to be into Internet security?

  18. rbdg wrote on :

    Echoing what @jasem said earlier. Installed v6.0.1 @ 0500Hr (GMT+8) today and found DigiNotar STILL listed as trusted CA.

    The worst part of it all is that I was running v5.0 before the update and had ALREADY REMOVED DigiNotar MANUALLY.

    QUESTION for JN:
    Does it mean that FF minor/major version updates/upgrades have/will routinely ignored/ignore custom CA additions/removals and have/will always overwritten/overwrite the customized CA list???

    Been a FF fan for years, but maybe it’s time to ponder switching over to Chrome fulltime? *SIGH*

  19. Hay wrote on :

    Hi everyone,
    one of thing that isn’t clear to me after reading all the news on the revoking of the root Staat der Nederlanden CA certificate is what will happen to older browsers. It is a well known fact that users are slow in upgrading their older browsers, so what will happen if a user with an older browser visits a site using the affected root CA? And if the Staat der Nederlanden releases a new certificate how do they get that in their browser? I’ve read some stuff about Windows automatically updating certificates with Windows Update, but i’m not sure if that also affects Firefox and other browsers.

  20. Robert wrote on :

    Fox-IT has just released an interim report on the DigiNotar breach.
    Available at http://tweakimg.net/files/upload/Operation+Black+Tulip+v1.0.pdf

More comments: 1 2 3 4