DigiNotar B.V., a unit of VASCO Data Security International, Inc., is an Internet Trust Service Provider based in the Netherlands. Part of their business involves issuing digital certificates. In other words, they are a CA, or Certificate Authority.
You use digital certificates when you access a secure website, for example. If the certificate presented to your browser by the website is valid, no problem. But if for any your browser does not trust the website’s certificate, it will throw up a page complaining that the website’s certificate is not valid, or has expired. And you will usually be given the choice to issue a security exception or exit from the session.
Unless you can verify by some other means, issuing security exceptions for invalid or expired certificates is a very bad idea. As paranoid as I can be about security matters, I have been guilty of that several times. I will have to raise my level of cautiousness to another level.
In any case, DigiNotar’s security system was compromised and they failed to notify everybody they were supposed to. A result of that breach is that fake certificates were issued – in DigiNotar’s name – for Mozilla, WordPress, Yahoo!, the TOR Project, and some other websites.
Most of the original press coverage is not in English, but Swa Frantzen has translated some of the published materials from Dutch.
The extent of the damage, or potential for damage, is so bad that The Mozilla Foundation, publishers of the Firefox Web browser, revoked digital certificates issued by DigiNotar. Bad news.
Update: The alleged hacker behind the DigiNotar breach has said that “I have access to 4 more so HIGH profile CAs, which I can issue certs from them too which I will.”
If you are using Firefox or other re-branded Web browser derived from it, and updates have not been available yet, delete DigiNotar from the list of Certificate Authorities.
Here’s how to do it.
From the browser’s menu, select Edit > Preferences. The Preferences window, shown below, should open. Click on “Advanced,” then on the Encryption tab, then on “View Certificates” button.
Scroll down until you see the entry for DigiNotar. Select it, then click on Delete.
Exactly what we want to happen. OK. Back to the previous window, click OK to close it, then click Close on the Preferences window.
That should do it.