David Heath
Thursday, 08 September 2011 15:46
Business IT - Security
Some weeks ago, nefarious people hacked a digital certificate vendor and issued themselves bogus certificates. The main browser producers are responding. iTWire recommends updating ALL browsers immediately.
Some time in July, Dutch-based Certificate Authority DigiNotar was infiltrated and (at last count) over 500 bogus certificates were issued.
What does this mean to the average Internet user?
Simply that, using a bogus certificate, it is trivial for a technically competent person to have their own web server pretend to be (for instance) Gmail and convince Internet users to connect to their site. The browser will accept the (bogus) signed certificate as proof of the validity of the website and show the secure padlock (or green URL bar) to indicate all is OK.
Unfortunately all is NOT OK!
As yet, it cannot be determined how many certificates were issued (beyond those already detected) and for what web sites, so to show as much caution as possible, browser manufacturers are revoking the acceptance of ALL certificates issued by DigiNotar.
Early evidence suggests that this was designed to target Iranian Internet users - possibly to gain as much information about anti-government people as possible (email addresses and passwords, Facebook access, etc.).
It is this out-of-cycle Windows update that is hitting Windows PCs as I write. iTWire STRONGLY recommends applying the update as soon as possible.
In addition, Firefox has also issued an update for the same reason; the built-in updater will download and apply the patch the next time you use Firefox.