A well known security firm warns that the number of compromised digital security certificates from DigiNotar, a Dutch certificate authority outfit owned by VASCO Data Security International, has doubled in size over the past week from 250 false SSL certificates to 531. False certificates have now been issued for Facebook, Google, Tor, Skype, Mossad, CIA, MI6, Twitter, and several other high profile sites.
"This is really bad news. As DigiNotar is a 'root' certificate, they can assign authority to intermediaries to sign and validate certificates on their behalf," security firm Sophos explains. "It appears the attackers signed 186 certificates that could have been intermediate certificates. These certificates masqueraded as well-known certificate authorities like Thawte, Verisign, Comodo, and Equifax."
According to Sophos, users of IE and Safari on Windows 7/Vista/2008/2008R2, as well as Chrome and Firefox on all platforms, are immune from exploitation, so long as you're rocking a fully patched browser and OS. Things aren't as peachy for Apple users.
"Mac OS X users using the latest Chrome and Firefox (6.0.2) versions are fine, but Safari and OS X itself have not been patched," Sophos says. "There are instructions on doing so on the ps | Enable blog, although it is non-trivial."
Many security experts believe Iranian hackers are to blame, and at least one hopes this will serve as a wake-up call to the U.S. government.
"Now that someone (presumably from Iran) has obtained a legit HTTPS cert for CIA.gov, I wonder if the US gov will pay attention to this mess," security and privacy researcher Christopher Soghoian tweeted over the weekend.
The big deal with stolen certificates is that they can be used in so-called "man-in-the-middle" attacks, in which users think they're visiting a legitimate, secure site but are really talking to an attacker who presents one of the fraudulent certificates for it.
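Why the Sophos point about intermediates matters, and why the patches above amount to distrusting the DigiNotar root, can be shown with a small chain-validation model. This is an added example, not code from the article or from Sophos; the keys and certificates are constructed, and the issuer-fingerprint match is a stand-in for real X.509 signature verification.

```python
import hashlib
from dataclasses import dataclass

# Simplified model (added example): a certificate binds a subject name to a
# public key and identifies its issuer by the fingerprint of the signing key.
# Real validation verifies a signature with the issuer's public key; the
# fingerprint comparison here stands in for that step, but the shape of the
# trust decision is the same.

def fingerprint(public_key: str) -> str:
    return hashlib.sha256(public_key.encode()).hexdigest()[:16]

@dataclass(frozen=True)
class Cert:
    subject: str
    public_key: str
    issuer_fpr: str  # fingerprint of the key that signed this certificate

def validate(leaf: Cert, pool: list, trusted_root_fprs: set, max_depth: int = 5) -> bool:
    """Walk from the leaf towards a root. Trust is decided by which key signed
    each link, never by the name printed in the subject field."""
    cert = leaf
    for _ in range(max_depth):
        if cert.issuer_fpr in trusted_root_fprs:
            return True
        issuers = [c for c in pool if fingerprint(c.public_key) == cert.issuer_fpr]
        if not issuers:
            return False
        cert = issuers[0]
    return False

# Constructed sample data; none of these are real keys or certificates.
DIGINOTAR_ROOT_KEY = "diginotar-root-key-constructed"
THAWTE_ROOT_KEY = "thawte-root-key-constructed"

# An intermediate whose subject claims to be Thawte but whose signing key is
# the DigiNotar root, with a leaf for google.com issued beneath it.
rogue_intermediate = Cert("Thawte Intermediate CA", "rogue-intermediate-key",
                          fingerprint(DIGINOTAR_ROOT_KEY))
rogue_leaf = Cert("*.google.com", "rogue-leaf-key",
                  fingerprint(rogue_intermediate.public_key))
pool = [rogue_intermediate]

def trusts_rogue_chain(distrust_diginotar: bool) -> bool:
    """True if a client with the given trust store would accept the rogue chain."""
    roots = {fingerprint(THAWTE_ROOT_KEY)}
    if not distrust_diginotar:
        roots.add(fingerprint(DIGINOTAR_ROOT_KEY))
    return validate(rogue_leaf, pool, roots)
```

The masquerading subject name buys the attacker nothing once the DigiNotar root is removed from the store, which is exactly what the browser and OS patches do.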