First, some background for those of you who might be unaware of how vital these digital certificates are to the use of the Internet. A digital certificate, also called an identity certificate or a public key certificate, is an electronic document that uses a digital signature to bind a public key to a specific identity. Secure and accurate knowledge of an identity on the Internet is vital to secure transactions.
A Certificate Authority is the entity that attests to the accuracy of the digital certificates it issues. Hacks against these certificate authorities over the past few months have rendered some digital certificates useless as secure identification schemes.

DigiNotar, a Dutch Certificate Authority, has recently admitted that it had understated the scope and severity of the hacking which hit it last month. The Dutch government uses some DigiNotar certificates for transactions for university enrollment and tax filing, among other functions, and has banned use of DigiNotar certificates throughout the government's Web sites. Citing problems that may arise with existing transactions, the government has begun a phased migration to replace the digital certificates. Though the Dutch government has not told the public to avoid using the Web sites, both courts and lawyers in the Netherlands have advised that any government transactions normally done over the Internet should be done instead by fax or regular mail.

Microsoft and Google have already banned the use of DigiNotar certificates within their respective browsers as indicators of secure Web sites; Mozilla has given DigiNotar a deadline of September 15th to improve the situation. Last week, a hacker identifying himself as "Ich Sun" claimed responsibility not only for the DigiNotar attack, but also for earlier attacks on Comodo, an American Internet security company, on StartCom, an Israeli Certificate Authority, and on GlobalSign, a Japanese-owned Certificate Authority.
In response, GlobalSign stopped issuing digital certificates last Tuesday and invited an audit firm to examine its systems for any evidence of hacking. However, on Monday, September 12th, GlobalSign announced that the only evidence discovered within its systems was an access breach of an isolated web server and that it will resume issuing certificates on Tuesday.
In his announcement, however, the hacker had promised that at least three more hacking efforts would follow in the near future, implying that more digital certificates may soon be at risk. Web hosting providers and any other company depending on the Internet for business needs should stay aware of the latest developments in this situation.









