Issuer of rogue Google certs suspends SSL offerings


The company linked to the issuance of rogue Google certificates last July sought to downplay the incident this week, even as it voiced willingness to temporarily suspend the sale of its SSL and EVSSL certificate offerings.

DigiNotar's parent firm VASCO Data Security International maintained DigiNotar acted in accordance with all relevant rules and procedures.

"At that time, an external security audit concluded that all fraudulently issued certificates were revoked. Recently, it was discovered that at least one fraudulent certificate had not been revoked at the time. After being notified by Dutch government organization Govcert, DigiNotar took immediate action and revoked the fraudulent certificate," it said in a statement.

But Vasco said it will take all possible precautions to secure its SSL and EVSSL certificate offering, including temporarily suspending the sale of its SSL and EVSSL certificate offerings.

"The company will take every possible precaution to secure its SSL and EVSSL certificate offering, including temporarily suspending the sale of its SSL and EVSSL certificate offerings. The company will only restart its SSL and EVSSL certificate activities after thorough additional security audits by third party organizations," it said.

It maintained the attack was targeted solely at DigiNotar's Certificate Authority infrastructure for issuing SSL and EVSSL certificates. Vasco insisted no other certificate types were issued or compromised.

"DigiNotar stresses the fact that the vast majority of its business, including its Dutch government business (PKIOverheid) was completely unaffected by the attack," it said.

Vasco also said DigiNotar expects to have a solution for its entire customer base before the end of this business week, and that the cost of this action "will be minimal."

"The incident at DigiNotar has no consequences whatsoever for VASCO's core authentication technology. The technological infrastructures of VASCO and DigiNotar are completely separated, meaning that there is no risk for infection of VASCO’s strong authentication business," it added.

Vasco also said it expects the impact of the breach of DigiNotar’s SSL and EVSSL business to be minimal.

"Through the first six months of 2011, revenue from the SSL and EVSSL business was less than Euro 100,000. VASCO does not expect that the DigiNotar security incident will have a significant impact on the company’s future revenue or business plans," it said.

Earlier, the discovery of the rogue SSL certificates prompted browser makers Mozilla and Google to ready patches for their browsers.

"(With the fraudulent SSL certificate), users on a compromised network could be directed to sites using a fraudulent certificate and mistake them for the legitimate sites. This could deceive them into revealing personal information such as usernames and passwords," Mozilla said.

Mozilla said the sites using a fraudulent certificate may also deceive users into downloading malware if they believe it is coming from a trusted site. It added it had received reports of these certificates being used "in the wild."

For its part, Google indicated it may mark DigiNotar as untrusted in the next release of its Chrome browser. Issue 7795014 on the Chromium Code Reviews website aims to "Mark DigiNotar as untrusted." — TJD, GMA News