
August 2011

Stamping out the DigiNotar Certificate Threat

This article has been updated as new mitigation measures have been announced.

Computer World, F-Secure, and others have reported that attackers have obtained a digital certificate from DigiNotar, a Dutch certificate provider, for the domain Owning a certificate of this kind allows an attacker to impersonate servers or intercept traffic between users who trust the SSL certificate for a third level label such as "mail" or "doc" or "plus". In plain speak, an attacker can potentially capture (or alter) what you send, post or publish in Gmail, Google Docs or Google+.

Microsoft quickly issued an advisory and removed the DigiNotar root certificate from the list of trusted root certificates on Windows Vista and above. They updated Advisory 2607712 on 6 September to treat all DigiNotar certificates as untrustworthy and moved the certificates to the Untrusted Certificate Store. Mozilla has published removal instructions here. Google reports that Chrome was able to detect the fraudulent certificate.

Mac users must remove the root certificate from the OS X Keychain. The folks at Coriolus Systems have published an easy-to-follow set of instructions for using Keychain Access to mark the DigiNotar Root CA as not trusted for all users here.

Take a moment to mitigate this threat

On Friday 9 September, Apple issued Mac OS X Security Update 2011-005 (Article: HT4920). The Update removes DigiNotar from the list of trusted root certificates and from the list of Extended Validation (EV) certificate authorities. It also configures default system trust settings so that DigiNotar's certificates, including those issued by other authorities, are not trusted.

Some folks question whether this is a case of using a hacksaw when a scalpel might be more appropriate.

There's little choice.

Previously, I wrote that until DigiNotar discloses the list of fraudulently issued domains, the prudent alternative is to treat any certificate issued by this root certificate authority as not trusted. It now appears that over 500 SSL certificates were fraudulently issued, including intelligence agency domains and other high-profile brands (Microsoft, Android, AOL and more). The Dutch government's CERT (GovCERT.NL) has withdrawn its trust in DigiNotar certificates and has issued a Fact Sheet with additional details. Lastly, Fox IT has published an interesting interim report on the DigiNotar breach that is well worth reading.
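The vendor fixes above all come down to one thing: no certificate whose subject or issuer chain names DigiNotar should be trusted. As an added example (not from the original post), here is a Python check that inspects the CA certificates OpenSSL has loaded and flags any DigiNotar entry, using only the standard library `ssl` module. It only sees certificates Python's OpenSSL trust store loads (not the Keychain or Windows store directly), and `get_ca_certs()` lists only CA certificates; the sample records below are constructed, not real DigiNotar data.

```python
import ssl

# Names that should never appear in a trusted CA's subject or issuer.
DISTRUSTED_NAMES = ("DigiNotar",)


def name_to_str(name):
    """Flatten an ssl-style name tuple ((("commonName", "X"),), ...) to 'k=v, k=v'."""
    return ", ".join(f"{k}={v}" for rdn in name for k, v in rdn)


def flag_distrusted(certs, needles=DISTRUSTED_NAMES):
    """Return the certs (as dicts from SSLContext.get_ca_certs()) that mention a distrusted name.

    Both subject and issuer are checked, so a CA certificate that DigiNotar
    signed for another authority is caught too, not just the root itself.
    """
    hits = []
    for cert in certs:
        subject = name_to_str(cert.get("subject", ()))
        issuer = name_to_str(cert.get("issuer", ()))
        haystack = (subject + " " + issuer).lower()
        if any(n.lower() in haystack for n in needles):
            hits.append({"subject": subject, "issuer": issuer,
                         "serialNumber": cert.get("serialNumber")})
    return hits


def scan_default_store():
    """Scan the CA certificates Python loads by default on this host."""
    ctx = ssl.create_default_context()  # calls load_default_certs() for us
    return flag_distrusted(ctx.get_ca_certs())


def scan_pem_bundle(path):
    """Scan an exported PEM bundle, e.g. one dumped from a keychain or cert store."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=path)
    return flag_distrusted(ctx.get_ca_certs())


# Constructed sample records in the shape get_ca_certs() returns (serials are placeholders).
SAMPLE_CERTS = [
    {"subject": ((("countryName", "NL"),), (("organizationName", "DigiNotar"),),
                 (("commonName", "DigiNotar Root CA"),)),
     "issuer": ((("countryName", "NL"),), (("organizationName", "DigiNotar"),),
                (("commonName", "DigiNotar Root CA"),)),
     "serialNumber": "01"},
    {"subject": ((("commonName", "Example Public Intermediate CA"),),),
     "issuer": ((("organizationName", "DigiNotar"),), (("commonName", "DigiNotar Root CA"),)),
     "serialNumber": "02"},
    {"subject": ((("commonName", "Example Trusted Root"),),),
     "issuer": ((("commonName", "Example Trusted Root"),),),
     "serialNumber": "03"},
]

if __name__ == "__main__":
    for hit in flag_distrusted(SAMPLE_CERTS) + scan_default_store():
        print("DISTRUSTED:", hit)
```

Running it prints the two constructed DigiNotar-linked records and then anything from the live store; on a patched system the second list should be empty.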

What if everyone let his (or her) CISSP lapse?

Let me begin by saying that my tweet to @st0ckym4c wasn't intended to be a call to action. I'm not suggesting that anyone make this decision without carefully weighing the matter. But suppose a boycott of this kind were to materialize? What would we like to see emerge from the program's ashes?

Criticisms of the CISSP Program

First, let's set aside issues of cost-benefit and the ethics of the certification program operators. These have been more than amply addressed by others. Rather, let's focus on some criticisms of the CISSP I frequently hear or read (approximations, not actual quotes):

  • it doesn't measure necessary or practical skills
  • the people who are certified can't fill the security position I really need to fill
  • it's a tax I have to pay to compete in the job market
  • it's trivial to pass even for people who've never held a job in security

Areas for Improvement

If we accept these as general areas for improvement, what should a "more practical" security certification program measure?

1) Test critical and agile thinking. If we accept the generally held opinion that hackers are clever and quick to act, then it follows that measuring how well a candidate is likely to compete against such adversaries is valuable.

2) Test for operational experience as a primary competency. Critics and advocates alike describe the CISSP as a program for security policy and decision makers. While the program does require experience in the field, one can get a CISSP without ever having held an operational role. We can't only train officers. We need superior ground forces (field experience) as well, and we need a way to distinguish these from raw recruits.

3) Test the ethics of the candidate. Security practitioners ought to be able to demonstrate that they can be held to standards of ethics. We need a basis for establishing confidence not only in the skills security practitioners possess but in their applying them appropriately.

What I want from the CISSP or any certification program is that it challenge the candidate, cover relevant subject matter, and be hard to pass.

Course Correction

Perhaps what we need most in certification programs is a course correction. For OpSec purposes, we have other gauges for determining baseline competency than certifications (we used to call them "breaking-in periods").

Certifying thousands of candidates with a baseline of competencies, while profitable, is like a traditional military recruiting program. You get a large number of serviceable ground troops. That's important and if this is your business, then be truthful about your focus when you promote your program.

However, if there is even a grain of truth in the claim that we are fighting elite hackers, then it's time to think about creating elites of our own. We lack a program that helps us identify the exceptional talent. Perhaps it's time to develop a security professional corollary to the US Navy SEAL indoc program (in intensity, education, non-physical training and commitment). Only the best survive such a program.

Imagine what the survivors could contribute.