DigiNotar Damage Disclosure

About an hour ago I was contacted by the Dutch Government with more details about the DigiNotar Debacle. It seems that they're doing a great job keeping on top of things and doing the job that DigiNotar should've done in July. They sent a spreadsheet with a list of 531 entries on the currently known bad DigiNotar related certificates.

The list isn't pretty and I've decided that in the interest of defenders everywhere without special connections, I'm going to disclose it. The people that I have spoken with in the Dutch Government agree with this course of action.

This disclosure will absolutely not help any attacker as it does not contain the raw certificates; it is merely metadata about the certificates that were issued. It includes who we should not trust in the future going forward and it shows what is missing at the moment. This is an incomplete list because DigiNotar's audit trail is incomplete.

This is the list of CA roots that should probably never be trusted again:

DigiNotar Cyber CA
DigiNotar Extended Validation CA
DigiNotar Public CA 2025
DigiNotar Public CA - G2
Koninklijke Notariele Beroepsorganisatie CA
Stichting TTP Infos CA

The most egregious certs issued were for *.*.com and *.*.org while certificates for Windows Update and certificates for other hosts are of limited harm by comparison. The attackers also issued certificates in the names of other certificate authorities such as "VeriSign Root CA" and "Thawte Root CA" as we witnessed with ComodoGate, although we cannot determine whether they succeeded in creating any intermediate CA certs. That's really saying something about the amount of damage a single compromised CA might inflict with poor security practices and regular internet luck.

Of particular note is this certificate:
CN=*.RamzShekaneBozorg.com,SN=PK000229200006593,OU=Sare Toro Ham Mishkanam,L=Tehran,O=Hameye Ramzaro Mishkanam,C=IR

The text here appears to be be an entry like any other but it is infact a calling card from a Farsi speaker. RamzShekaneBozorg.com is not a valid domain as of this writing.

Thanks to an anonymous Farsi speaker, I now understand that the above certificate is actually a comment to anyone who bothers to read between the lines:
"RamzShekaneBozorg" is "great cracker"
"Hameyeh Ramzaro Mishkanam" translates to "I will crack all encryption"
"Sare Toro Ham Mishkanam" translates to "i hate/break your head"

Without any further delay, I've uploaded the original spreadsheet and a CSV text file for people who don't trust spreadsheets. The information contained in both files should be the same. Hopefully this information will help people to mitigate certain harm from the DigiNotar Debacle.

AttachmentSize
rogue-certs-2011-09-04.xlsx106.41 KB

http://pastebin.com/qrbH3ezi

We've seen the phrase "Janam Fadaye Rahbar" before -- back during Comodogate, the purported hacker explained it on pastebin as translating to "I will sacrifice my life for my leader."

Did you get the expiration dates?

Nope. I've published everything and it does not appear that they included expiration dates.

Ok, first question: who TF are you?

Second question, what should a simple computer user like me do with the 6 CA roots you mentioned. I opened the Keychain Access program on my Mac and there is only a DigiNotar Root CA, none of the ones you listed here.

Thanks for clarifying!

Anonymous and other MAC users,

It appears there is a bug in the Apple Mac OS in that disabaling a root cert does not deiable any EV certs issued under it...

So take care and actually examine all EV certs you get to see.

Regards,

Clive Robinson.

Stupid Ferrari jobs? Israeli Lizard?

"2011-07-10 21:36:31","9d69f4c1849361c63933f08de899b145","DigiNotar Extended Validation CA","unknown","unknown","*.azadegi.com","CN=twitter.com,SN=PK000229200018,OU=DN: CN=*.azadegi.com,TITLE=Shoghale Ahmagh Farari,SN=PK000229200017,OU=Israeli Lizard,L=Mazar sharif,O=Sage Pasokhteye Mozdur,C=IL,L=Mazar sharif,O=Sage Pasokhteye Mozdur,C=IL"

Cheers

"Anonymous said: ... who TF are you?" Lol.

Odd that SN is the abbreviated form of the 'surname' attribute (rather than serial number). has DigiNotar being abusing it, or is it more evidence of their failings?

Sahebeh Donya => Possessor of the World e.g. God.
Sarbazeh Gomnam => Unknown Soldier
Elme Bikaran => Science/Knowledge of the idle/unemployed
Daneshmande Bi nazir => Peerless Scientist
RamzShekaneBozorg => Great Cryptanalyst
Toro Ham Mishkanam => I will breakTOR too
Hameye Ramzaro Mishkanam => Will break all cyphers

Sahebeh Donya => Possessor of the World e.g. God.
Sarbazeh Gomnam => Unknown Soldier
Elme Bikaran => Science/Knowledge of the idle/unemployed
Daneshmande Bi nazir => Peerless Scientist
RamzShekaneBozorg => Great Cryptanalyst
Toro Ham Mishkanam => I will breakTOR too
Hameye Ramzaro Mishkanam => Will break all cyphers

سلام این سایت ادعا کرده که پرتوکول اساس ال تو نیز هک شده است ایا شما تایید میکنید؟
– در خلال جولای 2011 چند ده گواهینامه جعلی دیگر توسط سارقین جمهوری اسلامی ایران صادر می شود. این گواهینامه ها شامل افزونه های موزیلا، پروژه Tor، یاهو و ورد پرس هستند.
4- 18 جولای 2011، 6 گواهینامه جعلی برای پروژه Tor صادر می شوند.
5 – 19 جولای 2011 Diginotar بالاخره متوجه می شود و شماری از این گواهینامه ها را ظاهرا ابطال می کند، شمار بسیار زیادی از گواهینامه های جعلی همچنان در دست سارقین باقی است.
6 - ساعت 06:56 – 20 جولای 2011، برای بار دوم شش گواهینامه جعلی دیگر برای پروژه Tor مورد استفاده قرار می گیرد.
This site also claimed that I hacked my ssl is based Prtvkvl you're OK?
During July 2011 a few dozen other fake certificates are issued by looters Iran. These certificates include extensions, Mozilla project, Tor, Yahoo and WordPress are.
4-18 July 2011, 6, fake certificates are issued for the Tor Project.

6 - 06:56 - 20 July 2011, for the second time in six fake certificates are used for the Tor Project.

What I dont quite get is how somebody could use these certs. If i'm going to anything *.google.com than I see a Google cert. If I go to iam.ahacker.com and it shows up ask me if i want to trust the cert for the url *.google.com even tho It's mismatched than I know something is up. Aside from a modified host file, how would anybody be able to actually do any damage to somebody? Or is that the whole point... that people can get really screwed with a modified host file? Just a junior nerd who is trying to make sense of this.

In country like IRAN the gov controls DNS, so without DNSSEC they decide what's the IP for google.com. Even with DNSSEC or knowing the IP is the ISP that decides what to deliver to you. That's it, without ssl and good CA the bad governments can control all the Internet. See also WiFi cracking and MITM attacks, btw

If someone upstream of you (anyone who controls one of the computers routing the connection between you and Google) gets hold of a *.google.com certificate, they can pretend to be Google to you (or even pass your traffic through to the real Google while eavesdropping on the connection). That's the big worry with these things -- that an ISP or government either intentionally meddles with people's connections or is hacked by someone else to do so.

dns poisoning

Not DNS poisoning per se (although it can be used to route you through to a transparant proxy). Mostly in the less open countries they routinely proxy Internet traffic anyhow so it is not needed.

For anyone that is interested:

Man in the middle attacks allow the traffic through to the real host by proxying the ssl negotiation in the middle. The bad guys have the phoney cert, someone builds an SSL connection to you that is false. The bad guy then build a real connection (using the real cert) to google.com. In the middle, the traffic is now not encrypted and you can eavesdrop on the persons communications without them knowing that it is occuring because, your computer 'trusts' the phony certificate.

If a government could convince an ISP to insert specific DNS records into their service, thereby redirecting anyone who tried to visit those sites, with a compromised certificate situation like the one we're facing, you'd never know. They could intercept your traffic, making note of your username and password (since you're talking to their servers instead of the real ones) and then forward all of your requests back to you, without you ever knowing. Your computer would trust the certificate that the government's servers gave you because they in turn were issued by a CA that our computers trusted.

Bullshit!

Your browser keeps a list of root certifiction authorities (CA) it will trust. So you DO need both: Reedirection to your server AND a certificate that is trusted by a root CA..

That's what he said

Right. And DigiNotar is one of those trusted root CAs, which is why these rogue certs can be maliciously used by the Iranian government.

The point is that if someone uses one of these DigiNotar-signed certificates and you haven't removed the root from your browser, you won't get a mismatched certificate warning - it'll just work, with no errors, showing it as a valid cert for the site.

I have translated a few expressions again:

"2011-07-10 22:05:19","6682ef6ae92d5f8e19e323bdcef6d4f7","DigiNotar Extended Validation CA","unknown","unknown","*.SahebeDonyayeDigital.com","CN=*.SahebeDonyayeDigital.com,SN=PK000229200006592,OU=Elme Bikaran,L=Tehran,O=Daneshmande Bi nazir,C=IR"

Sahebe Donyaye Digital: Owner of Digital Word (Saheb means owner)
Elme Bikaran: Infinite Science
Daneshmande Bi nazir: Unique Scientist

"2011-07-10 22:08:31","585a8ee9017a326d21bd19dce9d9777d","DigiNotar Extended Validation CA","unknown","unknown","*.RamzShekaneBozorg.com","CN=*.RamzShekaneBozorg.com,SN=PK000229200006593,OU=Sare Toro Ham Mishkanam,L=Tehran,O=Hameye Ramzaro Mishkanam,C=IR"

see https://blog.torproject.org/blog/diginotar-damage-disclosure for translation

"2011-07-10 22:11:59","aa239bf9fe84b25444be0799f40c9f67","DigiNotar Extended Validation CA","unknown","unknown","*.JanamFadayeRahbar.com","CN=*.JanamFadayeRahbar.com,SN=PK000229200006594,OU=Sarbaze Gomnam,L=Tehran,O=Ke Jano Janan Toyi,C=IR"

Janam Fadaye Rahbar: I sacrifice my life leader.
Sarbaze Gomnam: Sarbaze anonymous/unknown (Sarbaze means soldier in Persian; Gomnam means anonymous = anonymous soldier)
Ke Jano Janan Toyi: The inner Jano Janan ("Ke Jano Janan Toyi"= "because you are the soul of souls" this is mystical language used in fascist context; the speaker is talking to a great fascist leader)

I've just marked every root certificate in my system as "don't trust". There were 183 of them. 40% didn't have correct or complete metadata. 30% used MD2 or MD5 hashing. 60% expire more than 10 years from now. 20% were from risky governments (not counting the US which had several different roots) or organizations whose official business name includes a TLD, and one, amusingly enough, had a name that outright implied being able to pay them off.

I'll independently verify any certificate I need to use, and trust them at the leaf level (vs. trusting roots or intermediaries). A tiny bit of inconvenience to prevent:

  • Compromised roots from generating certificates I won't notice.
  • MITM live certificate replacement (MD2/MD5 is easy to get collisions on for this purpose).
  • Malicious governments and corporations from eavesdropping. (Okay, that's a little tin-foil-hat, but still.)

Ask yourself not "why shouldn't I trust these certs?" ask instead, "what reason do I have to trust these certs in the first place?"

I assume you have great tinfoil-hatmaking skills.

But how will you know you're communicating with the correct site the first time when you will choose to trust the certificate......

The only way is to trust you DNS provider, which, in a sense, only shifts the problem...

Not actually as bad an idea as it looks, providing they can verify that the cert is signed by who it says it is, this means that the user is trusting the leaf only, with all the same trust chain as before, just with a default deny instead of a default allow policy. All in all not so tinfoil, since we know that a lot of registrars have acted badly, and they have a perverse incentive to issue whatever they are asked for, this is probably just a sane response.

p.s. How many of you have revoked CNNIC lately? ;)

The hash used for the signature on the root cert is pretty meaningless. Those certificates are trusted because they're embedded in the browser, not because their self-signature checks out and can't be forged.

Weak hashes are definitely a problem for every other certificate, just not for roots.

What is right? what is wrong? r new downloads better or old? User from Iran.

For the "man in the street" (in democratic countries) they will trust what they are told to trust (via the media).

Look at the way Diginotar and Vasco try to minimalise things (even in their latest communications), and the government is only communicating passively via websites when they should broadcast on radio and TV and tell everyone how risky this is !!! There is a built in mechanism into browsers to automatically trust sites and when it is discovered this trust isn't valid anymore we try to keep it hidden as much as possible. This is CRIMINAL and any damage arising after today could probably be claimed at the companies and government for not issueing strong warnings to the public !

Investigative report on diginotar debacle http://www.rijksoverheid.nl/onderwerpen/cybercrime/documenten-en-publicaties/rapporten/2011/09/05/fox-it-operation-black-tulip.html (Dutch government site)

hello,
i downloaded tor --- tor-browser-1.3.24_en-US --- in july 13 from Iran, and now I want to know how I can find that if it has been an original version or a hacked one bye Iran governments?

Unrelated to the blog post, but anyway. Check the digital certificate with the file. And make sure it is signed by not-yet-known-to-have-been-hacked CA (i.e Commodo, DigiNotar).

Unfortunately there is no perfect way to tell. That is quite an old version of the Tor browser bundle and so I cannot find the signature for the download anywhere on the torproject site. The current version of the browser bundle is 2.2.32-3 . The signature for this version follows. There really is nothing stopping the government from replacing the files including the signature, and the one I posted here. So if you really want to be safe the only way is to compile from source and look for suspicious code yourself.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.16 (Darwin)

iQEcBAABAgAGBQJOZEDSAAoJEEFvBhBj/uZZX/IIAMg30VXYk2JRXDVG9s9u45bd
b7dygbNdxVRCXXn7QtQy0SgdxLpGGmttdBOrTvAmRwcHxL0+WsyRX/NA9O30eO+V
EQKd2YDs7zIE6ooJKwopuJe744JtsMS/rVibqKmaD23XT5MdGs2QdU43SzV0RBaD
PJNGnMbhYZ0fKKbUg73dj59uUG7dpriKFpSdtMYxqA4Rh+OaolE8O+FFtSL8rcjr
Dvag3m7fsZbQvJOKDLSauMnDQCmX8+Fy6znI7s892erAqlx1UKWdy2ytSJwtGb5F
6RY5JwpzgqP9XEjsQhCZ/bUcPIhbiIVcqD41tR1RR9/j4x+fXwWyzccbI9Vu2B8=
=hjvZ
-----END PGP SIGNATURE-----

Whenever I open Gmail using the Opera browser, it says the connection is not secure and something is wrong with it (at least for more than a year). It refuses to show the "secure connection" mark. It says "The connection is not secure... The server attempted to apply security measures but failed."

Using Firefox (by checking the SSL certificate) I see it is running by "Unknown" and verified by "Thawte Consulting LTD". But in the Excel file provided by DigiNotar, I saw the certificates for Thawte are too faked. Can anybody here tell me whether this Thawte is a fake CA or not?

Can anybody tell me is Opera safer than Chrome? Opera too reported some errors with these fake CAs, even before Chrome. But no one suggests Opera.

Hi
Recently,I have recived a new version package of Tor Browser via Email (gettor@torproject.org) ,I want to know if it is true and can I trust it?

Does the Tor Project send the TBB via email?

From that address?

Yes. See https://www.torproject.org/docs/faq#GetTor

As for how to verify it, the best way is to check the GPG signature that we mail along with TBB. See https://www.torproject.org/docs/verifying-signatures.html.en

But that process is really hard for Windows users, so we're working on instructions that are easier (though probably not as thorough).

Hi Ho

Why there is someone want to have certificate? Maybe all THEY want is to sniff or eve drops on TOR or relates *.0rg and *.c0m.

Maybe to find Who Is Who by scanning all new TOR user?

I really really afraid if my TOR is snnniffeeed by some-GROUP-for-RELIGIOIN-war??

maybe after all?? fantasy rules..

Ok, first question: who TF are you?

they looked some who is ali sina? this is islamic hackers.

Ok, second question: who TF are you?

OK, I hope one of you will take pity on a novice and try to put this topic into a simpler context. I've been trying to force my decidedly middle aged brain into learning more about computer security. A couple of days ago I stumbled upon the CA's in my Firefox settings. I would have likely skipped right on by, but the 1st one was in Turkish which seemed rather bizarre. In a prior life I was a Turkish linguist that's why I noticed. I then ended up researching Ca's till I hit this article.

Can you tell me what this means/suggests/implies/compels me to do? I currently live in Asia, use a Mac, and have a family that does lots of emailing, shopping on Amazon and ebay, etc. Should the CA's mentioned be revoked? Further researched, etc.

And while I mooching your expertise another favor? I'm trying to decide which Tor/add-ons/competitors I should run. I need to balance more privacy with the acceptance that I'm no skilled computer type. I'm trying to get better, but who knows.

Anyway, thanks in advance!

salam,agar kasi hast k betone javabe mano bede lotsan saritar javab bede,man chetori bayad narmafzare toro dashte basham va azash estefade konam??

az ghesmate download download kon!

hi all,unfortunately I cant open any youtube clips! because I have to install mozilla browser and after that when i download adobe flash player i get a fail message.is tore works only by Mozilla?i have internet explorer too and i want to surf with that!
plese help me!

bebakhshidkasi hast bege cetori mishe ba tor kar kard? man downlodesh kardam nemidona chetori bahash kr konam!

Do you have problem with flash installing ,my TOR does not install flash! how can I use media player or other medias?

http://www.youtube.com/watch?v=Z7Wl2FW2TcA&t=5m16s

Syndicate content Syndicate content