Over that last couple of days, most (hopefully all) of the Web clients (browsers) are being updated to revoke the CA (Certificat Authority) for DigiNotar. It’s important that you perform this update.
The reason is simple. They were hacked last week, and several bogus CERTs (SSL private/public key generated certificates used in secure HTTP communications) were issued for some very high profile websites.
You can read the gory geeky details on a recent Slashdot thread [ HERE ]. Additional information about the CA revocation can be read [ HERE ].
If you hadn’t already manually deleted the CA from your mail and web browsing applications, be sure to apply this update. If you have not been automatically notified of an update (SeaMonkey, Firefox and Thunderbird have all updated in the last 72 hours) I recommend you head to the home website of your favorite browser and see if a security update is available.
Helpful Browser Download Links
Safari
Google Chrome
FireFox
SeaMonkey
Opera
Internet Explorer
If you are still reading, you must be asking yourself, “Why is this important?”. It’s quite simple really (and actually rather complex, but I’ll try not to baffle with technobabble).
Hopefully, any time you communicate with a website that uses any type of password, you are ensuring you are communicating using SSL (Secure Socket Layer), which applies a certain degree of security by encrypting your traffic. The mechanics of this required that the website you are communicating with has a valid SSL Certificate issues for, and properly installed on their website.
Now, anyone can create their own SSL certificate by running a couple of X509 / keygen commands, and with a few lines of coded added to their web-browser, get it installed. Sounds simple enough still, right? The problem with that is, unless there is a centralized repository of people trusted to make these certificates, *anyone* could create a certificate for say.. BankofAmerica.com install it on *their* webserver, and apply some other social engineering techniques to fool you into thinking you are securely communicating with the bank, when in fact you are sending your data to, or even through (also known as a Man-in-the-Middle attack) some third party. With a few other hacks, they might even take over full DNS control of the BankofAmerica.com domain (this happened to UPS.COM just this past weekend, in case you wonder how that can happen). Bottom line, you want to know for CERTAIN that the site you are communicating with has a good, valid CERT issued by a reputable CERT issuing authority, not just some no-name criminal somewhere in Eastern Europe.
This trust is based on vetted, trusted, Certificate Authorities. If you want to look at he list of these trusted CA’s on your browser, it’s going to look at little mind boggling. Anyone on that list that issues a CERT for a website is automatically trusted by your software (and everyone else’s software too, unless you manually remove / revoke CA’s yourself, like I’ve done), so if anyone in that list has a compromised SSL signing system, then any CERT generated by that authority can no longer be trusted. This is the case with DigiNotar.
People far better at writing than I explain this further here: DigiNotar certificate authority breach: Why it matters [ link ]. I recommend you read it and learn a little something about how the web really works. I also suggest that if you are in business and depend on your website, you get some PROTECTION for your DNS with a product like this!: ActiveTrust DNS