DigiNotar certificate security issue

By Alastair on Aug. 30, 2011

We’ve been made aware of a security issue caused by the Netherlands-based CA DigiNotar, who mistakenly issued a valid SSL wildcard certificate for google.com. The existence of this certificate, coupled with the implied lack of proper verification at DigiNotar, means that we consider it inappropriate that our systems continue to trust DigiNotar to issue SSL certificates.

As a result, effective immediately, we have instructed our machines (including our servers) not to trust the DigiNotar root certificate. This should not have an impact on customers unless you are (or your mail server admin is) using DomainKeys (aka DKIM) to certify outbound e-mail and the certificate you are using was issued by DigiNotar; in that specific case, there is a slightly increased risk that your e-mail will land in our junk filter. The fix, should you be in this situation, is to use a certificate issued by someone other than DigiNotar.

Microsoft has already removed the DigiNotar root certificate from its list of trusted certificates, and Mozilla has indicated that the same will happen with Firefox. Users of Safari (and indeed Mac OS X in general) may wish to take the following steps to disable trust of the DigiNotar root CA:

  1. Start Keychain Access (you can do this from the Spotlight menu by entering “Keychain Access” in the search field, or by going to “/Applications/Utilities” in Finder).

  2. Enter “digino” in the search field at the top right.

    [Screenshot: Keychain Access (before)]

  3. Double-click the “DigiNotar Root CA” certificate.

  4. Open up the “Trust” settings.

  5. Change the “When using this certificate:” setting to “Never Trust”.

    [Screenshot: DigiNotar Certificate]

  6. Close the certificate window. You’ll be prompted for an admin username and password.

  7. Ensure that the DigiNotar Root CA now looks like this in Keychain Access:

    [Screenshot: Keychain Access (after)]

In particular, check that it says “This certificate is marked as not trusted for all users”.

Update (14:35 BST)

Owing to an apparent deficiency in the way Safari behaves with respect to root certificate trust (about which I’ve already filed a bug report), it may be better to simply delete the DigiNotar Root CA certificate altogether, since this will result in a more obvious response from Safari when visiting a site that depends on it.

To do that instead, select the DigiNotar Root CA certificate in Keychain Access, and choose “Delete” from the “Edit” menu.
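For admins who would rather script this than click through Keychain Access, here is the Terminal equivalent of the seven steps above and of the delete alternative from the update, using macOS's `security` tool. This is an added example, not part of the original post; it assumes the root sits in Apple's system roots keychain at the path in `ROOTS`, and that `security dump-trust-settings` prints `Cert N: <name>` and `Result Type` lines in the form parsed by `has_deny_setting`.

```shell
#!/bin/sh
# Added example (not from the original post): Terminal equivalent of the
# Keychain Access steps above, using macOS's `security` tool.
# Assumptions: the root lives in Apple's system roots keychain at $ROOTS, and
# `security dump-trust-settings` prints "Cert N: <name>" and "Result Type" lines.
set -eu

CA_NAME="DigiNotar Root CA"
ROOTS="/System/Library/Keychains/SystemRootCertificates.keychain"
ADMIN_KC="/Library/Keychains/System.keychain"

# Steps 2-3: locate the certificate by name and export it as PEM.
export_root() {
    security find-certificate -c "$CA_NAME" -p "$ROOTS"
}

# Steps 4-6: the "Never Trust" setting. Adds an admin-domain (-d) trust
# setting whose result (-r) is "deny"; sudo stands in for the password prompt.
mark_never_trust() {
    pem=$(mktemp)
    export_root > "$pem"
    sudo security add-trusted-cert -d -r deny -k "$ADMIN_KC" "$pem"
    rm -f "$pem"
}

# The update's alternative: remove the certificate altogether.
delete_root() {
    sudo security delete-certificate -c "$CA_NAME" "$ROOTS"
}

# Step 7 as a check: read a `security dump-trust-settings -d` listing on
# stdin and return 0 only if the named CA has a Deny result recorded.
has_deny_setting() {
    awk -v ca="$1" '
        /^Cert [0-9]+: / { cur = substr($0, index($0, ": ") + 2) }
        /Result Type/ && cur == ca && /kSecTrustSettingsResultDeny/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

case "${1:-}" in
    deny)   mark_never_trust ;;
    delete) delete_root ;;
    check)  security dump-trust-settings -d | has_deny_setting "$CA_NAME" ;;
esac
```

Run with `deny`, `delete` or `check` as the single argument; with no argument the script only defines the functions.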