Dutch government root certificate banned in Chrome, Firefox and IE

Derek Mead

It looks like DigiNotar is on the brink of death. The Dutch government has taken control of the web security company after Google, Microsoft and Mozilla have all taken various steps to completely eliminate all security certificates signed by DigiNotar. This comes after it was discovered DigiNotar unwittingly issued hundreds of rogue certificates following a targeted security breach at the company. It continues an alarming trend of security companies getting hacked that’s enough to make some wonder if security certificates aren’t simply useless.

After news of the breach at DigiNotar burst into the public spotlight, Google, Microsoft and Mozilla all made moves to blacklist the company. With the certificate authority compromised, the three browser producers completed removed all DigiNotar root certificates from their products. It was a move that the Inquirer called ”unprecedented.”

However, the trio of vendors didn’t worry about DigiNotar PKIoverheid, a subsidiary of the certificate authority that specifically signs certificates for the Dutch government. None of the three blocked PKIoverheid’s root certificates because the company used an independent certificate issuing process that wasn’t believed to have been affected by the DigiNotar breach. But when the Dutch government reassessed the situation, it found the PKIoverheid certificates had been compromised as well.

Google reacted first, blocking the PKIoverheid certificates as well with a Chrome update. The company additionally discovered attempted man-in-the-middle attacks on Google users. Mozilla and Microsoft followed suit quickly, with the certificates now blocked in Firefox and Internet Explorer.

While the certificates are now blacklisted along with myriad others, users can usually choose to risk bypassing the bans on any browser. Interestingly, Microsoft felt the breach was enough of a risk that there is no override in Internet Explorer to continue using the DigiNotar certificates. Instead, they are fully, completely inaccessible.

With the government’s brand of security certificates completely blocked, some sites in the Netherlands have been rendered inaccessible. While the Dutch government has taken a brunt of the hit, it has reportedly taken over DigiNotar’s operations in an effort to get things running again. In the meantime, it looks like PKIoverheid is completely sunk, and barring a massive comeback, DigiNotar can’t be far behind. It’s concrete proof that these days the security business isn’t living up to its name.