A cracker claiming to be responsible for the attack on Dutch SSL certificate authority DigiNotar has revealed that he has gained illicit access to four other certificate authorities, following an earlier attack on Comodo.
The attacker, calling himself ComodoHacker, posted his claims to hacker hangout Pastebin in a message which claimed that the attack on DigiNotar that has seen its certificates removed from the trusted database in most major browsers is retaliation for the massacre of Muslims that took place in Srebrenica during the Bosnian War sixteen years ago.
"When Dutch government exchanged 8000 Muslim for 30 Dutch soldiers and Animal Serbian soldiers killed 8000 Muslims in same day, Dutch government have to pay for it," the attacker's slightly stilted English explains. "Nothing is changed, just 16 years has been passed. Dutch government's 13 million dollars which paid for DigiNotar will have to go DIRECTLY into trash, it's what I can do from KMs away! It's enough for Dutch government for now to understand that 1 Muslim soldier worth 10000 Dutch government."
While highlighting the Dutch government out for retaliation, claiming that by issuing faked certificates for high-profile sites including the CIA's main site and Google.com would mean the "company will be closed," the attacker also revealed that he has gained access to at least four certificate authorities in addition to DigiNotar.
As the attacker's name suggests, the individual is also taking responsibility for an earlier attack on Comodo and its resellers and claims to still have access to the company's servers. In addition, the attacker named GlobalSign as another victim.
In reponse to the hacker's claims, GlobalSign has ceased the issue of certificates while it investigates its systems for possible intrusion. "GlobalSign takes this claim very seriously," a spokesperson explained, "and is currently investigating. As a responsible CA, we have decided to temporarily cease issuance of all certificates until the investigation is complete."
Depending on whether the attacker counts Comodo among the four additionally targeted certificate authorities or not, that leaves two or three unnamed authorities which could be issuing invalid certificates for high-level domains under his orders. The following weeks are likely to be trying times for anyone working at a high-profile certificate authority.
The issuance of seemingly-valid certificates from a mainstream certificate authority under the control of a malicious attacker is also a problem for end users: browsers include a built-in list of trusted authorities, certificates issued via which are accepted without question. By targeting a valid certificate authority, the attacker can decrypt or spoof traffic via a man-in-the-middle attack without the user's knowledge.
While DigiNotar's certificates have been revoked by most major browser makers, users who fail to install updates or who use a mobile device such as a smartphone or tablet are still at risk - and as the number of affected certificate authorities increase, so does the risk level.