VASCO Data Security International owned and ran DigiNotar for months. This is a Dutch certificate authority which has been faced with a lot of hacking issues in recent times. This week, tons of information with regards to the security breach at DigiNotar were made public and here, we have a concise overview of the issues so far and its implications on Qt users

The series of events so far

  • July 19th: This was when the breach was first noticed by the company. Its infrastructure has been compromised and numerous pseudo certificates were issued out including one that gives access to pose as Gmail. It was signed with one of DigiNotar’s authentic intermediate certificates but it wasn’t signed by the company.
  • August 28th: Google Chrome alerted an Iranian Internet user that the certificate proffered by Gmail was not trusted. Google Chrome did not raise this alarm because it knew the certificate was a fraud (actually the certificate was authentic be the hackers broke into DigiNotar and issue legitimate certificates). However, Chrome supports “certificate pinning” feature thus for domains like mail.google.com, the browser has a concise list of in-built root CA certificates and when it did not recognize the DigiNotar root certificate that signed in, it raised the alert.
  • August 29th: After a month of usage of this fraudulent certificate, DigiNotar revoked the .google.com certificate. Subsequently, the browser vendors including Internet Explorer, Firefox, and Google Chrome agreed to blacklist the entire DigiNotar root certificate so as not to fall prey to any fraudulent certificate.
  • Subsequently: Other vendors like Linux distributions pulled out DigiNotar root certificate from its stores while Microsoft, Debian, Suse, and Ubuntu were planning to do so.
  • September 3: After the breach was clear, the Dutch government took over operational management of DigiNotar’s systems. 

The Implication for Qt users

At the time of this report, Qt has blacklisted the fake *.google.com certificate for its 4.7 and upcoming versions such as 4.8 and 5.0. Nevertheless, there are probably tons of fake certs out there because about 247 certificates have been blacklisted by Google Chrome.  The issue even looks more dangerous because there is no detailed list of issued certificates as of now.

For Qt version 4.7.0 users

The reading of rood certificates from the system has commenced thus this Qt version would not trust any certificate issued by DigiNotar.

For Qt version 4.6 users

Qt version 4.6 does not contain any DigiNotar certificate thus users need not be worried as they are completely safe.

What remains to be seen

The question now is “will the removal of the affected DigiNotar root certificate solve the problem”?. This is a million dollar question because DigiNotar has some “cross-signed” certificates i.e. intermediate certificates which are owned by DigiNotar but signed by another Certificate Authority. The removal of DigiNotar root certificate from the root store does not affect these certificates and since there is no detailed compilation of issued certificates, we do not know the implication of this situation. We have to keep our fingers crossed as it remains to be seen if the DigiNotar root certificate was enough to curtail the entire situation.