DigiNotar
DigiNotar B.V. was a Dutch certificate authority founded in 1998 as a notarial collaboration providing digital certificate services, including as a trusted service provider under the national PKIoverheid public key infrastructure for government entities.[1] Acquired by VASCO Data Security in January 2011, the company issued SSL certificates and electronic signature certificates until a major security breach compromised its systems, leading to its bankruptcy declaration on September 20, 2011.[2][1] The intrusion, detected on July 19, 2011 but begun as early as June 17, allowed the attacker to issue 531 rogue certificates for high-profile names including *.google.com and *.microsoft.com. At least one of them, the wildcard for *.google.com, was used in man-in-the-middle attacks on HTTPS, chiefly against users in Iran connecting to services such as Gmail.[1][3] The independent investigation by Fox-IT, documented in the Black Tulip report, found outdated software, weak passwords, insufficient logging and no intrusion detection. The breach destroyed DigiNotar's credibility, led browser and operating-system vendors to remove its root certificates from their trust stores, and brought heightened scrutiny of certificate authority practices worldwide.[1]

Company Background
Founding and Operations
DigiNotar B.V. was founded in 1998 in the Netherlands as a privately owned notarial collaboration, initially focused on digital notarization services that evolved into broader certificate authority operations.[4] The company acted as a trusted third party, supplying public key infrastructure (PKI) services to support secure electronic transactions and identities.[4][3] As a certification authority, DigiNotar issued several kinds of digital certificates, including SSL/TLS certificates for website authentication and qualified certificates for electronic signatures under the EU electronic signature framework then in force (the predecessor of eIDAS).[5] It held a prominent role in the Dutch PKIoverheid framework, supplying certificates for government e-services such as logius.nl and other public sector applications requiring high-assurance PKI.[6][7] Operations emphasized compliance with national and international standards for certificate issuance, including audits of trustworthiness, which positioned DigiNotar as a key enabler of secure digital government and commercial activity in the Netherlands.[8]

Acquisition and Pre-Breach Status
DigiNotar's primary customer base consisted of Dutch government institutions, citizens and professional users of e-government applications and secure online services.[9] By the early 2010s it had become a key supplier to the Dutch public sector's digital infrastructure, issuing certificates for official domains and holding qualifications such as WebTrust for certification authorities.[10] On January 10, 2011, U.S.-based VASCO Data Security International, Inc., a provider of authentication and e-signature products, acquired DigiNotar through a stock and asset purchase agreement valued at €10 million in cash (approximately $12.9 million at the time).[11] The transaction targeted DigiNotar's intellectual property and operational assets to support VASCO's expansion into Internet trust services and PKI markets.[12] Following the acquisition, DigiNotar operated as a subsidiary and continued to issue certificates for high-profile Dutch governmental websites, such as those under the Logius.nl portal, with its root certificates embedded in the trust stores of major browsers including Google Chrome and Mozilla Firefox.[13] Until the intrusion was detected on July 19, 2011, DigiNotar ran routine operations with no public indication of compromise, earning its revenue mainly from public sector contracts and holding a position of trust in the Dutch digital ecosystem.[14] Its infrastructure supported secure communications for national e-services, although the later investigation found internal security practices, such as shared administrative access across systems, that had persisted from its pre-acquisition configuration.[1] VASCO reported minimal initial revenue contribution from DigiNotar in the first half of 2011, reflecting its niche focus on government-oriented certification rather than broader commercial markets.[14]

The 2011 Security Breach
Detection of the Intrusion
DigiNotar identified the intrusion on July 19, 2011, when a routine internal check found certificates that had been signed by its certificate authority systems but had no corresponding request in its back-office administration.[5] The discrepancy indicated unauthorized access to the certificate authority infrastructure, but the company initially assessed the incident as limited, revoked only the rogue certificates it had found, and did not disclose the breach.[6] The severity of the breach became public on August 27, 2011, when an Iranian user posting under the pseudonym "alibo" reported being unable to reach Gmail because of a browser warning about a DigiNotar-signed certificate for *.google.com.[15] The warning came from Google Chrome's built-in public key pins for Google domains, which reject a certificate for *.google.com whose key is not in the pinned set even though the chain validates to a trusted root; a certificate that merely chained correctly would otherwise have been accepted silently. The forum post and the screenshots of the anomalous certificate drew the attention of independent security researchers, who confirmed the certificate was fraudulent and traced it to DigiNotar's root.[16] This external scrutiny exposed the full scale of the compromise, including 531 fraudulent certificates for names belonging to Google, Microsoft, the CIA and others, primarily used to enable man-in-the-middle attacks against Iranian users.[17]
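The check that surfaced the breach on July 19 was a reconciliation: certificates the signing systems had actually produced were compared with the requests the back-office registration process had authorised, and serials with no matching request stood out. The block below is an added example of such a reconciliation, not DigiNotar's tooling; both record sets, the column layout and the high-value name watch-list are constructed for illustration.

```python
"""Issuance reconciliation: what the signing system actually signed versus what
the back-office registration system authorised. Added example, not DigiNotar's
tooling; both record sets below are constructed."""
import csv
import io
from dataclasses import dataclass

# Constructed: one line per certificate the CA signing system produced.
SIGNING_LOG = """\
serial,issuing_ca,subject_cn,signed_at
1a2b,Public-CA,www.example-gov.nl,2011-07-09T10:00:00Z
1a2c,Public-CA,*.google.com,2011-07-10T19:00:00Z
1a2d,Relation-CA,secure.example-bank.nl,2011-07-10T11:00:00Z
1a2e,Public-CA,login.yahoo.com,2011-07-10T19:05:00Z
1a2f,Public-CA,portal.example-gov.nl,2011-07-11T09:00:00Z
"""

# Constructed: requests that passed registration and validation.
BACK_OFFICE = """\
request_id,serial,subject_cn,validated_by
R-1001,1a2b,www.example-gov.nl,ra-officer-1
R-1002,1a2d,secure.example-bank.nl,ra-officer-2
R-1003,1a2f,www.example-gov.nl,ra-officer-1
"""

# Constructed watch-list: names this CA has no customer for, so a certificate
# naming them is suspicious even when a request record exists.
HIGH_VALUE_SUFFIXES = ("google.com", "yahoo.com", "microsoft.com", "cia.gov")


@dataclass(frozen=True)
class Finding:
    serial: str
    subject_cn: str
    reason: str


def _matches_watchlist(cn):
    host = cn.lower().lstrip("*.")  # "*.google.com" -> "google.com"
    return any(host == s or host.endswith("." + s) for s in HIGH_VALUE_SUFFIXES)


def reconcile(signing_log, back_office):
    """Every signed certificate must map to a validated request with the same
    subject; anything else is a finding, as is any name on the watch-list."""
    signed = list(csv.DictReader(io.StringIO(signing_log)))
    requests = {r["serial"]: r for r in csv.DictReader(io.StringIO(back_office))}
    findings = []
    for row in signed:
        req = requests.get(row["serial"])
        if req is None:
            findings.append(Finding(row["serial"], row["subject_cn"],
                                    "signed without a back-office request"))
        elif req["subject_cn"] != row["subject_cn"]:
            findings.append(Finding(row["serial"], row["subject_cn"],
                                    f"subject differs from validated request ({req['subject_cn']})"))
        if _matches_watchlist(row["subject_cn"]):
            findings.append(Finding(row["serial"], row["subject_cn"],
                                    "names a high-value third-party domain"))
    return findings


def suspicious_serials(findings):
    return sorted({f.serial for f in findings})


if __name__ == "__main__":
    for f in reconcile(SIGNING_LOG, BACK_OFFICE):
        print(f.serial, f.subject_cn, "-", f.reason)
```

Run daily against the signing logs rather than the back-office database alone: the attacker here wrote to the CA servers directly, so only the side that actually holds the signing keys records the rogue serials.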
Scope and Methods of the Hack
The intrusion into DigiNotar's systems spanned several network segments, including the external DMZ-ext-net (10.10.20.0/24), the internal Secure-net (172.18.20.0/24), and the certificate authority (CA) servers such as Public-CA, Relation-CA, Qualified-CA and Root-CA, all of which were joined to a single Windows domain. From there the attacker reached the hardware security modules (HSMs) and issued 531 rogue certificates, 446 from Public-CA and 85 from Relation-CA, for high-profile names including *.google.com (26 certificates), *.yahoo.com, *.microsoft.com, *.skype.com and *.torproject.org. The rogue *.google.com certificate was used for man-in-the-middle (MITM) interception of traffic to services such as Gmail, probably combined with DNS redirection in Iran; DigiNotar's OCSP responder logs recorded roughly 300,000 unique IP addresses querying that certificate's status, over 99% of them in Iran.[1][18] The attack began on June 17, 2011 with the compromise of web servers in the DMZ-ext-net segment, such as Main-web and Docproof2, most likely through outdated software including an unpatched DotNetNuke installation and weakly protected remote desktop protocol (RDP) access. The intruder tunnelled traffic over port 443 to evade detection and used compromised systems as stepping stones and proxies to mask the origin, with IP traces pointing to Iranian infrastructure. Malware and tools found on the systems, including trojans such as troj65.exe and njnypgqa.exe, mimikatz.exe for credential dumping, and Cain & Abel for password cracking, enabled privilege escalation.

By July 1, 2011, the attacker had reached Secure-net, helped by inadequate firewall rules, poor network segmentation and administrative credentials shared across the domain.[1][18] Certificates were issued by custom scripts run on the compromised CA servers with administrative rights, so they were signed without any validation of the request; because the HSM-held private keys could be used from those servers, the HSMs did not prevent the signing. The attacker exfiltrated data, including database dumps (for example dbpub.zip, over 59 MB), and tampered with logs to hide the activity. The first rogue certificate was issued on July 10, 2011 and the last on July 20, 2011. A signature left in files, "Janam Fadaye Rahbar" (a pro-Iranian phrase also seen in the earlier Comodo breach), together with Iranian IP addresses hardcoded in scripts that uploaded data to external dropboxes, suggests an intruder aligned with Iranian state interests, although the forensic analysis did not conclusively attribute the attack. Because there was no intrusion detection and monitoring failed, the intrusion was not noticed until July 19, 2011; the attacker's last traces date from July 24, 2011.[1][18]

Fraudulent Certificate Issuance
Specific Certificates Compromised
During the intrusion, attackers issued 531 fraudulent certificates from DigiNotar's systems between July 10 and 20, 2011, using the Public-CA and Relation-CA servers.[1] Of these, 344 carried a domain name as their common name, targeting high-profile websites and services, while 187 carried the name of another certificate authority as their common name; such certificates could pass as CA certificates and potentially be used to sign further certificates.[1][19] The true number may be higher than the identified instances, because DigiNotar lacked comprehensive logging of issuance requests.[1] The domain-specific certificates concentrated on popular platforms suitable for man-in-the-middle interception; the wildcard certificate for *.google.com, issued 26 times, was used to intercept Iranian users' Gmail traffic, and roughly 300,000 unique IP addresses, 99% of them in Iran, queried the OCSP responder about it.[1][19] Other notable targets were communication, anonymity and intelligence services, consistent with surveillance motives.

| Domain/Organization | Certificates Issued | Notes |
|---|---|---|
| *.google.com | 26 | Used in confirmed MITM attacks on Gmail.[1] |
| www.cia.gov | 25 | U.S. intelligence agency site.[1] |
| *.skype.com | 22 | VoIP service wildcard.[1] |
| login.yahoo.com | 19 | Email login portal.[1] |
| twitter.com | 18 | Social media platform.[1] |
| *.torproject.org | 14 | Anonymity network.[1] |
| www.facebook.com | 14 | Social network.[1] |
| www.mossad.gov.il | 5 | Israeli intelligence agency.[1] |
| *.microsoft.com | 3 | Software giant wildcard.[1] |
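The figure of roughly 300,000 affected IP addresses, over 99% of them in Iran, comes from DigiNotar's OCSP responder logs: a browser that was served the rogue *.google.com certificate asked DigiNotar whether its serial was revoked, so each such request identifies an exposed client. The block below is an added example of that triage, not Fox-IT's tooling; the log format, serials and the IP-to-country table are constructed, with RFC 5737 documentation ranges standing in for real prefixes.

```python
"""OCSP responder log triage: who asked about a rogue certificate, and from where?
Added example, not Fox-IT's tooling; log lines, serials and the IP-to-country
table are constructed (RFC 5737 documentation ranges stand in for real prefixes)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log: timestamp, client IP, queried serial, response status.
OCSP_LOG = """\
2011-07-30T08:01:12Z 192.0.2.10 serial=1a2c status=good
2011-07-30T08:01:13Z 192.0.2.10 serial=1a2c status=good
2011-07-30T08:02:40Z 192.0.2.55 serial=1a2c status=good
2011-07-30T08:03:01Z 198.51.100.7 serial=1a2b status=good
2011-07-30T08:05:19Z 192.0.2.201 serial=1a2c status=good
2011-07-30T08:06:00Z 203.0.113.9 serial=1a2c status=good
2011-07-30T08:07:45Z 198.51.100.8 serial=1a2b status=good
garbage line that should be skipped
"""

# Constructed "GeoIP" table; a real investigation uses a geolocation database.
PREFIX_COUNTRY = [
    (ipaddress.ip_network("192.0.2.0/24"), "IR"),
    (ipaddress.ip_network("198.51.100.0/24"), "NL"),
    (ipaddress.ip_network("203.0.113.0/24"), "US"),
]

ROGUE_SERIALS = {"1a2c"}  # constructed: serial of the rogue *.google.com certificate

LINE_RE = re.compile(r"^(\S+) (\S+) serial=([0-9a-f]+) status=(\w+)$")


def parse_line(line):
    """Return (timestamp, ip, serial, status) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, serial, status = m.groups()
    try:
        return ts, ipaddress.ip_address(ip), serial, status
    except ValueError:
        return None


def country_of(ip):
    for net, cc in PREFIX_COUNTRY:
        if ip in net:
            return cc
    return "??"


def analyse(log_text):
    """{serial: {"unique_ips": n, "by_country": {cc: n}}}; each requesting IP is
    counted once per serial, since a client repeats OCSP checks across sessions."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, ip, serial, _ = rec
        seen[serial].add(ip)
    result = {}
    for serial, ips in seen.items():
        by_cc = defaultdict(int)
        for ip in ips:
            by_cc[country_of(ip)] += 1
        result[serial] = {"unique_ips": len(ips), "by_country": dict(by_cc)}
    return result


def country_share(result, serial, cc):
    """Fraction of the unique requesters for `serial` located in country `cc`."""
    stats = result[serial]
    return stats["by_country"].get(cc, 0) / stats["unique_ips"]


def victim_ips(log_text, rogue_serials=ROGUE_SERIALS):
    """Distinct IPs that checked a rogue serial: the population that was exposed."""
    ips = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] in rogue_serials:
            ips.add(str(rec[1]))
    return sorted(ips)


if __name__ == "__main__":
    res = analyse(OCSP_LOG)
    for serial, stats in sorted(res.items()):
        print(serial, stats["unique_ips"], stats["by_country"])
    print("exposed clients:", victim_ips(OCSP_LOG))
```

The same log also shows the responder answering "good" for a rogue serial, which is the window in which a revocation would have cut the attack short had the CA known what to revoke.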
Exploitation and Real-World Impact
The fraudulent certificates issued during the DigiNotar compromise enabled man-in-the-middle (MITM) attacks, allowing attackers to impersonate trusted domains and intercept encrypted HTTPS traffic. The rogue wildcard certificate for *.google.com, issued on July 10, 2011, was deployed against Iranian users of Google services, decrypting and monitoring communications that the users believed to be secure.[20][16] The attackers likely used DNS redirection alongside the certificate to route traffic through servers they controlled, capturing Gmail contents, search queries and login credentials without the users' awareness.[21][17]
This exploitation, suspected to involve actors linked to the Iranian government seeking to surveil dissidents and users of tools for circumventing state internet restrictions, persisted until the certificate was revoked on August 29, 2011, two days after an Iranian user reported it on August 27.[22][23] A handful of victims with confirmed intercepted sessions are known, and thousands of Iranian Google users were potentially exposed during the period, although exact figures remain unverified because of the covert nature of the attacks.[16][23] The operation demonstrated how a compromised certificate authority can serve state-level censorship and espionage: because browsers trusted DigiNotar as a root authority, ordinary certificate validation raised no warning.[24]

The consequences extended beyond the direct victims and exposed systemic weaknesses in the public key infrastructure (PKI). Once browser and operating-system vendors, including Mozilla, Google, Microsoft and Apple, removed DigiNotar's roots from their trust stores in late August and September 2011, every certificate chaining to those roots became untrusted, including legitimate ones for Dutch government sites, which disrupted secure access to public services until the certificates were reissued by other authorities and eroded confidence in centralized trust models.[3][25] In the longer term the breach was one of the drivers behind reforms such as Certificate Transparency, since it showed how a single compromised CA could undermine web security worldwide, although no widespread exploitation outside Iran was documented.[15][24]
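Standard chain validation accepted the rogue *.google.com certificate because it chained to a root every browser trusted; what caught it in Chrome was a second check, a pin on the SHA-256 hash of the expected SubjectPublicKeyInfo. The block below is an added example of that layer, not Chrome's or DigiNotar's code: it builds synthetic DER certificates inline (placeholder signatures, illustrative issuer names), extracts the SPKI with a minimal DER walker and applies an HPKP-style pin check. Chain signature validation is assumed to be done by the TLS stack before this check runs.

```python
"""Pin check that rejects a validly chained but unexpected *.google.com key.
Added example, not Chrome's or DigiNotar's code; certificates are synthetic DER
built inline, signatures are placeholders, issuer names are illustrative."""
import base64
import hashlib


def tlv(tag, body):
    """DER encode one tag-length-value element (short and long-form lengths)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def read_tlv(buf, off):
    """Decode the element at buf[off:]; return (tag, body, offset after it)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    return tag, buf[off:off + length], off + length


OID_RSA = bytes.fromhex("2a864886f70d010101")        # rsaEncryption
OID_SHA256RSA = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption
OID_CN = bytes.fromhex("550403")                     # id-at-commonName


def spki(key_bytes):
    """SubjectPublicKeyInfo ::= SEQUENCE { algorithm, subjectPublicKey BIT STRING }"""
    alg = tlv(0x30, tlv(0x06, OID_RSA) + tlv(0x05, b""))
    return tlv(0x30, alg + tlv(0x03, b"\x00" + key_bytes))


def name(cn):
    """Name ::= SEQUENCE OF RelativeDistinguishedName (one CN attribute here)."""
    atv = tlv(0x30, tlv(0x06, OID_CN) + tlv(0x0C, cn.encode()))
    return tlv(0x30, tlv(0x31, atv))


def synth_cert(subject_cn, issuer_cn, key_bytes):
    """Minimal X.509 v3 layout: exactly the fields a pin check must walk past."""
    tbs = tlv(0x30,
              tlv(0xA0, tlv(0x02, b"\x02"))            # [0] EXPLICIT version v3
              + tlv(0x02, b"\x01")                     # serialNumber
              + tlv(0x30, tlv(0x06, OID_SHA256RSA))    # signature algorithm
              + name(issuer_cn)
              + tlv(0x30, tlv(0x17, b"110710000000Z") + tlv(0x17, b"120710000000Z"))
              + name(subject_cn)
              + spki(key_bytes))
    fake_sig = tlv(0x03, b"\x00" + bytes(32))          # placeholder, not a real signature
    return tlv(0x30, tbs + tlv(0x30, tlv(0x06, OID_SHA256RSA)) + fake_sig)


def extract_spki(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo of a certificate."""
    _, cert_body, _ = read_tlv(cert_der, 0)   # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert_body, 0)        # tbsCertificate SEQUENCE
    off = 0
    tag, _, nxt = read_tlv(tbs, 0)
    if tag == 0xA0:                           # optional version field
        off = nxt
    for _ in range(5):                        # serial, signature, issuer, validity, subject
        _, _, off = read_tlv(tbs, off)
    tag, _, end = read_tlv(tbs, off)
    if tag != 0x30:
        raise ValueError("malformed TBSCertificate: expected SubjectPublicKeyInfo")
    return tbs[off:end]


def spki_pin(cert_der):
    """HPKP-style pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def pin_check(chain, pins):
    """Accept the chain only if at least one certificate in it carries a pinned key."""
    return any(spki_pin(c) in pins for c in chain)


# Constructed keys and chains (names illustrative).
GOOGLE_KEY, GOOGLE_CA_KEY = bytes(range(32)), bytes(range(32, 64))
ATTACKER_KEY, DIGINOTAR_KEY = bytes(range(64, 96)), bytes(range(96, 128))

LEGIT_CHAIN = [synth_cert("*.google.com", "Google Internet Authority", GOOGLE_KEY),
               synth_cert("Google Internet Authority", "Example Root CA", GOOGLE_CA_KEY)]
ROGUE_CHAIN = [synth_cert("*.google.com", "DigiNotar Public CA", ATTACKER_KEY),
               synth_cert("DigiNotar Public CA", "DigiNotar Root CA", DIGINOTAR_KEY)]
PINS = {spki_pin(LEGIT_CHAIN[0]), spki_pin(LEGIT_CHAIN[1])}

if __name__ == "__main__":
    print("legit chain:", pin_check(LEGIT_CHAIN, PINS))   # True
    print("rogue chain:", pin_check(ROGUE_CHAIN, PINS))   # False
```

Pinning the intermediate as well as the leaf lets the site rotate its leaf key without breaking clients; the rogue chain fails because neither its leaf nor its DigiNotar issuer carries a pinned key, regardless of how well it chains.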