Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Dutch government pleads for time to revoke compromised DigiNotar SSL certificates

Revoking security tokens could paralyse the Netherlands' online presence

Article comments

The Dutch government is trying to minimise the effect of the DigiNotar hack on its IT infrastructure but warned it's a time-consuming process. Not all the SSL certificates can be replaced on the fly.

Piet Hein Donner, minister of the interior, said this week that the government will work as quickly as possible to replace all the DigiNotar SSL certificates in use. However, if the certificates are withdrawn immediately it will be damaging, he warned.

"It particularly concerns the fully automated communication between computers," Donner said. If the certificates are withdrawn right now it would disturb or even block Machine-to-Machine (M2M) communication. That is why the Dutch government chose a "phased and controlled" migration to other certificates. While website certificates should be replaced by Saturday, he said, replacing those involved in M2M communication will take longer.

Fixes postponed

For the same reason, Microsoft agreed to postpone an automatic software update for the Netherlands that revokes the trust in all DigiNotar certificates for one week. Next week the software update will be rolled out in the Netherlands with an opt-out option.

Companies who want to implement the software update this week can choose to do that themselves. According to Donner, this ensures there is no significant disturbance in digital communications in the Netherlands.

On September 2, the Dutch government announced in a night time press conference, the first in Dutch IT history, that all DigiNotar certificates were to be banned and replaced. According to a report by the security firm Fox-IT published on Monday, 531 fraudulent certificates were issued after DigiNotar was hacked from an Iranian IP address in June. The firm also found proof that the "DigiNotar PKIoverheid CA" certificates the Dutch government uses were compromised. Fox-IT found no evidence that government certificates were misused.

Ronald Prins, CEO of Fox-IT, said on the Dutch television show "Nieuwsuur" that the real damage for Dutch citizens was limited, but that the implications could have been big. DigiNotar was used for DigiD, an identity management platform used by Dutch government agencies including the Tax and Customs Administration. Hackers could have monitored DigiD traffic and would even be able to manipulate tax filings if they wanted to.

The government replaced the DigiNotar DigiD certificates with PKIoverheid CA certificates from Getronics PinkRoccade, one of the seven (including DigiNotar) SSL certificate providers the government uses. Other problems occurred with the systems of the Rijksdienst voor het Wegverkeer (RDW), which handles vehicle registrations and inspections in the Netherlands.

The RDW switched to VeriSign certificates, but still has to use DigiNotar for M2M communication, spokesperson Sjoerd Weiland told Webwereld.

Uncertain deadline

According to Weiland it is impossible to say when the switch from DigiNotar to another CA can be done. Every business connected to the RDW, including the police and insurance companies, has to switch to new certificates at the same time to prevent the total collapse of all M2M communication. Local governments could have the same problem as the RDW. Minister Donner said there are "some disturbances" in communications between the RDW and local governments.

Dutch financial transactions, Amsterdam's Schiphol airport and the national railways were not affected.

"Although several sectors are meanwhile suffering from disruptions, major uncontrollable problems have not appeared to date," Minister Donner and Minister Ivo Opstelten of Public Safety and Justice stated. In total DigiNotar issued 57,956 certificates in different sectors in the Netherlands.

Because DigiNotar was hacked in June and the company knew about the hack shortly afterward but did not inform the Dutch government, the attorney general has begun an investigation to determine if DigiNotar can be held formally responsible for the ongoing crisis. Telecom watchdog OPTA is also investigating DigiNotar.



Share:

More from Techworld

More relevant IT news

Comments



Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *