DigiNotar Compromise: Webmaster Notification Crowdsourcing

A Dutch CA called DigiNotar has suffered a security breach. Mozilla is removing trust from their root certificate – we hope to release updates today. We have used the EFF SSL Observatory data to make a list of affected websites (those whose certificates chain up to the DigiNotar root[0]). We want to warn the webmasters of these sites that they need to get new certificates ASAP. And that’s where we use the power of the community :-)

If you can read Dutch, we would appreciate your help. There is a Google Docs spreadsheet with the list of affected sites and instructions on how to find the webmaster email or contact form and warn them, using a letter we have written. The more warning they get, the less disrupted the Dutch SSL internet will be. Please head over there and help out :-) Thanks!


[0] This is not the same as being issued by DigiNotar. Please do not contact sites not on our list.

10 thoughts on “DigiNotar Compromise: Webmaster Notification Crowdsourcing”

  1. People seem to be adding sites that do not use the DigiNotar root. All government sites on the list use the Staat der Nederlanden root with DigiNotar as intermediary CA (PKI-Overheid). Be sure to double-check that before contacting them (unless PKI-Overheid will also be blocked).

  2. Rijk: that bug is not the official bug in which we are tracking this issue, and the patch tested and reported there was an earlier patch. The newer patch is more discerning.

  3. I’ve been doing some URLs and I’ve noticed some “N/A”s are questionable. For example, someone noted “not being able to find an SSL on that URL”. Sometimes I’ve found that SSL is only used on certain sub-pages.

    I think it would be good to walk through these N/As once more.

  4. What is the exact root-ca string? The document states “DigiNotar root”, I found websites stating “DigiNotar B.V.”. Which is correct?

  5. Lode: Click the Site Identity button (to the left of the domain name in the URL bar), click More Information, click View Certificate and click “Details”. If it says DigiNotar anywhere, and the top entry is _not_ “Staat der Nederlanden”, then their cert will break.
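The distinction the post’s footnote draws (chaining up to the DigiNotar root is not the same as being issued by DigiNotar) and the manual check in comment 5 can be exercised mechanically. The Go program below is an added example, not code from Mozilla, the EFF SSL Observatory or any commenter. It builds two throw-away certificate hierarchies in memory with illustrative names (none of these are real DigiNotar or PKIoverheid certificates, and the hostnames are made up), then verifies each leaf against a trust store with and without the DigiNotar root, which is what removing trust from a root does to a browser’s view of a site.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CertKey bundles a certificate with the key that signs its children.
type CertKey struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

var nextSerial int64 = 1000

// newCert issues a certificate for name, signed by parent (self-signed when
// parent is nil). Throwaway P-256 keys; constructed for this example only.
func newCert(name string, isCA bool, parent *CertKey) *CertKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // leaf: server cert for the hostname in name
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{name}
	}
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &CertKey{Cert: cert, Key: key}
}

// Scenario holds two constructed hierarchies and two trust stores.
// A: leaf <- DigiNotar intermediate <- DigiNotar root (the post's list).
// B: leaf <- DigiNotar-named PKIoverheid intermediate <- Staat der Nederlanden root (comment 1).
type Scenario struct {
	LeafA, LeafB  *x509.Certificate
	Intermediates *x509.CertPool
	RootsBefore   *x509.CertPool // both roots trusted
	RootsAfter    *x509.CertPool // DigiNotar root removed
}

func BuildScenario() *Scenario {
	dnRoot := newCert("DigiNotar Root CA", true, nil)
	dnInter := newCert("DigiNotar Services CA", true, dnRoot)
	leafA := newCert("www.shop.example", false, dnInter)
	nlRoot := newCert("Staat der Nederlanden Root CA", true, nil)
	nlInter := newCert("DigiNotar PKIoverheid CA", true, nlRoot)
	leafB := newCert("www.ministry.example", false, nlInter)

	inters, before, after := x509.NewCertPool(), x509.NewCertPool(), x509.NewCertPool()
	inters.AddCert(dnInter.Cert)
	inters.AddCert(nlInter.Cert)
	before.AddCert(dnRoot.Cert)
	before.AddCert(nlRoot.Cert)
	after.AddCert(nlRoot.Cert)
	return &Scenario{leafA.Cert, leafB.Cert, inters, before, after}
}

// Classify builds leaf's chain against the given trust store and reports the
// root it ends at and whether any certificate in the chain names DigiNotar
// (comment 5's "says DigiNotar anywhere"). A non-nil error is a broken site.
func Classify(leaf *x509.Certificate, inters, roots *x509.CertPool) (root string, namesDigiNotar bool, err error) {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: leaf.DNSNames[0]})
	if err != nil {
		return "", false, err
	}
	chain := chains[0] // leaf first, trust anchor last
	for _, c := range chain {
		if strings.Contains(c.Subject.CommonName, "DigiNotar") {
			namesDigiNotar = true
		}
	}
	return chain[len(chain)-1].Subject.CommonName, namesDigiNotar, nil
}

func main() {
	s := BuildScenario()
	for _, tc := range []struct {
		label string
		leaf  *x509.Certificate
		roots *x509.CertPool
	}{{"A before removal", s.LeafA, s.RootsBefore}, {"A after removal", s.LeafA, s.RootsAfter},
		{"B before removal", s.LeafB, s.RootsBefore}, {"B after removal", s.LeafB, s.RootsAfter}} {
		root, dn, err := Classify(tc.leaf, s.Intermediates, tc.roots)
		if err != nil {
			fmt.Printf("%-16s: BROKEN (%v)\n", tc.label, err)
			continue
		}
		fmt.Printf("%-16s: OK, root=%q, names DigiNotar=%v\n", tc.label, root, dn)
	}
}
```

Run with `go run`. Case A breaks as soon as the DigiNotar root leaves the trust store; case B still verifies, because its trust anchor is the Staat der Nederlanden root even though a DigiNotar-named intermediate sits in its chain. That is why the footnote warns against contacting sites merely because DigiNotar appears in their certificate, and why comment 1’s caveat matters: a site like B only breaks if the distrust action also covers that intermediate, which this program would show by dropping `nlInter` from the intermediates pool as well.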

  6. Sent out the list to some networkers from the University of Utrecht and Eindhoven. Hope they will have a large(r) reach.