Heather Adkins, Google's Information Security Manager, reported that
Google received
[...] reports of attempted SSL man-in-the-middle (MITM)
attacks against Google users, whereby someone tried to get between
them and encrypted Google services. The people affected were
primarily located in Iran. The attacker used a fraudulent SSL
certificate issued by DigiNotar, a root certificate authority that
should not issue certificates for Google (and has since revoked
it). [...]
VASCO Data Security International Inc., owner of DigiNotar, issued a
press statement confirming this incident:
On July 19th 2011, DigiNotar detected an intrusion
into its Certificate Authority (CA) infrastructure, which resulted
in the fraudulent issuance of public key certificate requests for
a number of domains, including Google.com. [...] an external
security audit concluded that all fraudulently issued certificates
were revoked. Recently, it was discovered that at least one
fraudulent certificate had not been revoked at the time. [...]
Mozilla, maintainer of the NSS package, from which FreeBSD derived
ca_root_nss, stated that they:
revoked our trust in the DigiNotar certificate authority from
all Mozilla software. This is not a temporary suspension, it is
a complete removal from our trusted root program. Complete
revocation of trust is a decision we treat with careful
consideration, and employ as a last resort.
Three central issues informed our decision:
- Failure to notify. [...]
- The scope of the breach remains unknown. [...]
- The attack is not theoretical.