DigiNotar, a wholly owned subsidiary of VASCO, experienced a security intrusion into its Certificate Authority infrastructure, which resulted in the issuance of fraudulent public key certificates for several domains.
The attack occurred on July 19 and targeted DigiNotar’s Certificate Authority SSL and EVSSL certificate issuing infrastructure. The attackers managed to issue public key certificate requests for Google.com and other sites.
Once it detected the attack, DigiNotar complied with the rules and procedures for this type of intrusion and revoked the fraudulent certificates. An external audit found that all fraudulent certificates had been discovered and rectified, though the Dutch government organization Govcert uncovered another fake certificate later. After being made aware of its existence, DigiNotar revoked that certificate as well.
In response to the attack, DigiNotar has suspended the sales of its SSL and EVSSL certificate offerings until further third-party security audits conclude that these products are safe from further attacks.
DigiNotar is also working on a solution for its current SSL and EVSSL customers.
Because DigiNotar’s SSL and EVSSL business is a relatively small part of its total revenue, VASCO expects this attack to have minimal impact on its business. For the first six months of 2011, the SSL and EVSSL business brought in less than 100,000 Euros in revenue.