Just incredible: They were hacked and they knew it, then forgot to clean up a certificate the hackers generated.
On July 19th 2011, DigiNotar detected an intrusion into
its Certificate Authority (CA) infrastructure, which
resulted in the fraudulent issuance of public key
certificate requests for a number of domains, including
Google.com.
Once it detected the intrusion, DigiNotar acted in
accordance with all relevant rules and procedures.
At that time, an external security audit concluded that
all fraudulently issued certificates were revoked.
Recently, it was discovered that at least one fraudulent
certificate had not been revoked at the time. After
being notified by Dutch government organization Govcert,
DigiNotar took immediate action and revoked the
fraudulent certificate.
The attack was targeted solely at DigiNotar's Certificate
Authority infrastructure for issuing SSL and EVSSL
certificates. No other certificate types were issued or
compromised. DigiNotar stresses the fact that the vast
majority of its business, including its Dutch government
business (PKIOverheid) was completely unaffected by the
attack.
FF nightly builds also block the PKIOverheid CA, which signs the certificates for key Dutch government websites and services (DigiD). Mozilla is going to have a fun time with Dutch users/Dutch Government/DigiNotar.
http://www.vasco.com/company/press_room/news_archive/2011/ne...
Maybe directly, certainly not indirectly.