BankThink

Spoof Sites May Be Fueled by Digital Certificate Breach

About 200 digital certificates, which are used to verify the legitimacy of websites, may have been compromised or fraudulently issued in a recent breach, according to new estimates.

A fraudster could use a bogus certificate to trick Web browsers into accepting a spoofed website as if it were legitimate. The fraudster would then be able to intercept sensitive data such as banking or email passwords. Web browsers typically warn users when they cannot verify that a site's certificate was properly issued.

The compromise took place in July at DigiNotar, a Dutch subsidiary of Vasco Data Security International Inc., Computerworld reported Wednesday. DigiNotar, which issues the certificates, said the number of fraudulently obtained certificates is in the dozens — but a security researcher and a bug-tracking database indicate the number might exceed 200, the article said.

DigiNotar initially said it revoked the certificates that were issued to fraudsters, but it overlooked at least one, which allowed fraudsters to impersonate Google Inc. services, the article said. Google said the certificate was used to target people in Iran.

Google's Chrome Web browser has a separate method for validating Google's digital certificates, providing further protection against bogus Google sites, according to an earlier article Computerworld ran.
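The "separate method" mentioned above is public-key pinning: in addition to checking that a certificate chains to a trusted authority, the browser checks that the site's public key matches a value it already knows. The following is an added illustration, not code from Computerworld, Google or DigiNotar. It builds two constructed, unsigned X.509-shaped certificates with a toy DER encoder (the `make_cert`, `parse_cert` and `validate` helpers, the CA names and key bytes are all assumptions for the example), simulates a trust store as a set of issuer names, and shows that a certificate issued by a trusted but compromised authority passes the chain check yet fails the pin check.

```python
"""Added example: SPKI pinning check alongside ordinary CA trust."""
import base64
import hashlib


# --- minimal DER encoding/decoding, just enough for the toy certificate ---
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def seq(*parts: bytes) -> bytes:
    return der(0x30, b"".join(parts))


def tlvs(content: bytes):
    """Yield (tag, raw_tlv_bytes, inner_content) for each DER element."""
    pos = 0
    while pos < len(content):
        start = pos
        tag, first = content[pos], content[pos + 1]
        pos += 2
        if first & 0x80:
            n = first & 0x7F
            length = int.from_bytes(content[pos:pos + n], "big")
            pos += n
        else:
            length = first
        inner = content[pos:pos + length]
        pos += length
        yield tag, content[start:pos], inner


OID_CN = der(0x06, bytes([0x55, 0x04, 0x03]))  # 2.5.4.3 commonName
OID_RSA = der(0x06, bytes([0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01]))
OID_SHA256RSA = der(0x06, bytes([0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B]))


def name(cn: str) -> bytes:
    # Name = SEQ { SET { SEQ { OID commonName, UTF8String } } }
    return seq(der(0x31, seq(OID_CN, der(0x0C, cn.encode()))))


def spki_for(key_bytes: bytes) -> bytes:
    # SubjectPublicKeyInfo = SEQ { SEQ { OID rsaEncryption, NULL }, BIT STRING }
    return seq(seq(OID_RSA, der(0x05, b"")), der(0x03, b"\x00" + key_bytes))


def make_cert(subject_cn: str, issuer_cn: str, key_bytes: bytes) -> bytes:
    """Constructed, unsigned certificate shape (assumption: signature is dummy)."""
    tbs = seq(
        der(0xA0, der(0x02, b"\x02")),  # [0] version v3
        der(0x02, b"\x01"),  # serialNumber
        seq(OID_SHA256RSA, der(0x05, b"")),  # signature algorithm
        name(issuer_cn),
        seq(der(0x17, b"110701000000Z"), der(0x17, b"120701000000Z")),  # validity
        name(subject_cn),
        spki_for(key_bytes),
    )
    return seq(tbs, seq(OID_SHA256RSA, der(0x05, b"")), der(0x03, b"\x00" * 9))


def parse_cert(cert_der: bytes):
    """Return (issuer common name, raw SubjectPublicKeyInfo DER)."""
    _, _, cert_inner = next(tlvs(cert_der))  # SEQ { tbs, sigAlg, signature }
    _, _, tbs_inner = next(tlvs(cert_inner))
    fields = list(tlvs(tbs_inner))
    if fields[0][0] == 0xA0:  # optional [0] version present
        fields = fields[1:]
    # fields: serial, sigAlg, issuer, validity, subject, spki
    _, _, set_inner = next(tlvs(fields[2][2]))
    _, _, attr_inner = next(tlvs(set_inner))
    issuer_cn = list(tlvs(attr_inner))[1][2].decode()
    return issuer_cn, fields[5][1]


def spki_pin(spki_raw: bytes) -> str:
    """HPKP-style pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_raw).digest()).decode()


def validate(cert_der: bytes, trusted_cas: set, pins: set):
    """Return (chain_ok, pin_ok); trust store simplified to issuer-name match."""
    issuer_cn, spki_raw = parse_cert(cert_der)
    return issuer_cn in trusted_cas, spki_pin(spki_raw) in pins


# Constructed scenario: both authorities are in the trust store, as a breached CA
# still is until browsers remove it; only the genuine key is pinned.
TRUSTED_CAS = {"Example Root CA", "Example Compromised CA"}
REAL_KEY = b"real-public-key-bytes-00"  # constructed stand-in for a key
ROGUE_KEY = b"rogue-public-key-bytes-0"
GENUINE = make_cert("www.example.com", "Example Root CA", REAL_KEY)
ROGUE = make_cert("www.example.com", "Example Compromised CA", ROGUE_KEY)
PINS = {spki_pin(spki_for(REAL_KEY))}

if __name__ == "__main__":
    print("genuine:", validate(GENUINE, TRUSTED_CAS, PINS))  # (True, True)
    print("rogue:  ", validate(ROGUE, TRUSTED_CAS, PINS))  # (True, False)
```

The chain check alone accepts both certificates because a fraudulently issued certificate from a trusted authority is, by construction, valid. The pin comparison is what catches the rogue key, which is why the mis-issued Google certificate described above was detected in Chrome rather than silently accepted. Real deployments pin the hash of the DER-encoded SubjectPublicKeyInfo, as shown, and keep a backup pin so that a routine key rotation does not lock users out.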
