
SANS ISC: Diginotar declared bankrupt - Internet Security | DShield SANS ISC InfoSec Forums


Diginotar declared bankrupt

In the latest installment of this seemingly never-ending saga, a Dutch court in Haarlem (NL) declared DigiNotar bankrupt.


The CA business is all about selling trust. After all, a CA is supposed to be a trusted third party. Let's hope all the remaining ones get the right message: it's not about not getting caught being hacked. On the contrary: it's about doing the right thing once you have been hacked. Let's hope it leads to more transparency and public scrutiny of the CAs we trust, explicitly or implicitly, through the choice of some of our vendors.

--
Swa Frantzen -- Section 66

I'm surprised they are bankrupt - but only because others in their situation haven't gone bankrupt. When Verisign gave out 2 certs for Microsoft to someone who walked in off the street in 2001, I figured Verisign would go out of business since all they were selling was trust, and they had a complete failure of their business. I thought - how could anyone ever trust them again - they only do one thing and they've proven they can't do that right. Instead, they issued a quick "I'm sorry" and then went about business as usual. So I'm surprised that Diginotar is bankrupt because other CAs have totally screwed up and survived just fine.
Anonymous
So, what gives a good indicator that the parent company, VASCO can be trusted? Given my experience with the corporate world, what's happening at a subsidiary can often be a good indicator of the business practices of the parent. Justify us trusting the parent company on this one.
Anonymous
I'm pretty sure that if you were a car salesman in a similar situation (you can sell cars but those cars cannot be used on public roadways) you'd go bankrupt as well. No one will buy a certificate if the major OSes and browsers all do not recognize them as a trusted source.
Anonymous
Three words: Internet death penalty
Anonymous
This would appear to be an example of the worst-case impact that we've avoided in our risk assessments, now realized: Your business will be critically (fatally) damaged due to insufficient security and a resultant breach.

What gets me is that for many years in the last decade, FUD was frowned upon. Now, thanks to polymorphic malware, advanced threats, and highly organized malefactors, FUD is what's being sold (and bought), even from many of the most credible sources in this field.
Anonymous
