How do we block this one?
How can we block all certificates that stem from any so-called certificate authority that is owned by the same parent company?
Sloppiness with certificates must be punished severely.
Did you bother to read the article, or did you just respond based on the headline? So far, there isn't any evidence of sloppiness with certificates. A publicly accessible web server was hacked, and, as a precaution, they've taken all of their websites offline.
If you punish companies for being open about the fact that they're investigating to see if there really has been a breach, then you'll be encouraging them to act like DigiNotar, and keep things under wraps as long as possible!
Have a look at the draft RFC for Domain Authenticated Named Entities; this creates a new Transport Layer Security Association which could be used to eliminate CAs completely. This does require the use of DNSSEC to digitally sign the certificates used for web sites.
However, using a hosted DNS service with a website which is poorly maintained could lead to your DNS records being compromised even if they are signed using DNSSEC.
DANE/DNSSEC better, but far from perfect
DANE relies upon DNSSEC to carry signatures to authenticate entities identifiable through a domain name. Security will still depend on the integrity of purpose and procedures of domain registries and TLDs, which will effectively become the new breed of CA. A corrupt or insecure registrar capable of issuing .com names will still be able to compromise any .com site, but under DNSSEC they won't be able to compromise domain names not ending in .com. That makes it better than the current CA system, but it still has major issues, e.g. someone who doesn't spot that they are connecting to microsfot.com instead of microsoft.com will still be vulnerable, assuming the typosquatter is allowed to register such a name.
What is up with Firefox?
Every time I get an update of Firefox, good old DigiNotar is back in the trusted authorities list. I thought this was an authority that was eliminated.
@Wile E. Veteran: check bugzilla
The first on the list might be helpful: <https://bugzilla.mozilla.org/show_bug.cgi?id=699759>. They talk about it being a Debian issue, and rather interestingly as well:
"Instead of simply removing DigiNotar, we have added special DigiNotar replacement certificates, that have the effect of explicitly distrusting the old DigiNotar certificates."
Having looked at mine, this seems to be what they show. Looks like you may be good after all.
If penetrating a web site implies penetrating the trusted certification setup, then something is wrong. Surely you wouldn't run the public-facing web server on the same iron as the authentication service? Or, indeed, have any connection whatsoever?
How many to go?
Short of really, really good investigators and a firing squad, what can we do?
Small companies should roll their own...
I represent a small company and one of the things I do for customers is hosting. All my servers use the Webmin control panel, which I've become extremely fond of:
Open source, free to use, supports quite a share of environments, and it's very versatile. The best part is that it can grok manually set configuration schemes (to a certain extent) and fully supports those. Wonderful stuff.
Naturally, because this is private traffic, all of my servers utilize encrypted connections (for webmin (control panel), usermin (webmail) as well as horde (idem)). I also like to sign some of my Word documents (not so much for privacy concerns but more to prevent (accidental) changes) as well as some VBA macros (same reason).
Not only would such an environment be very costly (especially for a low/mid ranged firm) but one can also wonder what the added value is to get an 'official' certificate when all you're after is encryption.
So my company simply uses a self-signed company certificate (long live openssl!) which is used to sign several of the certificates I mention above. New customers get a welcome letter as well as a copy of said root certificate with the request to install this on their main computer.
Naturally, also explaining why we're doing this and carefully explaining that this isn't a requirement, but that it will make accessing our services a little more pleasant. Most of my customers are fully understanding and think it's a very good setup. After all, all they need to do in Windows is click on the certificate and follow the things Windows is telling them.
And because the machine which issues said certificate isn't connected to the Internet in any way, the chances of it getting overrun are slim. Heck, there isn't even much reason to try and overrun it, because the only people using said certificate are our customers and support staff. Not a large crowd, so to say...
Cheaper, (IMO) more secure, easier for the customers and, most of all, you achieve the same results, which are very likely more reliable as well.
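The two comments above, the one on DANE/DNSSEC and the one on running a private root CA with openssl, both come down to the same handful of openssl operations. The script below is an added example written for this thread, not code posted by any commenter: it builds an offline-style root CA, issues a server certificate from it, checks that a certificate from an unrelated root does not verify against it (which is the whole point of handing customers only your own root), and derives the DANE TLSA record (usage 3, selector 1, matching type 1: end-entity cert, SubjectPublicKeyInfo, SHA-256) that you would publish under DNSSEC for that server. The hostnames, the CA names and the use of a temporary working directory are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a working openssl binary and a
# writable temp dir. All names (root CA, rogue CA, hostnames) are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Create a root CA: private key plus a self-signed certificate.
# In practice this step lives on a machine that never touches the network.
make_root_ca() {            # $1 = CA name, e.g. "company-root"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/$1.key" 2>/dev/null
  openssl req -x509 -new -key "$WORK/$1.key" -sha256 -days 3650 \
    -subj "/CN=$1" -out "$WORK/$1.crt" 2>/dev/null
}

# Issue a server certificate for a hostname, signed by the named root CA.
# SAN and serverAuth EKU are set so modern clients accept it for TLS.
issue_server_cert() {       # $1 = hostname, $2 = CA name
  host="$1"; ca="$2"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/$host.key" 2>/dev/null
  openssl req -new -key "$WORK/$host.key" -subj "/CN=$host" \
    -out "$WORK/$host.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" \
    > "$WORK/$host.ext"
  openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/$ca.crt" \
    -CAkey "$WORK/$ca.key" -CAcreateserial -days 365 -sha256 \
    -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" 2>/dev/null
}

# Does the server certificate chain to the given root? Prints ok or fail.
# This is what a customer's machine does once it has installed the root.
verify_chain() {            # $1 = hostname, $2 = CA name to trust
  if openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

# DANE TLSA "3 1 1": pin the SHA-256 of the server's SubjectPublicKeyInfo.
# Published in DNS (and signed with DNSSEC), this lets a DANE-aware client
# accept the cert without any CA, which is the thread's point about DANE.
tlsa_record() {             # $1 = hostname
  host="$1"
  hash=$(openssl x509 -in "$WORK/$host.crt" -noout -pubkey \
         | openssl pkey -pubin -outform DER \
         | openssl dgst -sha256 | sed 's/^.*= //')
  echo "_443._tcp.$host. IN TLSA 3 1 1 $hash"
}

# Stand-alone demo when run directly.
if [ "${0##*/}" != "sh" ] && [ "${DEMO:-1}" = 1 ]; then
  make_root_ca company-root
  issue_server_cert webmail.example.internal company-root
  echo "chain to company-root: $(verify_chain webmail.example.internal company-root)"
  tlsa_record webmail.example.internal
fi
```

Distributing only company-root.crt to customers is what makes the second verify_chain case fail: a certificate signed by any other root, however well-known, is simply not trusted for these hosts. The TLSA line is the record you would add to the zone; it is only worth anything if the zone is DNSSEC-signed, which is the DNS-hosting caveat raised in the thread.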