So, people from within Iran have hacked the Dutch company DigiNotar, allowing them to issue fake certificates so they could listen in on Iranian dissidents and other organisations within Iran. This is a very simplified version of the story, since it's all quite complicated and I honestly don't even understand all of it. In any case, DigiNotar detected the intrusion July 19, but didn't really do anything with it until it all blew up in their face this past week. Now, the Dutch government has taken over operational management of DigiNotar... But as a Dutch citizen, that doesn't really fill me with confidence, because, well - whenever the Dutch government does anything even remotely related to IT technology, they mess it up. And mess it up bad.
If the Dutch government would get only a few things right, they would be doing things better than DigiNotar and would prevent many other attacks.

I think the Dutch government could have one team in one organisation that handles offline signing.

That means it is not in any way connected to the online world like DigiNotar.

They check a number of things (simplified):
- they receive a request by PGP-signed email
- check that they are on the contact list and the PGP signature checks out
- look at the name of the request and see that it doesn't have * or other silly things, e.g. municipality X does not need to create a certificate for the website of municipality Y
- call the people at the other end to check that they sent the email
- check the numbers on the certificate request over the phone
- create the certificate
- email it back, PGP signed

Done, much more secure than what they had before.
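As an added illustration of the name check and the phone read-back in the procedure above (this is example code written for this page, not the commenter's and not anything DigiNotar ran), here is a small stdlib-only Python checker. The contact list, the municipality domains and the idea of reading a SHA-256 fingerprint of the request back over the phone are all assumptions made for the example; real CSR parsing (pulling the CN and SANs out of the PEM) is left to a library and is represented here by a plain list of requested names.

```python
import hashlib
import hmac
import re
from typing import Dict, List, Set

# Constructed contact list (hypothetical addresses and domains): each registered
# requester may only ask for names inside the domains it is authorised for.
CONTACT_LIST: Dict[str, Set[str]] = {
    "ca-contact@gemeente-x.example": {"gemeente-x.example"},
    "ca-contact@gemeente-y.example": {"gemeente-y.example"},
}

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen, max 63 chars.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def check_request_names(requester: str, names: List[str]) -> List[str]:
    """Return a list of rejection reasons; an empty list means every name is acceptable.

    Rejects unknown requesters, wildcard names, malformed hostnames, and names
    outside the domains the requester is authorised for (municipality X must
    not obtain a certificate for municipality Y).
    """
    allowed = CONTACT_LIST.get(requester)
    if allowed is None:
        return [f"{requester} is not on the contact list"]

    problems: List[str] = []
    for name in names:
        n = name.strip().lower().rstrip(".")
        if "*" in n:
            problems.append(f"{name}: wildcard names are not issued")
            continue
        if not n or not all(LABEL_RE.match(label) for label in n.split(".")):
            problems.append(f"{name}: malformed hostname")
            continue
        # Exact match or a proper subdomain; "evil-gemeente-x.example" does not
        # end with ".gemeente-x.example", so it is correctly rejected.
        if not any(n == d or n.endswith("." + d) for d in allowed):
            problems.append(f"{name}: {requester} is not authorised for this domain")
    return problems


def spoken_fingerprint(csr_pem: bytes) -> str:
    """SHA-256 of the request bytes, grouped in blocks of four hex digits so it can
    be read out loud over the phone without losing one's place."""
    digest = hashlib.sha256(csr_pem).hexdigest().upper()
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))


def fingerprint_matches(csr_pem: bytes, readback: str) -> bool:
    """True if what the caller read back equals our fingerprint (spacing and case ignored)."""
    expected = spoken_fingerprint(csr_pem).replace(" ", "")
    got = "".join(readback.split()).upper()
    return hmac.compare_digest(expected, got)


if __name__ == "__main__":
    # Constructed stand-in for the PEM bytes of a received request.
    request = b"-----BEGIN CERTIFICATE REQUEST-----\nEXAMPLE-ONLY\n-----END CERTIFICATE REQUEST-----\n"
    who = "ca-contact@gemeente-x.example"
    print(check_request_names(who, ["www.gemeente-x.example"]))          # []
    print(check_request_names(who, ["*.gemeente-x.example",
                                    "www.gemeente-y.example"]))          # two rejections
    print("Read this to the caller:", spoken_fingerprint(request))
```

The fingerprint step only protects against a request being swapped in transit; it does not replace the contact-list and domain checks, which are what stop a legitimately signed request from asking for someone else's name.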

