Microsoft, Google and Mozilla have revoked the Diginotar certificates from their lists of safe certificates for browsers and applications. Shortly after, the Dutch government decided that digital certificates from the Dutch Certification Service Provider
(CSP) DigiNotar could no longer be trusted. Rendering tens of thousands of digital certificates from the Dutch leading CSP worthless in a fortnight!
These quite feverish actions followed after they discovered that a false digital certificate from the Dutch Certification Service Provider (CSP) DigiNotar had been abused by the Iranian regime to redirect a filter through Iranian Gmail traffic. Also, there
was a fair chance that the extra secured Government Public Key Infrastructure had been compromised as well.
Iran is eavesdropping on their own people
Everything after the announcement that a security certificate for the domain Google.com had been counterfeited using the infrastructure of the Dutch Certification Service Provider (CSP) DigiNotar. Using this fake certificate, the Iranian authorities were able
to redirect all Gmail traffic to their own servers and filtering through the mail.
Whereas the end-users were under the impression that they were directly connected with Gmail, they in reality communicated with Gmail through the servers of the Iranian Government!
While the hack into the Diginotar systems had already taken place in mid-July, Diginotar neglected to report the incident. Only after a German sister company of DigiNotar (DigiNotar is owned by US based Vasco) noticed that strange things were going on,
the bubble burst.
This created an oil spill effect, leading to all parties revoking their trust in the Diginotar digital certificates, rendering over 60,000 digital certificates useless. This has an impact on e-invoicing too.
Multinational dimension: 4 other CSP’s under suspicion
A scary movie posted in pastebin (http://pastebin.com/1AxH30em) makes clear that this is no isolated event. The Iranian hack claims that it was also the mastermind behind the Comodo hack.
And this makes it even scarier: he claims to have hacked 4 other CSP’s to. One of these is GlobalSign that has already stated that is currently undergoing a rigorous analysis to see whether they have indeed been compromised.
Impact on e-invoicing
Digital certificates are used for a wide variety of purposes: signing applications, signing e-mail messages, securing websites and applications,
and of course electronic invoicing.
Revoking certificates by Microsoft, Google and Mozilla from their lists of safe certificates for browsers and applications has far-reaching consequences:
1. Digital signatures attached to (PDF) invoices created with faulty digital certificates are now no longer legally compliant, because of a lack of authenticity and integrity guarantees.
2. Visiting or signing in on an e-invoice portal that works with a revoked digital certificate is no longer possible or will be surrounded by all kinds of warnings by Internet Explorer, Chrome and Firefox.
In case of such warnings one should remember that the website concerned might no longer be trusted and therefore that it could very well not be the real destination (eg: redirection).
3. Users of Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 will see an error message when surfing to invoice portals or online billing service providers that have implemented revoked certificates.
4. In some cases, sending e-invoices is no longer possible to (public) organisations that require a specific digital certificate.
Actions for e-invoicing providers and e-invoicing implementations
Organisations that offer e-invoice services, organisations that offer international authentication services and organisations that have implemented e-invoicing, have their work cut out:
- investigate whether they have implemented a certificate that is under suspicion (Comodo, DigiNotar and perhaps GlobalSign)
- If necessary: purchase, implement or use another certificate.
Hail hail e-invoicing liberalisation
The current situation shows the vulnerability of using a public key infrastructure for guaranteeing the authenticity and integrity of e-invoices.
When a regular CSP is compromised (not necessarily by a hack), it immediately makes tens of thousands of digital certificates worthless; affecting millions of electronic invoices. When this CSP is an international player, we are talking about a tenfold effect.
Europe’s near future for e-invoicing liberalisation makes e-invoices much less vulnerable to such precarious situations: after 1-1-2013 technical measures are no longer necessary for establishing integrity and authenticity.