The tally of digital certificates stolen from a Dutch company in July has exploded to more than 500, including ones for intelligence services like the CIA, the U.K.'s MI6 and Israel's Mossad, a Mozilla developer said Sunday.
The confirmed count of fraudulently issued SSL certificates now stands at 531, said Gervase Markham, a Mozilla developer who is part of the team that has been working to modify Firefox to block all sites signed with the purloined certificates.
Among the affected domains, said Markham, are those for the CIA, MI6, Mossad, Microsoft, Yahoo, Skype, Facebook, Twitter, and Microsoft's Windows Update service.
"Now that someone (presumably from Iran) has obtained a legit HTTPS cert for CIA.gov, I wonder if the US gov will pay attention to this mess," Christopher Soghoian, a Washington D.C.-based researcher noted for his work on online privacy, said in a tweet Saturday.
Soghoian was referring to assumptions by many experts that Iranian hackers, perhaps supported by that country's government, were behind the attack. Google has pointed fingers at Iran, saying that attacks using an ill-gotten certificate for google.com had targeted Iranian users.
All the certificates were issued by DigiNotar, a Dutch issuing firm that last week admitted its network had been hacked in July.
The company claimed that it had revoked all the fraudulent certificates, but then realized it had overlooked one that could be used to impersonate any Google service, including Gmail. DigiNotar went public only after users reported their findings to Google.
Criminals or governments could use the stolen certificates to conduct "man in the middle" attacks, tricking users into thinking they were at a legitimate site when in fact their communications were being secretly intercepted.
Google and Mozilla said this weekend that they would permanently block all the digital certificates issued by DigiNotar, including those used by the Dutch government.
Their decisions come less than a week after Google, Mozilla, and Microsoft all revoked more than 200 SSL (Secure Sockets Layer) certificates for use in their browsers, but left untouched hundreds more, many of which were used by the Dutch government to secure its websites.