A well-known security firm warns that the number of compromised digital security certificates from DigiNotar, a Dutch certificate authority outfit owned by VASCO Data Security International, has doubled over the past week, from 250 false SSL certificates to 531. False certificates have now been issued for Facebook, Google, Tor, Skype, Mossad, CIA, MI6, Twitter, and several other high-profile sites.
“This is really bad news. As DigiNotar is a ‘root’ certificate, they can assign authority to intermediaries to sign and validate certificates on their behalf,” security firm Sophos explains. “It appears the attackers signed 186 certificates that could have been intermediate certificates. These certificates masqueraded as well-known certificate authorities like Thawte, Verisign, Comodo, and Equifax.”
According to Sophos, computer users of IE and Safari on Windows 7/Vista/2008/2008R2 and/or Chrome and Firefox on all platforms are immune from exploitation, so long as you’re rocking a fully patched browser and OS. Things aren’t as peachy for Apple users.