> series: anatomy_of_a_breach —— part: 033 —— target: diginotar_ca —— fake_certs: 531 —— iranian_victims: 300,000 —— outcome: bankruptcy
On 29 August 2011, a Google Chrome user in Iran noticed something unusual: their browser was displaying a certificate warning for Gmail that it had not shown before. Investigation revealed that a fraudulent SSL certificate for *.google.com had been issued by DigiNotar, a Dutch certificate authority. The certificate was being used — in conjunction with network-level traffic interception by Iranian ISPs — to perform a man-in-the-middle attack on Gmail traffic, enabling the surveillance of an estimated 300,000 Iranian citizens' email communications.
As the investigation widened, the scale of the compromise became clear: the attackers had issued at least 531 fraudulent certificates for domains including google.com, yahoo.com, microsoft.com, skype.com, mozilla.org, torproject.org, and — ominously — the domains of intelligence agencies. DigiNotar's entire infrastructure had been compromised for weeks before detection. An independent audit by Fox-IT described the company's security as catastrophically inadequate: unpatched software, weak passwords, no segmentation, and malware on critical CA servers. Within weeks, every major browser vendor had revoked trust in all DigiNotar certificates. The Dutch government, which used DigiNotar-issued certificates for citizen-facing services, was forced to emergency-replace them. DigiNotar declared bankruptcy on 20 September 2011 — destroyed, completely and permanently, by a single breach.
We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.
Free Scoping Call

The independent audit conducted by Dutch security firm Fox-IT after the breach revealed a litany of security failures that, collectively, paint a picture of an organisation that had no business operating as a certificate authority.
| Finding | Significance |
|---|---|
| Software not patched | Critical systems were running outdated, unpatched software with known vulnerabilities — the same finding that enabled the Sony PSN breach. Cyber Essentials Danzell mandates 14-day critical patching. |
| Weak passwords on critical systems | CA-critical infrastructure was protected by weak, easily guessable passwords. Our password cracking assessments demonstrate how quickly weak credentials fall. |
| No network segmentation | The CA signing infrastructure was accessible from the same network as general-purpose servers. A compromise of any system could reach the certificate-issuing systems. Infrastructure testing validates segmentation. |
| Malware on CA servers | Active malware was found on servers in the certificate issuance path. The presence of malware on the most critical systems in the entire PKI chain demonstrated a complete absence of integrity monitoring. |
| No intrusion detection | DigiNotar had no capability to detect the compromise — it was discovered externally by a user in Iran. SOC in a Box provides the continuous monitoring that DigiNotar lacked. |
The DigiNotar breach was not an abstract technical failure — it had direct human consequences. The fraudulent google.com certificate was used to intercept the Gmail communications of an estimated 300,000 people in Iran. For political dissidents, human rights activists, and journalists operating under an authoritarian regime, this surveillance could have — and may have — resulted in imprisonment, torture, or death. The fraudulent torproject.org certificate was designed to compromise Tor, the anonymity network used by dissidents to circumvent censorship. The DigiNotar breach was, in effect, a tool of state repression — enabled by the negligent security of a small Dutch company.
DigiNotar's destruction set a precedent: certificate authorities that are compromised lose the trust of the browser vendors, and without that trust, they cease to exist. The Comodo breach earlier in 2011 was survived because the compromise was limited to a single RA partner. DigiNotar's compromise was total — and so was the response. The incident accelerated the development of Certificate Transparency, CAA records, and other mechanisms to detect and prevent CA compromise.
For organisations that depend on HTTPS — which is every organisation — the DigiNotar case reinforces the importance of certificate monitoring, CAA DNS records, and HSTS deployment. Our web application testing includes TLS and certificate security assessment. SOC in a Box monitors Certificate Transparency logs for your domains. And UK Cyber Defence provides the incident response capability when certificate-related attacks are detected.
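A minimal illustration of the two controls named above, CAA policy and Certificate Transparency monitoring, added here as an example that is not part of the original article or of any vendor's product: it walks constructed CT log entries and flags any certificate for a monitored domain whose issuer the domain's CAA records would not have permitted, applying the RFC 8659 tree-climbing lookup. The CAA zone, the log entries and the issuer names are all constructed.

```python
from dataclasses import dataclass, field
# Constructed CAA data for the monitored zone (example values, not a real DNS zone):
# only letsencrypt.org may issue, and no CA at all may issue wildcard certificates.
CAA_ZONE = {"example.com": [("issue", "letsencrypt.org"), ("issuewild", ";")]}

def caa_permits(name, issuer_caa_domain, zone=CAA_ZONE):
    """RFC 8659 check: climb from `name` towards the root and apply the first CAA
    record set found. `issuer_caa_domain` is the identifier a CA publishes for CAA."""
    wildcard = name.startswith("*.")
    labels = (name[2:] if wildcard else name).split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records is None:
            continue                      # no CAA at this label, try the parent
        relevant = [v for t, v in records if t == "issuewild"] if wildcard else []
        if not relevant:                  # not a wildcard, or issuewild absent: use issue
            relevant = [v for t, v in records if t == "issue"]
        if not relevant:
            return True                   # CAA set exists but restricts nothing
        # A value of ";" names no CA, so it matches no issuer (this blocks wildcards above).
        return issuer_caa_domain in {v.split(";")[0].strip() for v in relevant}
    return True                           # no CAA anywhere in the tree: any CA may issue

@dataclass
class CTEntry:
    log_index: int
    issuer: str             # issuer name as recorded in the log
    issuer_caa_domain: str  # CAA identifier for that issuer
    sans: list = field(default_factory=list)

def review_ct_entries(entries, monitored_domains, zone=CAA_ZONE):
    """Return (log_index, name, issuer) for every logged certificate naming one of
    our domains whose issuer the CAA policy would not have permitted."""
    alerts = []
    for e in entries:
        for san in e.sans:
            base = san[2:] if san.startswith("*.") else san
            if not any(base == d or base.endswith("." + d) for d in monitored_domains):
                continue                  # somebody else's name, not our concern
            if not caa_permits(san, e.issuer_caa_domain, zone):
                alerts.append((e.log_index, san, e.issuer))
    return alerts

# Constructed CT log entries standing in for real log output.
SAMPLE_ENTRIES = [
    CTEntry(1001, "Let's Encrypt R3", "letsencrypt.org", ["www.example.com"]),
    CTEntry(1002, "Let's Encrypt R3", "letsencrypt.org", ["*.example.com"]),
    CTEntry(1003, "Hypothetical Rogue CA", "rogue-ca.example", ["mail.example.com", "other.example"]),
    CTEntry(1004, "Hypothetical Rogue CA", "rogue-ca.example", ["unrelated.org"]),
]
```

Running `review_ct_entries(SAMPLE_ENTRIES, ["example.com"])` flags the wildcard issuance (blocked by `issuewild ";"`) and the rogue-CA certificate for mail.example.com, while ignoring the name that belongs to someone else.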
Our <a href="/penetration-testing/web-application">web application testing</a> assesses TLS configuration and certificate security. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for fraudulent certificates issued for your domains.