
The fate of Qt users after DigiNotar security breach

DigiNotar is a Dutch certificate authority that VASCO Data Security International had owned and run for months, and it has faced a lot of hacking issues in recent times. This week, a great deal of information about the security breach at DigiNotar was made public. Here is a concise overview of the issues so far and their implications for Qt users.

The series of events so far

  • July 19th: The company first noticed the breach. Its infrastructure had been compromised and numerous fraudulent certificates had been issued, including one that lets its holder pose as Gmail. It was signed with one of DigiNotar’s authentic intermediate certificates, but it wasn’t signed by the company.
  • August 28th: Google Chrome alerted an Iranian Internet user that the certificate proffered by Gmail was not trusted. Chrome raised this alarm not because it knew the certificate was a fraud (actually the certificate was authentic, because the hackers broke into DigiNotar and issued legitimate certificates). Rather, Chrome supports a “certificate pinning” feature: for domains like mail.google.com, the browser has a concise built-in list of root CA certificates, and when it did not recognize the DigiNotar root certificate that signed it, it raised the alert.
  • August 29th: After a month of usage of this fraudulent certificate, DigiNotar revoked the *.google.com certificate. Subsequently, the browser vendors, including Internet Explorer, Firefox, and Google Chrome, agreed to blacklist the entire DigiNotar root certificate so as not to fall prey to any fraudulent certificate.
  • Subsequently: Other vendors, such as Linux distributions, pulled the DigiNotar root certificate from their stores, while Microsoft, Debian, Suse, and Ubuntu were planning to do so.
  • September 3: After the breach became clear, the Dutch government took over operational management of DigiNotar’s systems.

The Implication for Qt users

At the time of this report, Qt has blacklisted the fake *.google.com certificate for its 4.7 and upcoming versions such as 4.8 and 5.0. Nevertheless, there are probably many more fake certificates out there, because about 247 certificates have been blacklisted by Google Chrome. The issue looks even more dangerous because there is no detailed list of issued certificates as of now.

For Qt version 4.7.0 users

This Qt version has begun reading root certificates from the system, so it would not trust any certificate issued by DigiNotar.

For Qt version 4.6 users

Qt version 4.6 does not contain any DigiNotar certificate, so users need not worry, as they are completely safe.

What remains to be seen

The question now is: “Will the removal of the affected DigiNotar root certificate solve the problem?” This is a million-dollar question because DigiNotar has some “cross-signed” certificates, i.e. intermediate certificates which are owned by DigiNotar but signed by another Certificate Authority. The removal of the DigiNotar root certificate from the root store does not affect these certificates, and since there is no detailed compilation of issued certificates, we do not know the implications of this situation. We have to keep our fingers crossed, as it remains to be seen whether removing the DigiNotar root certificate was enough to curtail the entire situation.
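
The cross-signing concern can be seen in a toy path-building model. This is an added example, not code from Qt or from the original article; the key ids, host names and the "Other CA" that cross-signs the intermediate are constructed placeholders.

```cpp
#include <iostream>
#include <set>
#include <string>
#include <vector>

// Toy model (assumption): a certificate is its subject, its own key id and
// the key id that signed it. Real validation also checks signatures and dates.
struct Cert { std::string subject, key, signedBy; };
typedef std::set<std::string> KeySet;

// Depth-first path building: true if `cert` chains to a key in `roots` via
// issuers in `pool` without relying on any key listed in `blocked`.
bool chainsToTrust(const Cert& cert, const std::vector<Cert>& pool,
                   const KeySet& roots, const KeySet& blocked, int depth = 0) {
    if (depth > 8 || blocked.count(cert.key) || blocked.count(cert.signedBy))
        return false;
    if (roots.count(cert.signedBy)) return true;
    for (const Cert& issuer : pool)
        if (issuer.key == cert.signedBy &&
            chainsToTrust(issuer, pool, roots, blocked, depth + 1))
            return true;
    return false;
}

// Constructed sample data: one DigiNotar intermediate key that appears in two
// certificates (signed by its own root, and cross-signed by "Other CA").
std::vector<Cert> samplePool() {
    return {
        Cert{"DigiNotar Intermediate", "K_INT", "K_DIGINOTAR_ROOT"},
        Cert{"DigiNotar Intermediate", "K_INT", "K_OTHER_ROOT"},
        Cert{"Other CA Intermediate", "K_OTHER_INT", "K_OTHER_ROOT"},
    };
}

int main() {
    const Cert fraud{"mail.example.test", "K_FRAUD", "K_INT"};
    const Cert other{"shop.example.test", "K_SHOP", "K_OTHER_INT"};
    const std::vector<Cert> pool = samplePool();
    const KeySet rootRemoved{"K_OTHER_ROOT"};  // DigiNotar root already pulled
    const KeySet none, blockInt{"K_INT"};
    std::cout << std::boolalpha
        << "root removed only:   " << chainsToTrust(fraud, pool, rootRemoved, none) << "\n"
        << "intermediate blocked: " << chainsToTrust(fraud, pool, rootRemoved, blockInt) << "\n"
        << "unrelated leaf:       " << chainsToTrust(other, pool, rootRemoved, blockInt) << "\n";
    return 0;
}
```

With only the root removed, the leaf still validates through the cross-signed path; blocking the intermediate's key closes that path without affecting the other CA's own certificates.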
