SecurityVibes – IT Security & Compliance Magazine

Fresh worries about SSL – DigiNotar admits breach

Author: Derek Parkinson, in Threats & Alerts

Certificate Authority (CA) DigiNotar has admitted it was the victim of a security breach on July 19 that allowed the attackers to issue fake SSL certificates, enabling them to launch so-called “man-in-the-middle” attacks against unsuspecting users of Gmail.

Such attacks could divert users to faked or compromised versions of trusted websites where personal details could be harvested directly or through malware deposited on a visitor’s machine. Although initial concerns raised the possibility that the attack might have been launched by the government in Iran, there is no evidence to support this at present, and DigiNotar has revealed nothing of what it knows or suspects about the identity of the attackers.

However, we can be certain that this raises fresh concern about our CA infrastructure. CAs are an essential part of the day-to-day management of SSL, the encryption technology that guarantees websites are what they claim to be. If SSL certificates can be faked even the best encryption technology is worthless as a mark of authenticity.

Because of this DigiNotar will face intense scrutiny of the way it responded to the attack. According to its own account, the company detected the breach itself and revoked all the compromised certificates except those affecting Google, which seems a remarkable oversight. It wasn’t until a Google user in Iran flagged up a warning given by his Chrome browser on a user forum on August 27 – well over a month later – that the issue came to public attention. At the time of writing Google has shed no light on exactly why Chrome flagged a warning for this SSL certificate.
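The two paragraphs above describe the weak point in the CA model: a browser that trusts every root CA equally will accept a fraudulently issued certificate as long as its signature checks out, and revocation only helps once the CA has actually revoked it. The added example below (it is not code from the article, DigiNotar or Google) models that trust decision in Python with a constructed toy PKI. HMAC over a per-CA secret stands in for a real RSA/ECDSA signature, and the CA names, hostnames and serial numbers are invented. It shows the same fraudulent certificate passing a plain trust-store check, then being rejected by per-host issuer pinning, by a revocation entry, and by distrusting the compromised CA outright, which are the three mitigations available to a relying party.

```python
"""Toy model of CA trust, revocation and issuer pinning (added example, not
from the original article). HMAC with a per-CA secret stands in for the CA's
asymmetric signature; a real verifier would hold only the CA's public key.
All CA names, hostnames and serials below are constructed for illustration."""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cert:
    subject: str      # hostname the certificate claims to identify
    issuer: str       # name of the issuing CA
    serial: int       # serial number, unique per issuer
    signature: str    # hex digest over the to-be-signed fields


def _tbs(subject: str, issuer: str, serial: int) -> bytes:
    """The 'to-be-signed' bytes, i.e. what the CA commits to."""
    return f"{subject}|{issuer}|{serial}".encode()


def issue(ca_name: str, ca_secret: bytes, subject: str, serial: int) -> Cert:
    """Issue a certificate. Anyone holding ca_secret can do this, which is
    exactly what a CA compromise gives an attacker."""
    sig = hmac.new(ca_secret, _tbs(subject, ca_name, serial), hashlib.sha256).hexdigest()
    return Cert(subject, ca_name, serial, sig)


@dataclass
class TrustStore:
    roots: dict                                   # CA name -> verification key
    revoked: set = field(default_factory=set)     # (issuer, serial) pairs from a CRL
    distrusted: set = field(default_factory=set)  # CAs the relying party no longer accepts
    pins: dict = field(default_factory=dict)      # hostname -> set of issuers allowed for it


def validate(store: TrustStore, cert: Cert, hostname: str) -> str:
    """Return 'ok' or the first reason the certificate is rejected."""
    if cert.subject != hostname:
        return "hostname mismatch"
    key = store.roots.get(cert.issuer)
    if key is None:
        return "unknown CA"
    expected = hmac.new(key, _tbs(cert.subject, cert.issuer, cert.serial), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cert.signature):
        return "bad signature"
    if cert.issuer in store.distrusted:
        return "issuer distrusted"
    if (cert.issuer, cert.serial) in store.revoked:
        return "revoked"
    allowed = store.pins.get(hostname)
    if allowed is not None and cert.issuer not in allowed:
        return "pin violation"
    return "ok"


def demo() -> dict:
    """Walk the fraudulent certificate through the four trust configurations."""
    good_secret = b"constructed-secret-for-GoodCA"
    compromised_secret = b"constructed-secret-for-CompromisedCA"
    host = "mail.example.com"

    # The legitimate operator's certificate, issued by the CA it actually uses.
    legit = issue("GoodCA", good_secret, host, serial=1001)
    # A fraudulent certificate for the same host, minted with the stolen
    # signing capability of a different, still-trusted CA.
    fraud = issue("CompromisedCA", compromised_secret, host, serial=7)

    roots = {"GoodCA": good_secret, "CompromisedCA": compromised_secret}
    results = {}

    # 1. Plain trust store: both certificates are accepted; the fraud is invisible.
    plain = TrustStore(roots=roots)
    results["plain"] = (validate(plain, legit, host), validate(plain, fraud, host))

    # 2. Issuer pinning: the relying party knows which CA this host uses.
    pinned = TrustStore(roots=roots, pins={host: {"GoodCA"}})
    results["pinned"] = (validate(pinned, legit, host), validate(pinned, fraud, host))

    # 3. Revocation: only helps once the CA has published the serial on a CRL.
    revoked = TrustStore(roots=roots, revoked={("CompromisedCA", 7)})
    results["revoked"] = (validate(revoked, legit, host), validate(revoked, fraud, host))

    # 4. Distrusting the CA entirely, as browsers do after a breach.
    distrusted = TrustStore(roots=roots, distrusted={"CompromisedCA"})
    results["distrusted"] = (validate(distrusted, legit, host), validate(distrusted, fraud, host))
    return results


if __name__ == "__main__":
    for name, (legit_result, fraud_result) in demo().items():
        print(f"{name:>10}: legitimate={legit_result}, fraudulent={fraud_result}")
```

The plain trust store is the configuration the article worries about: the fraudulent certificate is indistinguishable from a genuine one because the trust decision asks only "is the issuer a trusted CA?", not "is this the CA that should be vouching for this host?". Pinning answers the second question on the client side without waiting for the CA; revocation and distrust both depend on someone having noticed the breach first.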

In the meantime the sorry affair also raises important questions for DigiNotar and Vasco, its new parent company following a $13m takeover in January this year. DigiNotar, a small Amsterdam-based company of roughly 45 people, had a track record of working successfully with government on PKI projects and CA, but primarily within the Netherlands. A key aim of the acquisition was to open up new markets for DigiNotar, an ambition that now looks somewhat tarnished, at least in the short term.

Not surprisingly, both are now engaged in damage limitation, with DigiNotar emphasising that its CA infrastructure is separate from the PKI infrastructure that is the foundation of its business with the Dutch government, while Vasco says the incident will have little or no impact on revenues this year, or on future business plans.

That’s nice to know for shareholders but it will be no comfort for the numerous end users now worrying about the security of their personal data. Perhaps it’s time for a rethink of our CA infrastructure – is it hoping for too much to expect a model that takes the interests of end users more seriously?
