Security Alert: DigiNotar Issues Fraudulent Certificate–Instructions for How to Protect Yourself

A Gmail user from Iran has discovered what appears to be a fraudulent SSL certificate for * The certificate was issued by DigiNotar, a certificate authority from the Netherlands, on July 10, 2011. What does this mean? The Register explains it the best for non-Internet security folks, but in a nutshell, it allows the holder of this certificate to masquerade as Google. Used for malicious purposes, they could redirect your browser and phish away your Google account credentials, gaining access to your Google Plus, Gmail, Google Shopping, Google Docs and other Google-based service accounts. Or they could simply intercept data that you are sending to Google, eavesdrop on all your communications (including personal information and login information) and send it along, all without you knowing.

Update: A Microsoft Security Advisory (2607712) indicates that the DigiNotar certificate has been removed from the Microsoft Certificate Trust List, meaning that all Windows Vista and Windows 7 systems will be protected. No further action should be necessary. Windows XP and Windows Server 2003 users should keep an eye out for an update, or follow the directions below.

Mac users: Follow these instructions to remove DigiNotar from your keychain.

The powers that be have already leaped into action, and the certificate has been added to the certificate revocation list (CRL). This means that if you attempt to browse one of these phony redirected sites, you should be alerted that something is afoot. Mozilla will be releasing updates to Firefox, Thunderbird, and Seamonkey that will revoke trust in DigiNotar, effectively protecting users from this particular security compromise. In the meantime, you can manually revoke the DigiNotar root in Firefox (see instructions below).

The latest version of Google Chrome should also be protected from the fraudulent certificate from DigiNotar, though there are measures you can take to make double-sure. Instructions below.

The first step is to make sure that you have the latest version of whichever browser you are using. Get it here:

Securing Internet Explorer and Google Chrome from the Fake DigiNotar Certificate

These steps will add the phony certificate to your system as an Untrusted Certificate. This will affect both Internet Explorer and Chrome.

Step 1

Open up Notepad.exe.

Step 2

Go to and copy the text between the words BEGIN CERTIFICATE and END CERTIFICATE. Paste it into Notepad.

Or, just copy and paste it from here:


You can also just download the .cer file directly from us.

Step 3

Save it with a .cer extension. Not as a .txt file. Use something like badcert.cer.

The icon looks like this in Windows 7:

Step 4

Open Control Panel and go to Internet Options. Click the Content tab. Click Certificates.

Step 5

Click the right-arrow along the top till you see Untrusted Publishers. Click Import.

Step 6

Browse to your badcert.cer file and import it.

Step 7

Place it in Untrusted Certificates. Click Next until complete.

Step 8

You’ll see DigiNotar’s certificate near the top.
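
Steps 3 through 8 can also be scripted, which helps when the same change has to be made on more than one machine. The PowerShell below is an added example, not part of the original instructions; it assumes the file is named badcert.cer as in Step 3, that the Untrusted Certificates store is addressed by its system name Disallowed, and $ExpectedThumbprint is a placeholder you replace with the thumbprint published by a source you trust.

```powershell
# Added example: scripted equivalent of Steps 3-8 for the current user.
# $ExpectedThumbprint is a placeholder, not a value taken from this page.
param(
    [string]$Path = '.\badcert.cer',
    [string]$ExpectedThumbprint = '<THUMBPRINT-FROM-TRUSTED-SOURCE>'
)
$ErrorActionPreference = 'Stop'

# Notepad likes to append .txt; refuse anything that is not really a .cer file.
$file = Get-Item -LiteralPath $Path
if ($file.Extension -ne '.cer') {
    throw "Expected a .cer file, got '$($file.Name)'"
}

# Parse the file as X.509. This throws if the pasted text is truncated
# or otherwise not a valid certificate.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file.FullName

# Show exactly what is about to be distrusted.
$cert | Format-List Subject, Issuer, NotBefore, NotAfter, Thumbprint

# Compare against the thumbprint obtained out of band, ignoring spaces and case.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file contains $($cert.Thumbprint)"
}

# 'Disallowed' is the system name of the Untrusted Certificates store.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'Disallowed', 'CurrentUser'
$store.Open('ReadWrite')
try { $store.Add($cert) } finally { $store.Close() }

# Confirm the import took effect (the scripted version of Step 8).
$found = Get-ChildItem Cert:\CurrentUser\Disallowed |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $found) {
    throw 'Certificate not found in Untrusted Certificates after import'
}
"Distrusted: $($found.Subject)"
```

The script refuses to import anything whose thumbprint does not match, so a mistyped or tampered file never reaches the store.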

Securing Mozilla Firefox from the Fraudulent DigiNotar Certificate

Mozilla has been totally awesome and on the ball here and has released official instructions for deleting the DigiNotar Certificate. Or, read on.

Step 1

Click the Firefox button or Tools and choose Options. Go to Advanced > Encryption and click View Certificates.

Step 2

Click Authorities and click the Certificate Name column to sort it alphabetically.

Step 3

Scroll down to DigiNotar Root CA. Select it and click Delete or Distrust.

Revoking DigiNotar Certificate in OS X

These steps are the equivalent of the above for IE / Chrome, but for OS X. After completing these steps, you’ll receive a warning whenever a website is certified by DigiNotar, even if it’s not the bogus one we’ve pointed out. That’s actually not a bad idea since DigiNotar’s involvement with this whole mess puts them on serious notice.

Step 1

Go to Applications and choose Utilities. Launch Keychain Access.

Step 2

In the Keychains pane, select System Roots.

Step 3

Find the DigiNotar entry on the right-hand pane.

Step 4

Click the i icon on the status bar for more information.

Step 5

Expand the Trust section. Under When using this certificate, change it to Never Trust. Enter your system password if prompted.


Hope these tips help all you groovyReaders stay safe! Let us know if you come across any other safety measures or have anything else to report.

1 Comment

  1. profitable browser

    Amazing issues here. I am very happy to look at your article. Thanks so much, and I am looking ahead to contact you. Will you please drop me an e-mail?
