Besides the fraudulent security certificates Dutch authority DigiNotar issued for Google.com, more were made for Yahoo.com, Mozilla.org, torproject.org, wordpress.org and an Iranian blogging platform, Baladin, according to a Dutch report.
The report (Google Translate version) does not state how it came across the information that the additional sites were targeted, and neither DigiNotar, its parent Vasco, nor the target companies have confirmed they were targeted.
Kaspersky Lab antivirus researcher Roel Schouwenberg said that if these domains were targeted it would add further weight to the suspicion that “a specific government is behind this attack.”
“What's worrisome in this saga is DigiNotar's claim a "few dozen" rogue certificates were generated,” said Kaspersky’s Schouwenberg. “This is a particularly suspicious claim because at the same time Google has blocked over 200 rogue certificates. Something doesn't quite add up.”
An analysis by The Register of a hardcoded blacklist of SSL certificates in Google’s updated Chrome browser also suggested that there could be hundreds of affected domains other than Google.com.
The number one suspect is Iran, which was accused of being behind similar attacks on certificate authority Comodo in March.
Several calling cards left by hackers on DigiNotar’s website, discovered by security firm F-Secure, suggest that the certificate authority had been breached several times since 2009 by both Iranian and Turkish hacker groups.
Browser makers Microsoft, Mozilla and Google have all disabled DigiNotar-issued certificates in response to the breach, while open source operating system project Debian has also disabled the DigiNotar Root CA by default in its Network Security Services libraries.