Koen Rouwhorst

personal blog

No, the NSA was not behind the DigiNotar hack

Published on September 14, 2013

On Tuesday I found that former Dutch certificate authority DigiNotar, known for its security breach in 2011, was briefly mentioned in a Globo video report about NSA spying on Sunday. I documented the finding in a few tweets and put the four frames (of the same slide) that mentioned the name DigiNotar together in an album. Because the slide was only partly visible I had a difficult time making any sense of it. So, I wrote down what I considered to be plausible:

From the part of the text that is visible I suspect at least NSA's 'Flying Pig' was used in some investigation of the security breach.

Koen Rouwhorst on Twitter

A few days later, when the news had reached the other side of the Atlantic, crypto guru Bruce Schneier posted an article on how the NSA runs man-in-the-middle (MITM) attacks on the internet. In the next-to-last paragraph he mentioned the DigiNotar slide and wrote:

Another screenshot implies is that the 2011 DigiNotar hack was either the work of the NSA, or exploited by the NSA.

Bruce Schneier in Schneier on Security

I disagree, as do others. I don't think this partly visible slide implies either. Unfortunately, as long as the full text is not public and we don't see documents that prove otherwise, there will be speculation about NSA's involvement in the hack. Therefore, I analyzed the video one more time, frame by frame, to see whether I missed something. And yes, I did miss something, it turned out that I missed the very frame that revealed more of the contents:

Diginotar certificate authority compromise:

Private keys of legitimate certificate authority, Diginotar, stolen by hacker

FLYING PIG was used to identify a FIS using them to launch a MITM against


According to the slide depicted above, a GCHQ program called FLYING PIG (SSL profiling) was used to identify a foreign intelligence service ('FIS' in intelligence-speak) that used the stolen private keys to launch a man-in-the-middle attack. It's highly unlikely that the identified foreign intelligence service refers to the NSA, because both agencies are working together very closely. I think we can put the speculations to rest that the DigiNotar hack was either the work of the NSA, or exploited by the NSA. Though, I don't want to completely rule out that second possibility that the NSA or GCHQ exploited the hack to perform a MITM attack themselves, but there's absolutely no proof to be found in these slides.

In one of the first tweets I incorrectly stated that FLYING PIG was an NSA program. Yet I put "NSA" in the title of this article because the speculation on Twitter was revolving around the NSA.