VASCO Data Security International owned and ran DigiNotar for months. DigiNotar is a Dutch certificate authority that has faced a lot of hacking issues in recent times. This week, a great deal of information about the security breach at DigiNotar was made public. Here is a concise overview of the issues so far and their implications for Qt users.
At the time of this report, Qt has blacklisted the fake *.google.com certificate for its 4.7 and upcoming versions such as 4.8 and 5.0. Nevertheless, there are probably many more fake certificates out there, because about 247 certificates have been blacklisted by Google Chrome. The issue looks even more dangerous because there is no detailed list of issued certificates as of now.
The reading of root certificates from the system has commenced, so this Qt version would not trust any certificate issued by DigiNotar.
Qt version 4.6 does not contain any DigiNotar certificate, so users need not be worried as they are completely safe.
The question now is: "Will the removal of the affected DigiNotar root certificate solve the problem?" This is a million-dollar question because DigiNotar has some "cross-signed" certificates, i.e. intermediate certificates which are owned by DigiNotar but signed by another certificate authority. Removing the DigiNotar root certificate from the root store does not affect these certificates, and since there is no detailed compilation of issued certificates, we do not know the implications of this situation. We have to keep our fingers crossed, as it remains to be seen whether removing the DigiNotar root certificate was enough to contain the entire situation.
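The cross-signing problem described above can be seen in a small path-building model. This is an added example, not Qt's code: certificates are reduced to subject/issuer name pairs with no signatures, all names are constructed sample data ("Other Root CA" is a hypothetical cross-signer), and the name-based block list is an assumed mitigation used only for illustration.

```cpp
#include <iostream>
#include <map>
#include <set>
#include <string>

// Simplified certificate: names only, no real signatures (constructed model).
struct Cert { std::string subject, issuer; };

// Every certificate available for path building, keyed by subject. One subject
// can appear twice: as a self-signed root and as a cross-signed intermediate.
using Pool = std::multimap<std::string, Cert>;
using Names = std::set<std::string>;

// True if `cert` chains to a self-signed certificate listed in `trusted`
// without passing through any subject listed in `blocked`.
bool chainsToTrust(const Cert& cert, const Pool& pool, const Names& trusted,
                   const Names& blocked, int depth = 0) {
    if (depth > 8 || blocked.count(cert.subject)) return false;
    if (cert.subject == cert.issuer) return trusted.count(cert.subject) > 0;
    auto range = pool.equal_range(cert.issuer);
    for (auto it = range.first; it != range.second; ++it)
        if (chainsToTrust(it->second, pool, trusted, blocked, depth + 1))
            return true;
    return false;
}

// Constructed sample data; "Other Root CA" is a hypothetical cross-signer.
Pool samplePool() {
    Pool pool;
    for (const Cert& c : {Cert{"DigiNotar Root CA", "DigiNotar Root CA"},
                          Cert{"DigiNotar Root CA", "Other Root CA"},
                          Cert{"Other Root CA", "Other Root CA"}})
        pool.insert({c.subject, c});
    return pool;
}

Cert sampleLeaf() { return {"www.example.test", "DigiNotar Root CA"}; }

int main() {
    const Pool pool = samplePool();
    const Cert leaf = sampleLeaf();
    std::cout << "both roots trusted:       "
              << chainsToTrust(leaf, pool, {"DigiNotar Root CA", "Other Root CA"}, {}) << '\n';
    std::cout << "DigiNotar root removed:   "
              << chainsToTrust(leaf, pool, {"Other Root CA"}, {}) << '\n';
    std::cout << "removed and name blocked: "
              << chainsToTrust(leaf, pool, {"Other Root CA"}, {"DigiNotar Root CA"}) << '\n';
}
```

In this model the leaf still validates after the root is removed, because the cross-signed copy leads to the other trusted root; only rejecting the name anywhere in the chain closes that path.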