Because the Google certificate that prompted DigiNotar to acknowledge the intrusion was obtained before most of the others, Markham speculated that there had actually been two separate attacks, perhaps by different groups.

"It is at least possible (but entirely speculative) that an initial competent attacker has had access to [DigiNotar's] systems for an unknown amount of time, and a second attacker gained access more recently and their less-subtle, bull-in-a-china shop approach in issuing the [hundreds of] certificates triggered the alarms," he said.

Last week, Helsinki-based antivirus company F-Secure said it had found signs that DigiNotar's network had been compromised as early as .

Mozilla will update Firefox 6 and Firefox 3.6 on Tuesday to permanently block all DigiNotar-issued certificates, including those used by the Dutch government.

On Saturday to do the same.