[conspire] Fraudulent SSL certs for *.google.com from DigiNotar

Rick Moen rick at linuxmafia.com
Mon Aug 29 20:38:15 PDT 2011


Hullo, what have we here? 
https://blog.mozilla.com/security/2011/08/29/fraudulent-google-com-certificate/

   Fraudulent *.google.com Certificate
   08.29.11 - 02:59pm

   Mozilla was informed today about the issuance of at least one
   fraudulent SSL certificate for public websites belonging to Google, Inc.
   This is not a Firefox-specific issue, and the certificate has now been
   revoked by its issuer, DigiNotar. This should protect most users.
   [...]

   Because the extent of the mis-issuance is not clear, we are releasing
   new versions of Firefox for desktop (3.6.21, 6.0.1, 7, 8, and 9) and
   mobile (6.0.1, 7, 8, and 9), Thunderbird (3.1.13, and 6.0.1) and
   SeaMonkey (2.3.2) shortly that will revoke trust in the DigiNotar root
   and protect users from this attack. We encourage all users to keep their
   software up-to-date by regularly applying security updates. Users can
   also manually disable the DigiNotar root through the Firefox
   preferences.


Preferences, Advanced, Encryption tab, View Certificates.  Authorities
tab (showing a scrolling list of Certificate Authorities = CAs whose 
signatures of SSL certs Firefox is prepared to trust).  Scroll down to
DigiNotar, which has one entry:

    Certificate Name              Security Device
    DigiNotar Root CA             Builtin Object Token

Select 'Delete'.  


DigiNotar is a CA in the Netherlands.  News story:
http://www.theregister.co.uk/2011/08/29/fraudulent_google_ssl_certificate/

  Statements issued by Google and Mozilla shortly after this article was
  first published indicate a growing mistrust of DigiNotar, which in
  January was acquired by VASCO Data Security, a maker of two-factor
  tokens and other authentication products.

  "While we investigate, we plan to block any sites whose certificates
  were signed by DigiNotar," a statement issued by Google announced.


VASCO Data Security is in Illinois.

There are a lot of wild accusations flying about claiming that unstated
Iranian interests produced the phony DigiNotar-attested cert, which
seems completely non-credible.  The only thing Iranian in this picture
is the good guy, an Iranian going by the name 'Alibo', who reported the
forgery in a GMail help forum over the weekend.

https://www.google.com/support/forum/p/gmail/thread?tid=2da6158b094b225a&hl=en

However, this incident comes hard on the heels of a CA named Comodo
making a much worse gaffe, attesting to nine fraudulent SSL certs for
such sites as Google, Yahoo, Skype and Microsoft's Hotmail, for which a
pseudonymous Iranian claimed responsibility:
http://pastebin.com/74KXCaEZ

Anyway, more than sufficient reason to delete Comodo's CA entries, too.

More usefully, that's more than sufficient reason to break the habit of
trusting SSL certs just because some goofball firm you've never heard of
signed them for money.  Consider CertWatch:  http://certwatch.simos.info/
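
Added example, not part of the original post and not CertWatch's code: a small Python sketch of not relying on the CA signature alone, by flagging issuers the reader has chosen to distrust and by remembering the certificate first seen for each host. The class and function names, the host name and the sample data are assumptions made for illustration; the certificate dicts follow the shape returned by ssl.SSLSocket.getpeercert().

```python
import hashlib

# CA names the reader has decided to distrust (the two named in the post above).
DISTRUSTED_ISSUERS = ("DigiNotar", "Comodo")


def issuer_names(cert):
    """Flatten the 'issuer' field of a getpeercert()-style dict into its values."""
    return [value for rdn in cert.get("issuer", ()) for (_key, value) in rdn]


class CertMemory:
    """Remember the certificate first seen per host and report later changes."""

    def __init__(self):
        self.seen = {}  # host -> SHA-256 hex digest of the DER certificate

    def check(self, host, der_bytes, cert):
        findings = []
        for name in issuer_names(cert):
            if any(bad.lower() in name.lower() for bad in DISTRUSTED_ISSUERS):
                findings.append("distrusted issuer: " + name)
        fingerprint = hashlib.sha256(der_bytes).hexdigest()
        # setdefault stores the fingerprint on first sight, else returns the old one.
        if self.seen.setdefault(host, fingerprint) != fingerprint:
            # A legitimate renewal also lands here; the point is that a person looks.
            findings.append("certificate changed since first seen")
        return findings


# Constructed sample data (not real certificates): the byte strings stand in
# for DER encodings, and "Example Trust CA" is a made-up issuer.
GOOD = (b"constructed-der-A",
        {"issuer": ((("organizationName", "Example Trust CA"),),
                    (("commonName", "Example Trust CA Root"),))})
ROGUE = (b"constructed-der-B",
         {"issuer": ((("organizationName", "DigiNotar"),),
                     (("commonName", "DigiNotar Root CA"),))})

if __name__ == "__main__":
    memory = CertMemory()
    for der, cert in (GOOD, GOOD, ROGUE):
        print(memory.check("mail.example.test", der, cert))
```

On a live connection, the same inputs would come from getpeercert() and getpeercert(binary_form=True) on the TLS socket.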




