[conspire] Fraudulent SSL certs for *.google.com from DigiNotar
rick at linuxmafia.com
Mon Aug 29 20:38:15 PDT 2011
Hullo, what have we here?
Fraudulent *.google.com Certificate
08.29.11 - 02:59pm
Mozilla was informed today about the issuance of at least one
fraudulent SSL certificate for public websites belonging to Google, Inc.
This is not a Firefox-specific issue, and the certificate has now been
revoked by its issuer, DigiNotar. This should protect most users.
Because the extent of the mis-issuance is not clear, we are releasing
new versions of Firefox for desktop (3.6.21, 6.0.1, 7, 8, and 9) and
mobile (6.0.1, 7, 8, and 9), Thunderbird (3.1.13, and 6.0.1) and
SeaMonkey (2.3.2) shortly that will revoke trust in the DigiNotar root
and protect users from this attack. We encourage all users to keep their
software up-to-date by regularly applying security updates. Users can
also manually disable the DigiNotar root through the Firefox
Preferences, Advanced, Encryption tab, View Certificates. Authorities
tab (showing a scrolling list of Certificate Authorities = CAs whose
signatures of SSL certs Firefox is prepared to trust). Scroll down to
DigiNotar, which has one entry:
Certificate Name Security Device
DigiNotar Root CA Builtin Object Token
DigiNotar is a CA in the Netherlands. News story:
Statements issued by Google and Mozilla shortly after this article was
first published indicate a growing mistrust of DigiNotar, which in
January was acquired by VASCO Data Security, a maker of two-factor
tokens and other authentication products.
"While we investigate, we plan to block any sites whose certificates
were signed by DigiNotar," a statement issued by Google announced.
VASCO Data Security is in Illinois.
There are a lot of wild accusations flying about claiming that unstated
Iranian interests produced the phony DigiNotar-attested cert, which
seems completely non-credible. The only thing Iranian in this picture
is the good guy, an Iranian going by the name 'Alibo', who reported the
forgery in a GMail help forum over the weekend.
However, this incident comes hard on the heels of a CA named Comodo
making a much worse gaffe, attesting to nine fraudulent SSL certs for
such sites as Google, Yahoo, Skype and Microsoft's Hotmail, for which a
pseudonymous Iranian claimed responsibility:
Anyway, more than sufficient reason to delete Commodo's CA entries, too.
More usefully, that's more than sufficient reason to break the habit of
trusting SSL certs just because some goofball firm you've never heard of
signed it for money. Consider CertWatch: http://certwatch.simos.info/
More information about the conspire