[conspire] Fraudulent SSL certs for *.google.com from DigiNotar

Edward Cherlin echerlin at gmail.com
Mon Aug 29 21:54:56 PDT 2011

On Mon, Aug 29, 2011 at 23:38, Rick Moen <rick at linuxmafia.com> wrote:
> Hullo, what have we here?
> https://blog.mozilla.com/security/2011/08/29/fraudulent-google-com-certificate/
>   Fraudulent *.google.com Certificate
>   08.29.11 - 02:59pm
>   Mozilla was informed today about the issuance of at least one
>   fraudulent SSL certificate for public websites belonging to Google, Inc.
>   This is not a Firefox-specific issue, and the certificate has now been
>   revoked by its issuer, DigiNotar. This should protect most users.
>   [...]
>   Because the extent of the mis-issuance is not clear, we are releasing
>   new versions of Firefox for desktop (3.6.21, 6.0.1, 7, 8, and 9) and
>   mobile (6.0.1, 7, 8, and 9), Thunderbird (3.1.13, and 6.0.1) and
>   SeaMonkey (2.3.2) shortly that will revoke trust in the DigiNotar root
>   and protect users from this attack. We encourage all users to keep their
>   software up-to-date by regularly applying security updates. Users can
>   also manually disable the DigiNotar root through the Firefox
>   preferences.
> Preferences, Advanced, Encryption tab, View Certificates.  Authorities
> tab (showing a scrolling list of Certificate Authorities = CAs whose
> signatures of SSL certs Firefox is prepared to trust).  Scroll down to
> DigiNotar, which has one entry:
>    Certificate Name              Security Device
>    DigiNotar Root CA             Builtin Object Token
> Select 'Delete'.
> DigiNotar is a CA in the Netherlands.  News story:
> http://www.theregister.co.uk/2011/08/29/fraudulent_google_ssl_certificate/
>  Statements issued by Google and Mozilla shortly after this article was
>  first published indicate a growing mistrust of DigiNotar, which in
>  January was acquired by VASCO Data Security, a maker of two-factor
>  tokens and other authentication products.
>  "While we investigate, we plan to block any sites whose certificates
>  were signed by DigiNotar," a statement issued by Google announced.
> VASCO Data Security is in Illinois.
> There are a lot of wild accusations flying about claiming that unstated
> Iranian interests produced the phony DigiNotar-attested cert, which
> seems completely non-credible.  The only thing Iranian in this picture
> is the good guy, an Iranian going by the name 'Alibo', who reported the
> forgery in a GMail help forum over the weekend.
> https://www.google.com/support/forum/p/gmail/thread?tid=2da6158b094b225a&hl=en
> However, this incident comes hard on the heels of a CA named Comodo
> making a much worse gaffe, attesting to nine fraudulent SSL certs for
> such sites as Google, Yahoo, Skype and Microsoft's Hotmail, for which a
> pseudonymous Iranian claimed responsibility:
> http://pastebin.com/74KXCaEZ
> Anyway, more than sufficient reason to delete Comodo's CA entries, too.
> More usefully, that's more than sufficient reason to break the habit of
> trusting SSL certs just because some goofball firm you've never heard of
> signed it for money.  Consider CertWatch:  http://certwatch.simos.info/

Thanks, Rick. Clear and concise as usual, and extremely helpful. I had
part of the story from my son Clement earlier, but this makes much
more sense than what had come to him.

I am personally running nightly builds of Aurora, because of massive
memory leaks ("zombie compartments" for JavaScript) in Firefox. 9.0a1
just popped up while I was writing this. I'll install it right after I
click Send.

On an almost, but not quite completely unrelated note, does anybody
remember the skrode rider in Fire Upon the Deep commenting on Pham
Nuyen's touchingly naive trust in public key cryptography (in the near
vicinity of weakly-Godlike Powers in the Transcend)? The skrode rider
couple was in the business of bulk transport of one-third unXORs of
one-time pads, and their cargo had just lost all value through contact
with puppets of the Ancient Evil when...but that would be telling.
Also Vinge nails the vagaries of a Galaxy-spanning Usenet.

Or the takedown of a major CA, Credit Suisse, in Rainbows End, just to
get at a wascally wabbit?

Edward Mokurai (默雷/धर्ममेघशब्दगर्ज/دھرممیگھشبدگر ج) Cherlin
Silent Thunder is my name, and Children are my nation.
The Cosmos is my dwelling place, the Truth my destination.
