Fraudulent SSL certificate belonging to Google has been issued

A fraudulent SSL certificate for websites belonging to Google has been issued. This is not a Firefox-specific issue, and the certificate has now been canceled, which should protect most people.

Iranian Man-in-the-Middle Attack Against Google Demonstrates Dangerous Weakness of Certificate Authorities.

http://www.microsoft.com/technet/security/advisory/2607712.mspx

Iranian government is on the attack again?

Especially when nobody notices the fraudulent issue for 40-odd days. 88)

We are thinking about putting Hard Fail on Comodo Dragon by default for all Comodo certificates.

Sorry for my ignorance, what is “Hard Fail”?

https://forums.comodo.com/news-announcements-feedback-cd/hard-fail-ocsp-in-comodo-dragon-t75880.0.html;msg543201#msg543201

Thank you!
Can this be addressed at the CA/Browser Forum, too?

Could a poisoning attack make a client receive a “false” status from an already issued hacked certificate?

Exactly. The whole system must be rethought…

It actually goes back two years!

Re: Iranian government is on the attack again?

This is Opera’s point of view:

Opera does not require a fix for this issue. Opera always verifies that certificates are not revoked, and unlike other browsers Opera does not display sites as secure if access to revocation servers has been blocked by an attacker. Read more about this issue on the Security Group blog.
Src: Opera 11.51 released.

Opera will monitor the situation with DigiNotar according to Yngve Nysæter Pettersen (lead developer for security code)

The problem is currently handled by the standard revocation systems, OCSP and CRLs. We are continuing to evaluate the situation regarding DigiNotar, and may take steps regarding the trust settings for this Root.

I’m not quite sure which browsers he’s referring to in his comments, although I’d take a stab at IE. Chrome supports certificate pinning and HSTS preloading. Firefox supports OCSP as well as the older CRL methods, and HSTS.

Fundamentally, there are few differences between the browsers with regard to certificate verification, which is predominantly locked into 1990s technology, and it’s really about time serious change occurred in the way things are done. Potentially, DNSSEC will help, but it’s by no means a panacea.

This is an enlightening read about the state of Certificate Revocation Lists and the Online Certificate Status Protocol, both of which are seriously flawed technologies.

Edit: I forgot to post the link 88)

OCSP is not flawed as a technology. It’s just not implemented fully… It should be “hard fail” in all browsers by default; then it will be a good technology.
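To make the “hard fail” versus “soft fail” distinction from the posts above concrete, and to answer the earlier question about whether a “false” status could be slipped to a client, here is an added toy model of a browser’s revocation check. It is not code from the forum, from Comodo Dragon or from any browser. It assumes a single OCSP-style responder whose signature is stood in for by HMAC-SHA256 under a constructed shared key (real OCSP responses carry an asymmetric signature over DER, but the decision logic is the same), a freshness window given by produced_at and next_update, and two client policies: SOFT_FAIL treats any unusable status as “good”, HARD_FAIL treats it as a connection failure. All serials, timestamps and keys are constructed.

```python
import hashlib
import hmac
import json
from enum import Enum

# Constructed stand-in for the OCSP responder's signing key. Real OCSP
# responses carry an asymmetric signature; HMAC-SHA256 with a shared secret
# models "only the responder can produce a valid response" offline.
RESPONDER_KEY = b"constructed-responder-key-not-a-real-secret"


class Policy(Enum):
    SOFT_FAIL = "soft"  # no usable status -> proceed as if good
    HARD_FAIL = "hard"  # no usable status -> treat as a connection failure


class Verdict(Enum):
    ACCEPT = "accept"
    REJECT_REVOKED = "reject: certificate revoked"
    REJECT_NO_STATUS = "reject: no trustworthy revocation status"


def _canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_status(serial: str, status: str, produced_at: int, next_update: int,
                key: bytes = RESPONDER_KEY) -> dict:
    """Responder side: build a signed status message for one certificate serial."""
    body = {"serial": serial, "status": status,
            "produced_at": produced_at, "next_update": next_update}
    mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def verify_response(resp, serial: str, now: int, key: bytes = RESPONDER_KEY):
    """Client side: return 'good' or 'revoked', or None when the response cannot
    be trusted (missing, tampered, about another serial, stale or replayed)."""
    if resp is None:
        return None  # responder unreachable or blocked on the network
    body = resp.get("body")
    if not isinstance(body, dict):
        return None
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(resp.get("mac", ""))):
        return None  # forged, or modified in transit
    if body.get("serial") != serial:
        return None  # genuine response, but about a different certificate
    if not (body.get("produced_at", now + 1) <= now <= body.get("next_update", now - 1)):
        return None  # outside the validity window: stale or replayed
    status = body.get("status")
    return status if status in ("good", "revoked") else None


def decide(resp, serial: str, now: int, policy: Policy) -> Verdict:
    """Apply the client policy to whatever the verifier could establish."""
    status = verify_response(resp, serial, now)
    if status == "revoked":
        return Verdict.REJECT_REVOKED
    if status == "good":
        return Verdict.ACCEPT
    return Verdict.ACCEPT if policy is Policy.SOFT_FAIL else Verdict.REJECT_NO_STATUS


def run_scenarios(now: int = 1_000_000) -> dict:
    """Compare both policies across the situations discussed in the thread."""
    serial = "0xC0FFEE"  # constructed serial of the certificate being checked
    scenarios = {
        "fresh good": sign_status(serial, "good", now - 60, now + 3600),
        "fresh revoked": sign_status(serial, "revoked", now - 60, now + 3600),
        "responder blocked": None,
        "replayed old good": sign_status(serial, "good", now - 90_000, now - 86_000),
        "forged good": sign_status(serial, "good", now - 60, now + 3600, key=b"other-key"),
    }
    return {name: {p.value: decide(r, serial, now, p).value for p in Policy}
            for name, r in scenarios.items()}


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:>18}: soft={outcome['soft']:<42} hard={outcome['hard']}")
```

The point the table of outcomes makes: a forged or replayed “good” answer never verifies, so the responder’s signature and freshness window already stop a poisoned status; what they cannot stop is an attacker who simply blocks the responder, and under SOFT_FAIL that blocked lookup is indistinguishable from a fresh “good”. HARD_FAIL closes that gap at the cost of failing the connection whenever the responder is down, which is the availability trade-off the posters are weighing.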