Tuesday, August 30, 2011

Falsely issued Google SSL certificate in the wild for more than 5 weeks


Update: Mozilla have announced, out of an abundance of caution, that they are releasing new versions of Firefox, Firefox Mobile and Thunderbird that revoke trust in DigiNotar's root certificate, so that certificates it has signed are no longer accepted.

I presume this is because DigiNotar has not explained how the Google certificate was signed and to prevent further abuse. This could cause issues for websites that have purchased certificates from DigiNotar.

It remains to be seen whether other browsers will follow in Mozilla's footsteps, but it may be prudent to remove DigiNotar from your trusted certificates until there is further clarification.

Update 2: Google is following Mozilla's lead by marking DigiNotar as untrusted in the next release of Chrome OS (Chromium).

Original post: Reports surfaced this morning that accuse the government of Iran of trying to perform a man-in-the-middle attack against Google's SSL services.

A user named alibo on the Gmail forums posted a thread about receiving a warning that the SSL certificate for SSL-based Google services had been revoked.

The certificate in question was issued on July 10th by Dutch SSL certificate authority DigiNotar. DigiNotar revoked the certificate today at 16:59:03 GMT, but many browsers do not check for revoked certificates by default.

The certificate was valid for *.google.com, and it raises serious questions about who it was issued to and how it was signed.
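The trust-store point above, as an added example in Go using only the standard library (not code from the original post or from DigiNotar, Mozilla or Google): it mints a constructed, throw-away root CA and a *.google.com leaf signed by it, then verifies that leaf once with the CA in the trust store (accepted, which is exactly why a certificate like this is dangerous regardless of who holds it) and once after the CA has been removed (rejected, which is the effect of the browser updates described above). The CA name, the host name checked and the certificate lifetimes are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mintCert builds a throwaway certificate (constructed test data, not a real CA's):
// with parent == nil it is a self-signed root, otherwise a leaf signed by parent.
func mintCert(cn string, dns []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              dns,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// chainsFor reports whether leaf validates for host against the given trust store.
func chainsFor(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}
// Demo validates a *.google.com leaf from the rogue CA with that CA trusted, then with it removed.
func Demo() (trusted, removed bool) {
	ca, caKey := mintCert("Constructed Rogue Root CA", nil, nil, nil)
	leaf, _ := mintCert("*.google.com", []string{"*.google.com"}, ca, caKey)
	before := x509.NewCertPool()
	before.AddCert(ca) // the trust store as shipped before the distrust
	trusted = chainsFor(leaf, before, "mail.google.com")             // true: any trusted CA can vouch for any name
	removed = chainsFor(leaf, x509.NewCertPool(), "mail.google.com") // false: the CA is gone from the store
	return trusted, removed
}
```

Note that the first check passes even though nothing ties this CA to google.com, which is why a browser that trusts the CA but skips revocation checks would accept the rogue certificate silently.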

Read more: Naked Security
