MozillaZine

Fraudulent SSL certificate can be used to impersonate Google

User Help for Mozilla Firefox
tanstaafl
Moderator

Posts: 45412
Joined: July 30th, 2003, 5:06 pm

Post Posted August 29th, 2011, 5:08 pm

Yet another fraudulent SSL certificate has been found being used on the Internet. This time it's for Google, and it was issued July 10. It can be used for "man in the middle attacks", where whatever is sent and received is transparently intercepted and possibly modified, i.e. somebody could get your username/password and use it to log into your account.

"Initially, Comodo argued that Iran's government may have been involved in the theft. Days later, however, a solo Iranian hacker claimed responsibility for stealing the SSL certificates. Today, Kaspersky's Schouwenberg said "nation-state involvement is the most plausible explanation" for the acquisition of the DigiNotar-issued certificate." according to http://www.computerworld.com/s/article/ ... l_accounts

Some other news accounts are at http://www.theregister.co.uk/2011/08/29 ... rtificate/ and http://nakedsecurity.sophos.com/2011/08 ... n-5-weeks/

See http://support.mozilla.com/en-US/kb/del ... ar-ca-cert for how to delete the DigiNotar certificate. I assume the Firefox update will be released quickly; I don't know about one for Thunderbird. Last time they delayed a patch to deal with fraudulent SSL certificates until the next normally scheduled release.

note: this will be a sticky thread for 3 days

LoudNoise
New Member

Posts: 40048
Joined: October 18th, 2007, 1:45 pm
Location: Next door to the west

Post Posted August 29th, 2011, 5:13 pm

This will also impact Camino and SeaMonkey and most other browsers.
Post wrangler
"Choose between the Food Select Feature or other Functions. If no food or function is chosen, Toast is the default."

tanstaafl
Moderator

Posts: 45412
Joined: July 30th, 2003, 5:06 pm

Post Posted August 29th, 2011, 5:21 pm

I added a similar sticky thread for Camino and SeaMonkey Support. I already had created one for Thunderbird.

Gopher John

Posts: 1764
Joined: May 8th, 2008, 3:42 pm
Location: Northwest Ohio

Post Posted August 29th, 2011, 5:35 pm

LoudNoise wrote: This will also impact Camino and SeaMonkey and most other browsers.

The DigiNotar certificate also shows in Internet Explorer (there are two of them there), but not in Opera.
The significant problems we face cannot be solved at the same level of thinking we were at when we created them. - Albert Einstein

Night Wing

Posts: 179
Joined: August 20th, 2011, 5:18 am
Location: Texas

Post Posted August 30th, 2011, 4:51 am

tanstaafl,

Thank you for the heads up and the Mozilla link dealing with this fraudulent certificate. Being computer illiterate, the Mozilla link with its instructions and visual presentation was exactly what I needed to show me how to manually delete the DigiNotar bogus certificate from my Firefox, Pale Moon and SeaMonkey browsers, which I've already done.

Daifne
Moderator

Posts: 123050
Joined: July 31st, 2005, 9:17 pm
Location: Where the Waters Meet, Wisconsin

Post Posted August 30th, 2011, 1:06 pm

Interesting. My bank uses DigiNotar for its certificates. I'm trying to get through to them now. Time for them to change CAs.

James
Moderator

Posts: 27582
Joined: June 18th, 2003, 3:07 pm
Location: Made in Canada

Post Posted August 30th, 2011, 11:41 pm


James
Moderator

Posts: 27582
Joined: June 18th, 2003, 3:07 pm
Location: Made in Canada

Post Posted August 31st, 2011, 4:22 pm

And now Firefox 6.0.2 and 3.6.22 will be out soon to unblock some certificates that were accidentally blocked in 3.6.21 and 6.0.1.

Bug 683449 - DigiNotar patch erroneously blocks one of the two Staat der Nederlanden roots

https://wiki.mozilla.org/Releases/Firefox_3.6.22
https://wiki.mozilla.org/Releases/Firefox_6.0.2

Night Wing

Posts: 179
Joined: August 20th, 2011, 5:18 am
Location: Texas

Post Posted September 1st, 2011, 8:20 am

After "manually" distrusting/deleting the certificate two days ago, which made it disappear, I checked this morning and the company and its certificate are back. I'm running FF6, not (6.0.1). I didn't update to 6.0.1 because I thought manually deleting the certificate solved the problem. I know it's a built in object, but I feel uneasy when a fraudulent certificate "re-appears" out of the blue.

The way I look at it, this company has been hacked "twice" when it comes to trusted certificates and Mozilla shouldn't be allowing this company any access to Firefox.
Last edited by Night Wing on September 1st, 2011, 8:27 am, edited 1 time in total.

Night Wing

Posts: 179
Joined: August 20th, 2011, 5:18 am
Location: Texas

Post Posted September 1st, 2011, 8:24 am

double post.

tanstaafl
Moderator

Posts: 45412
Joined: July 30th, 2003, 5:06 pm

Post Posted September 1st, 2011, 8:57 am

I saw the same symptoms. I think somebody made a poor user interface design decision that makes you think you deleted the CA when you really just flagged it as untrustworthy.

Because the CA is built-in that button doesn't delete it, it just marks it as distrusted. If you select the certificate and press "edit trust" you should see that all of the checkmarks are unchecked. It would help if the summary had a column that identified which certificates are untrusted, but I haven't noticed them ever improve anything in the certificates user interface, it seems to be a backwater.
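One way to confirm the state tanstaafl describes from the command line, as an added example that is not part of this thread: NSS's `certutil -L -d sql:<profile-dir>` lists every certificate a Firefox profile knows about together with its trust flags, so a built-in root that was "deleted" in the UI still shows up, only with its trust removed or marked prohibited (`p`). The parser below runs over a constructed sample of that listing; the nicknames, the `Builtin Object Token:` prefix and the flag values are assumptions, not output captured from a real profile.

```python
import re
import sys

# Constructed sample of what `certutil -L -d sql:<profile-dir>` prints after
# a built-in root has been distrusted via "Edit Trust" (nicknames and flag
# values are assumed for illustration, not captured from a real profile).
SAMPLE_CERTUTIL_OUTPUT = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Builtin Object Token:DigiNotar Root CA                       p,p,p
Builtin Object Token:Staat der Nederlanden Root CA           C,C,C
Builtin Object Token:Some Other Root                         ,,
"""

HEADER_RE = re.compile(r"^\s*(Certificate Nickname|SSL,S/MIME)")
# nickname, at least two spaces, then three comma-separated flag slots
ROW_RE = re.compile(r"^(?P<nick>.+?)\s{2,}(?P<flags>[pPcTCuw]*,[pPcTCuw]*,[pPcTCuw]*)\s*$")


def trust_state(flags: str) -> str:
    """Classify one NSS trust string such as 'p,p,p', 'C,C,C' or ',,'.

    p = prohibited (explicitly distrusted), C/T = trusted CA for server/client
    certs, c = valid CA with no trust, empty slot = no trust for that usage.
    """
    slots = flags.split(",")
    if any("p" in s for s in slots):
        return "distrusted"
    if any("C" in s or "T" in s for s in slots):
        return "trusted"
    return "untrusted"


def parse_certutil(output: str) -> dict:
    """Return {nickname: flags} for every certificate row in certutil -L output."""
    rows = {}
    for line in output.splitlines():
        if not line.strip() or HEADER_RE.match(line):
            continue
        match = ROW_RE.match(line)
        if match:
            rows[match.group("nick")] = match.group("flags")
    return rows


def still_trusted(output: str, name_fragment: str) -> list:
    """Nicknames containing name_fragment that are still trusted for any usage."""
    return sorted(nick for nick, flags in parse_certutil(output).items()
                  if name_fragment.lower() in nick.lower()
                  and trust_state(flags) == "trusted")


if __name__ == "__main__":
    # Pipe real `certutil -L` output in, or run without input to use the sample.
    listing = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CERTUTIL_OUTPUT
    for nick, flags in parse_certutil(listing).items():
        print(f"{trust_state(flags):10} {flags:8} {nick}")
```

An empty result from `still_trusted(listing, "diginotar")` is the check that matters: the root is still listed, as the thread observes, but no longer trusted for any usage.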

Dretlytokhero
Guest
Post Posted September 8th, 2011, 11:13 am

learned a lot

Amsterdammer

Posts: 752
Joined: July 7th, 2005, 1:10 pm
Location: Amsterdam, The Netherlands

Post Posted September 21st, 2011, 2:45 pm


Gopher John

Posts: 1764
Joined: May 8th, 2008, 3:42 pm
Location: Northwest Ohio

Post Posted September 28th, 2011, 2:43 pm

Why are DigiNotar certificates in Firefox 7 release? I would have thought that they would be removed or untrusted.

KWierso
Posts: 8831
Joined: May 7th, 2006, 10:29 pm
Location: California

Post Posted September 28th, 2011, 2:54 pm

They're in there so they can be marked as Untrusted. For me (In Firefox 10), if you choose one of the Diginotar certificates and click "Edit Trust", they're marked as "Do not trust the authenticity of this certificate".
