Fraudulent SSL certificate can be used to impersonate Google
- tanstaafl
- Moderator
- Posts: 49647
- Joined: July 30th, 2003, 5:06 pm
Fraudulent SSL certificate can be used to impersonate Google
Yet another fraudulent SSL certificate has been found being used on the Internet. This time it's for Google, and was issued July 10. It can be used for "man in the middle attacks", where whatever is sent and received is transparently intercepted and possibly modified, i.e., somebody could get your username/password and use it to log into your account.
"Initially, Comodo argued that Iran's government may have been involved in the theft. Days later, however, a solo Iranian hacker claimed responsibility for stealing the SSL certificates. Today, Kaspersky's Schouwenberg said "nation-state involvement is the most plausible explanation" for the acquisition of the DigiNotar-issued certificate." according to http://www.computerworld.com/s/article/ ... l_accounts
Some other news accounts are at http://www.theregister.co.uk/2011/08/29 ... rtificate/ and http://nakedsecurity.sophos.com/2011/08 ... n-5-weeks/
See http://support.mozilla.com/en-US/kb/del ... ar-ca-cert for how to delete the DigiNotar certificate. I assume the Firefox update will be released quickly; I don't know about one for Thunderbird. Last time they delayed a patch to deal with fraudulent SSL certificates until the next normally scheduled release.
note: this will be a sticky thread for 3 days
- LoudNoise
- New Member
- Posts: 39900
- Joined: October 18th, 2007, 1:45 pm
- Location: Next door to the west
Re: Fraudulent SSL certificate can be used to impersonate Go
This will also impact Camino and SeaMonkey and most other browsers.
Post wrangler
"Choose between the Food Select Feature or other Functions. If no food or function is chosen, Toast is the default."
- tanstaafl
- Moderator
- Posts: 49647
- Joined: July 30th, 2003, 5:06 pm
Re: Fraudulent SSL certificate can be used to impersonate Go
I added a similar sticky thread for Camino and SeaMonkey Support. I already had created one for Thunderbird.
- Gopher John
- Posts: 1764
- Joined: May 8th, 2008, 3:42 pm
- Location: Northwest Ohio
Re: Fraudulent SSL certificate can be used to impersonate Go
LoudNoise wrote: This will also impact Camino and SeaMonkey and most other browsers.
The DigiNotar certificate also shows in Internet Explorer (there are two of them there), but not in Opera.
The significant problems we face cannot be solved at the same level of thinking we were at when we created them. - Albert Einstein
- Night Wing
- Posts: 179
- Joined: August 20th, 2011, 5:18 am
- Location: Texas
Re: Fraudulent SSL certificate can be used to impersonate Go
tanstaafl,
Thank you for the heads up and the Mozilla link dealing with this fraudulent certificate. Being computer illiterate, the Mozilla link with its instructions and visual presentation was exactly what I needed to show me how to manually delete the DigiNotar bogus certificate from my Firefox, Pale Moon and SeaMonkey browsers, which I've already done.
- Daifne
- Moderator
- Posts: 123071
- Joined: July 31st, 2005, 9:17 pm
- Location: Where the Waters Meet, Wisconsin
Re: Fraudulent SSL certificate can be used to impersonate Go
Interesting. My bank uses DigiNotar for its certificates. I'm trying to get through to them now. Time for them to change CAs.
- James
- Moderator
- Posts: 28007
- Joined: June 18th, 2003, 3:07 pm
- Location: Made in Canada
Re: Fraudulent SSL certificate can be used to impersonate Go
And now Firefox 6.0.2 and 3.6.22 will be out soon to unblock some certificates that were accidentally blocked in 3.6.21 and 6.0.1.
Bug 683449 - DigiNotar patch erroneously blocks one of the two Staat der Nederlanden roots
https://wiki.mozilla.org/Releases/Firefox_3.6.22
https://wiki.mozilla.org/Releases/Firefox_6.0.2
- Night Wing
- Posts: 179
- Joined: August 20th, 2011, 5:18 am
- Location: Texas
Re: Fraudulent SSL certificate can be used to impersonate Go
After "manually" distrusting/deleting the certificate two days ago, which made it disappear, I checked this morning and the company and its certificate are back. I'm running FF6, not 6.0.1. I didn't update to 6.0.1 because I thought manually deleting the certificate solved the problem. I know it's a built-in object, but I feel uneasy when a fraudulent certificate "re-appears" out of the blue.
The way I look at it, this company has been hacked "twice" when it comes to trusted certificates and Mozilla shouldn't be allowing this company any access to Firefox.
Last edited by Night Wing on September 1st, 2011, 8:27 am, edited 1 time in total.
- tanstaafl
- Moderator
- Posts: 49647
- Joined: July 30th, 2003, 5:06 pm
Re: Fraudulent SSL certificate can be used to impersonate Go
I saw the same symptoms. I think somebody made a poor user interface design decision that makes you think you deleted the CA when you really just flagged it as untrustworthy.
Because the CA is built-in, that button doesn't delete it; it just marks it as distrusted. If you select the certificate and press "edit trust" you should see that all of the checkmarks are unchecked. It would help if the summary had a column that identified which certificates are untrusted, but I haven't noticed them ever improve anything in the certificates user interface; it seems to be a backwater.
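How the "untrusted" flag tanstaafl describes actually blocks a rogue certificate, as an added example that is not from this thread or from Mozilla's code: a chain is rejected whenever any CA above the leaf is on a distrust list, so a certificate chained to DigiNotar fails even though the DigiNotar root stays in the store. All certificate names are constructed sample data in the RDN tuple layout Python's ssl.getpeercert() uses.

```python
# Added example, not from the thread or Mozilla's code: how an "untrusted" flag on a
# built-in root behaves. Names use ssl.getpeercert()'s RDN tuple layout; all certs here
# are constructed sample data.
DISTRUSTED_CAS = {"DigiNotar Root CA"}  # assumption: distrust is keyed on the CA's CN

def common_name(rdn_seq):
    """Return the commonName from ((('commonName', 'x'),), ...) or None."""
    for rdn in rdn_seq:
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None

def build_chain(leaf, store):
    """Follow issuer -> subject links from the leaf up to a self-signed root."""
    chain, seen = [leaf], {common_name(leaf["subject"])}
    while True:
        cur = chain[-1]
        issuer_cn = common_name(cur["issuer"])
        if issuer_cn == common_name(cur["subject"]):
            return chain  # self-signed: stop here
        nxt = store.get(issuer_cn)
        if nxt is None or issuer_cn in seen:
            return chain  # unknown issuer or loop: chain is incomplete
        seen.add(issuer_cn)
        chain.append(nxt)

def check_chain(leaf, store, distrusted=DISTRUSTED_CAS):
    """(ok, reason): root must be in the store and no CA above the leaf distrusted."""
    chain = build_chain(leaf, store)
    root = chain[-1]
    root_cn = common_name(root["subject"])
    if common_name(root["issuer"]) != root_cn or store.get(root_cn) is not root:
        return False, "chain does not end in a root from the trust store"
    for ca in chain[1:]:  # the distrusted CA stays in the store; the chain fails
        cn = common_name(ca["subject"])
        if cn in distrusted:
            return False, f"issuer '{cn}' is marked untrusted"
    return True, "chain ok"

def name(cn):
    return ((("commonName", cn),),)

# Constructed trust store keyed by subject CN: two roots plus a DigiNotar intermediate.
STORE = {cn: {"subject": name(cn), "issuer": name(issuer)} for cn, issuer in [
    ("DigiNotar Root CA", "DigiNotar Root CA"),
    ("DigiNotar Public CA", "DigiNotar Root CA"),
    ("Example Trusted Root", "Example Trusted Root"),
]}
ROGUE_GOOGLE = {"subject": name("*.google.com"), "issuer": name("DigiNotar Public CA")}
LEGIT_SITE = {"subject": name("www.example.net"), "issuer": name("Example Trusted Root")}
```

Passing an empty distrust set shows the other side of the same point: with the flag cleared, the rogue chain validates again, which is why the root showing up in the list is not by itself a problem.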
- Gopher John
- Posts: 1764
- Joined: May 8th, 2008, 3:42 pm
- Location: Northwest Ohio
Re: Fraudulent SSL certificate can be used to impersonate Go
Why are DigiNotar certificates in Firefox 7 release? I would have thought that they would be removed or untrusted.
The significant problems we face cannot be solved at the same level of thinking we were at when we created them. - Albert Einstein
-
- Posts: 8829
- Joined: May 7th, 2006, 10:29 pm
- Location: California
Re: Fraudulent SSL certificate can be used to impersonate Go
They're in there so they can be marked as Untrusted. For me (in Firefox 10), if you choose one of the DigiNotar certificates and click "Edit Trust", they're marked as "Do not trust the authenticity of this certificate".