Fraudulent SSL certificate can be used to impersonate Google

tanstaafl
Moderator
Posts: 49647
Joined: July 30th, 2003, 5:06 pm

Post by tanstaafl »

Yet another fraudulent SSL certificate has been found being used on the Internet. This time it's for Google, and was issued July 10. It can be used for "man in the middle attacks", where whatever is sent and received is transparently intercepted and possibly modified. I.e., somebody could get your username/password and use it to log into your account.

"Initially, Comodo argued that Iran's government may have been involved in the theft. Days later, however, a solo Iranian hacker claimed responsibility for stealing the SSL certificates. Today, Kaspersky's Schouwenberg said "nation-state involvement is the most plausible explanation" for the acquisition of the DigiNotar-issued certificate." according to http://www.computerworld.com/s/article/ ... l_accounts

Some other news accounts are at http://www.theregister.co.uk/2011/08/29 ... rtificate/ and http://nakedsecurity.sophos.com/2011/08 ... n-5-weeks/

See http://support.mozilla.com/en-US/kb/del ... ar-ca-cert for how to delete the DigiNotar certificate. I assume the Firefox update will be released quickly; I don't know about one for Thunderbird. Last time they delayed a patch to deal with fraudulent SSL certificates until the next normally scheduled release.

Note: this will be a sticky thread for 3 days.
LoudNoise
New Member
Posts: 39900
Joined: October 18th, 2007, 1:45 pm
Location: Next door to the west

Re: Fraudulent SSL certificate can be used to impersonate Go

Post by LoudNoise »

This will also impact Camino and SeaMonkey and most other browsers.
Post wrangler
"Choose between the Food Select Feature or other Functions. If no food or function is chosen, Toast is the default."
tanstaafl
Moderator
Posts: 49647
Joined: July 30th, 2003, 5:06 pm

Re: Fraudulent SSL certificate can be used to impersonate Go

Post by tanstaafl »

I added a similar sticky thread for Camino and SeaMonkey Support. I already had created one for Thunderbird.
Gopher John
Posts: 1764
Joined: May 8th, 2008, 3:42 pm
Location: Northwest Ohio

Re: Fraudulent SSL certificate can be used to impersonate Go

Post by Gopher John »

LoudNoise wrote: This will also impact Camino and SeaMonkey and most other browsers.


The DigiNotar certificate also shows in Internet Explorer (there are two of them there), but not in Opera.
The significant problems we face cannot be solved at the same level of thinking we were at when we created them. - Albert Einstein
Night Wing
Posts: 179
Joined: August 20th, 2011, 5:18 am
Location: Texas

Re: Fraudulent SSL certificate can be used to impersonate Go

Post by Night Wing »

tanstaafl,

Thank you for the heads up and the Mozilla link dealing with this fraudulent certificate. Being computer illiterate, the Mozilla link with its instructions and visual presentation was exactly what I needed to show me how to manually delete the DigiNotar bogus certificate from my Firefox, Pale Moon and SeaMonkey browsers, which I've already done.
Daifne
Moderator
Posts: 123071
Joined: July 31st, 2005, 9:17 pm
Location: Where the Waters Meet, Wisconsin

Re: Fraudulent SSL certificate can be used to impersonate Go

Post by Daifne »

Interesting. My bank uses DigiNotar for its certificates. I'm trying to get through to them now. Time for them to change CAs.
James
Moderator
Posts: 28007
Joined: June 18th, 2003, 3:07 pm
Location: Made in Canada

Re: Fraudulent SSL certificate can be used to impersonate Go

Post by James »

And now Firefox 6.0.2 and 3.6.22 will be out soon to unblock some certificates that were accidentally blocked in 3.6.21 and 6.0.1.

Bug 683449 - DigiNotar patch erroneously blocks one of the two Staat der Nederlanden roots

https://wiki.mozilla.org/Releases/Firefox_3.6.22
https://wiki.mozilla.org/Releases/Firefox_6.0.2
Night Wing
Posts: 179
Joined: August 20th, 2011, 5:18 am
Location: Texas

Re: Fraudulent SSL certificate can be used to impersonate Go

Post by Night Wing »

After "manually" distrusting/deleting the certificate two days ago, which made it disappear, I checked this morning and the company and its certificate are back. I'm running FF6, not (6.0.1). I didn't update to 6.0.1 because I thought manually deleting the certificate solved the problem. I know it's a built-in object, but I feel uneasy when a fraudulent certificate "re-appears" out of the blue.

The way I look at it, this company has been hacked "twice" when it comes to trusted certificates and Mozilla shouldn't be allowing this company any access to Firefox.
Last edited by Night Wing on September 1st, 2011, 8:27 am, edited 1 time in total.
Night Wing
Posts: 179
Joined: August 20th, 2011, 5:18 am
Location: Texas

Re: Fraudulent SSL certificate can be used to impersonate Go

Post by Night Wing »

double post.
tanstaafl
Moderator
Posts: 49647
Joined: July 30th, 2003, 5:06 pm

Re: Fraudulent SSL certificate can be used to impersonate Go

Post by tanstaafl »

I saw the same symptoms. I think somebody made a poor user interface design decision that makes you think you deleted the CA when you really just flagged it as untrustworthy.

Because the CA is built-in, that button doesn't delete it; it just marks it as distrusted. If you select the certificate and press "edit trust" you should see that all of the checkmarks are unchecked. It would help if the summary had a column that identified which certificates are untrusted, but I haven't noticed them ever improve anything in the certificates user interface; it seems to be a backwater.
Dretlytokhero
Guest

very well

Post by Dretlytokhero »

learned a lot
Amsterdammer
Posts: 752
Joined: July 7th, 2005, 1:10 pm
Location: Amsterdam, The Netherlands

Re: Fraudulent SSL certificate can be used to impersonate Go

Post by Amsterdammer »

Gopher John
Posts: 1764
Joined: May 8th, 2008, 3:42 pm
Location: Northwest Ohio

Re: Fraudulent SSL certificate can be used to impersonate Go

Post by Gopher John »

Why are DigiNotar certificates in the Firefox 7 release? I would have thought that they would be removed or untrusted.
The significant problems we face cannot be solved at the same level of thinking we were at when we created them. - Albert Einstein
KWierso
Posts: 8829
Joined: May 7th, 2006, 10:29 pm
Location: California

Re: Fraudulent SSL certificate can be used to impersonate Go

Post by KWierso »

They're in there so they can be marked as Untrusted. For me (in Firefox 10), if you choose one of the DigiNotar certificates and click "Edit Trust", they're marked as "Do not trust the authenticity of this certificate".