Google exposed by fraudulent certificate

Powered by SC Magazine

Dutch company revokes bad certificate.

Update: A fraudulent digital certificate that allowed attackers to impersonate Google services and steal Google accounts, including Gmail, circulated for 40 days.

Dutch company DigiNotar issued the fraudulent *.google.com certificate early last month.

The certificate was revoked this morning.

The news first appeared on a Google forum where Iran-based user Alibo reported that Chrome had flagged a certificate warning when Gmail was accessed.

Google Chrome and Mozilla Firefox have since banned DigiNotar certificates.

Hours ago Microsoft issued a security advisory stating that it had removed the DigiNotar root certificate from its Certificate Trust List.

"Websites with certificates issued by DigiNotar will no longer be trusted by Windows Vista and newer versions. This protection is automatic and no customer action is required."

Alibo speculated that the fraudulent certificate was issued by the Iranian Government.

"This CA should receive an internet death sentence as their carelessness may have resulted in deaths in Iran," said an anonymous post which examined the certificate.

It was the second time in five months that fraudulent digital certificates had been issued for Google. In March, an Iranian man claimed responsibility for obtaining fraudulent certificates for Google, Yahoo, Skype and Hotmail from Comodo.

The breach strikes at the heart of the flawed digital certificate model. Security experts have voiced concerns about the model, which trusts more than 650 certificate authorities, and all major governments, to vouch for the identity of websites.

“A single site operator deciding who all their users are required to trust, particularly in this globalised world, doesn't feel quite right when it's the user's data — not the site operator's — that's at risk,” security researcher Moxie Marlinspike said.

“At the moment, if I decide that I don't trust VeriSign or Comodo or any other CA (Certificate Authority), what can I do? The very best I could do would be to remove the offending CA's certificate from my trusted CA database, but then some large percentage of secure sites I visit would break.”
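The trust failure described above, replayed in Go as an added example (this is not code from the article or from any of the companies named): two constructed root CAs are trusted equally, one of them issues a certificate for a placeholder hostname it has no relation to, a plain trust store accepts it, and the two remedies the article mentions, key pinning (the check Chrome applied to Google's own domains) and removing the rogue CA from the trust store, each reject it. The hostname, CA names and keys are all made up for the demonstration.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a test certificate for name, signed by parent; parent == nil yields a self-signed root CA.
func mkCert(name string, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), DNSNames: []string{name},
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil {
		parent, pkey = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	c, _ := x509.ParseCertificate(der)
	return c, key
}
func pin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) } // SPKI hash a pinning client stores
// verify mimics a browser: the leaf must chain to a trusted root and, if a pin is known for host, carry the pinned key.
func verify(leaf *x509.Certificate, roots *x509.CertPool, host string, pinned [32]byte) bool {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return false // no chain from this leaf to a trusted CA for this host
	}
	return pinned == ([32]byte{}) || pin(leaf) == pinned
}
// demo replays the incident: is the rogue leaf accepted by a store trusting every CA, rejected by pinning, rejected by distrust?
func demo() (plainAccepts, pinRejects, distrustRejects bool) {
	const host = "mail.example.test" // placeholder for the impersonated site
	goodCA, goodKey := mkCert("Legitimate Root CA", nil, nil)
	rogueCA, rogueKey := mkCert("Rogue Root CA", nil, nil)
	goodLeaf, _ := mkCert(host, goodCA, goodKey)   // the site's real certificate
	rogueLeaf, _ := mkCert(host, rogueCA, rogueKey) // issued by a CA the site never used
	all, trimmed := x509.NewCertPool(), x509.NewCertPool()
	all.AddCert(goodCA)
	all.AddCert(rogueCA)    // every CA trusted equally, as in a browser store
	trimmed.AddCert(goodCA) // the store after the rogue CA is removed, as the browsers did
	plainAccepts = verify(rogueLeaf, all, host, [32]byte{})
	pinRejects = !verify(rogueLeaf, all, host, pin(goodLeaf)) && verify(goodLeaf, all, host, pin(goodLeaf))
	distrustRejects = !verify(rogueLeaf, trimmed, host, [32]byte{}) && verify(goodLeaf, trimmed, host, [32]byte{})
	return
}
func main() { fmt.Println(demo()) } // prints: true true true
```

Note that pinning catches the rogue certificate while the rogue CA is still trusted, which is why a pinning client can flag a misissued certificate weeks before the CA is removed from trust stores.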

Marlinspike launched the Convergence project at the DefCon conference this month which serves as a crowdsourced alternative to the hierarchical certificate trust model.

Updated at 4:54 with comment from Microsoft.

Copyright © SC Magazine, Australia
