Security Warning: Fake Google/Yahoo/Hotmail, ... SSL certificates - BMW Luxury Touring Community
 
LinkBack Thread Tools Display Modes
post #1 of 3 Old Sep 4th, 2011, 12:01 pm Thread Starter
Cat Herder
 
andy's Avatar
 
Join Date: Apr 2002
Location: Houston, TX, USA
Posts: 5,852
Security Warning: Fake Google/Yahoo/Hotmail, ... SSL certificates

On July 10, 2011, DigiNotar.nl (a Netherlands CA) issued a fraudulent SSL certificate for the domain *.google.com, which would be valid for all google.com domains. DigiNotar has not been forthcoming about how the attackers were able to obtain the fraudulent certificate, releasing only a PR statement without any content. This means that more fraudulent certificates may have already been issued or may be issued in the future for *.google.com or other domains. While current indications are that it was used to snoop on G-Mail communications in Iran, no one knows what other places it might be used and for what other purposes.

Why Do We Care?
Furthermore, due to the nature of the certificates system, until the DigiNotar.nl registrar is completely secured and how the attack was conducted becomes publicly available, every SSL protected website and service in the world is vulnerable.

DigiNotar has been very tight-lipped about the problem. They have issued only one press release about the situation, and what’s in the press release does not correspond to other observable facts, such as the content of their Certificate Revocation List. Swa Frantzen at SANS and Jonathan Nightingale from Mozilla have both written excellent explanations of why DigiNotar’s response has been lacking.

Because so many fraudulent certificates for so many high-value domains were issued (such as for yahoo.com), and there doesn’t seem to be a trustworthy list of the fraudulent certificates, there is a high risk that other sites may have been compromised and the end user would not be able to tell. The biggest risk to most users is identity theft by phishing of passwords. This could then lead to other compromises and eventually financial losses.

In addition, users in Iran and other countries with totalitarian governments should also be concerned that their communications may have been compromised.

A nice writeup and a utility to remove the Diginotar.nl root certificates from your MAC can be found at http://ps-enable.com/articles/diginotar-revoke-trust

Andreas Pleschutznig
'14 GSAW soon:
To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts.


Still in search of Occam's razor to cut a Gordian knot.
andy is offline  
Sponsored Links
Advertisement
 
post #2 of 3 Old Sep 4th, 2011, 5:09 pm
Senior Member
 
wrmoss's Avatar
 
Join Date: Oct 2007
Location: Glasco, Ks, USA
Posts: 929
Re: Security Warning: Fake Google/Yahoo/Hotmail, ... SSL certificates

Andy does this effect only MAC users then--or is the fix only for MAC users?

Wade
To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts.


99 K-1200LT
82 Yamaha Virago (Girl of my youth)

"No one knows as much as all of us do." --General George Patton



To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts.
wrmoss is offline  
post #3 of 3 Old Sep 5th, 2011, 10:12 am Thread Starter
Cat Herder
 
andy's Avatar
 
Join Date: Apr 2002
Location: Houston, TX, USA
Posts: 5,852
Re: Security Warning: Fake Google/Yahoo/Hotmail, ... SSL certificates

Actually, this affects everybody! So far 531 falsified certificates have been found e.g. Facebook.com, via.gov, google.com, yahoo.com, microsoft.com and everyone else who is important.

It is imperative that everyone takes appropriate precaution, because these certificates can e.g. be used to sniff out your bank passwords, your email, and everything else that was thought to be save. If you do not remove diginotar from the list of trusted CA authorities you are playing with fire ad asking for troubles.

I know this is one of those things where many folks will say "why does that concern ME?" but trust me it does. Not fixing this problem on your computer is akin to turning off and deinstalling your virus checker and starting to research computer viruses. In short not smart.

Andreas Pleschutznig
'14 GSAW soon:
To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts.


Still in search of Occam's razor to cut a Gordian knot.
andy is offline  
Reply

Quick Reply
Message:
Options

Register Now



In order to be able to post messages on the BMW Luxury Touring Community forums, you must first register.
Please enter your desired user name, your email address and other required details in the form below.

User Name:
Password
Please enter a password for your user account. Note that passwords are case-sensitive.

Password:


Confirm Password:
Email Address
Please enter a valid email address for yourself.

Email Address:
OR

Log-in











Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools
Show Printable Version Show Printable Version
Email this Page Email this Page
Display Modes
Linear Mode Linear Mode



Similar Threads
Thread Thread Starter Forum Replies Last Post
Won't start after battery change, doesn't unlock immobility security gramiras K1200LT 21 Mar 26th, 2017 11:20 am
Final Drive Failure (Warning Light System) Tourdog K1200LT 26 Nov 3rd, 2008 8:02 pm
WARNING: The consumption of alcohol may make you.... bmwjason Humor 1 Jun 22nd, 2006 4:18 pm

Posting Rules  
You may post new threads
You may post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is On
Trackbacks are On
Pingbacks are On
Refbacks are On

 
For the best viewing experience please update your browser to Google Chrome