Another CA Issues False Certificates To Iran 229
arglebargle_xiv writes "Following on from Comodogate, we have another public CA issuing genuine false certificates to Iran, this time for Google. There's speculation that it's a MITM by the Iranian government, but given the existing record of CAs ready to sell certs to anyone whose check clears, it could just be another Comodogate." Another (anonymous) reader says, "What might be worrying is that the CA behind the forgery is the official supplier of most Dutch Government certificates, diginotar.nl. They are supposed to be very stringent in their application process. As a Dutchman, I'm very interested to see how this one plays out."
Adds Trailrunner7: "The attack appears to have been targeting Gmail users specifically. Some users trying to reach the Gmail servers over HTTPS found that their traffic was being rerouted through servers that shouldn't have been part of the equation. On Monday afternoon, security researcher Moxie Marlinspike checked the signatures on the certificate for the suspicious server, which had been posted to Pastebin and elsewhere on the Web, and found that the certificate was in fact valid. The attack is especially problematic because the certificate is a wildcard cert, meaning it is valid for any of Google's domains that use SSL."
Surprising? (Score:5, Interesting)
Convergence (Score:4, Interesting)
See him speak about it at BlackHat USA 2011 here
Read about it here [infosecurity-us.com]
The official Convergence website (http://convergence.io/). The plugin (AFAIK) is not compatible with FF 6 yet.
Mozilla wants to blacklist the CA it seems. (Score:5, Interesting)
I just looked through the bug report listed; at the end two very interesting comments:
So it seems Mozilla is basically going to blacklist that CA. I think that's an appropriate response: the CA has proven that their methods are flawed, and that there certificates can not be trusted. This one has been found out; who knows whether there are more out there? I surely hope this is a one-off incident but better safe than sorry. And it sends the message nice and clear to other CAs that they have to be really careful.
As of 9:26pm PDT this bug report has made the frontpage of slashdot.org [...] Please address this issue immediately.
A Slashdot side-effect :)
Liability (Score:2, Interesting)
Question for lawyers. If I bought a certificate from DigiNotar, can I sue them for damages? My certificate is unchanged so I have not been directly damaged. However, their business model is based on trust and once they are blacklisted, my cert while not be useful.