Wednesday, August 31, 2011

False Google certificate is the result of a hack

After an illegally issued certificate turned out at the weekend to be in active use for monitoring Iranian Gmail users, the certificate issuer has now spoken up: according to the issuer DigiNotar, it discovered an intrusion into its systems on 19 July this year, during which the attacker was able to generate multiple certificates. The certificate for *.google.com that has now been used was among them.

DigiNotar subsequently investigated the extent of the break-in and arranged the revocation of all illegally issued certificates. As it now turns out, however, certificates were overlooked, as DigiNotar also admits: "We have found that at least one false certificate was not withdrawn. After the Dutch government organization Govcert drew our attention to it, we carried this out immediately."

The attackers targeted the infrastructure responsible for issuing SSL and Extended Validation SSL (EVSSL) certificates. DigiNotar will not issue any more certificates until further security checks have been carried out by external service providers. Why this is happening only now, when the break-in took place in mid-July, the company leaves open. A solution should be available by the end of the week.

The parent company VASCO is trying to appease its shareholders with warm words: "In the first half of the year, proceeds from the SSL and EVSSL business were less than 100,000 €. VASCO does not expect the incident at DigiNotar to have a significant impact on future revenue or business plans." For the Gmail users living in Iran, who may have been monitored by the Iranian government over a period of several weeks, this is little consolation. The supposedly secure connection to Google's servers lulled them into a false sense of security.

It cannot currently be ruled out that DigiNotar has overlooked other certificates issued during the break-in. The browser makers have therefore opted for a radical step: in future they no longer want to trust DigiNotar certificates. Google and Mozilla have already announced updates that remove the CA from the list of trusted issuers. Microsoft can make use of its centralized Certificate Trust List, from which Windows versions from Vista on benefit automatically. For Windows XP and Windows Server 2003, there will be separate security updates.

A guide published by Mozilla describes how to delete the root certificate manually from Firefox. [Update] Contrary to our original account, the Mozilla instructions do indeed have the desired effect. The root certificate is not deleted, but trust is withdrawn from it.