Monday, August 29, 2011

When SSL Certificate is the culprit

You may have heard practitioners preaching SSL as a mitigation for man-in-the-middle (MITM) attacks. For more information on MITM, read here.

SSL Certificates are issued by a Certificate Authority (CA). There are a large number of CAs around the world and most of the prominent browsers trust a set of CAs by default.

The latest news, that a hacker got SSL certificates issued under the Google name from a Dutch CA, is very alarming.

If the browser trusts a particular CA and that CA has issued a fraudulent certificate, it is very difficult for the browser to detect the fraud unless it checks revocation status through OCSP or that CA is removed from its trust store.

Update from Mozilla Firefox:
http://blog.mozilla.com/security/2011/09/02/diginotar-removal-follow-up/


Mitigation in Mozilla Firefox:

http://support.mozilla.com/en-US/kb/deleting-diginotar-ca-cert


Mozilla will be releasing an update to Firefox to further protect you
from this. Until the update is released you can manually delete this
certificate with these steps:

1. At the top of the Firefox window, click on the Edit menu and select Preferences.
2. Click on the Advanced panel
3. Select the Encryption tab
4. Click View Certificates
5. In the Certificate Manager window, select the Authorities tab
6. Scroll down to DigiNotar and select the DigiNotar Root CA
7. Click Delete or Distrust...
8. Click OK to confirm the deletion


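The manual steps above only cover one browser profile. As an added example (not from Mozilla's support page or this post), the following Python script audits a trust store for a CA that should no longer be trusted, using the subject dictionaries that Python's standard ssl module returns for loaded CA certificates; the DigiNotar entry in the sample data is constructed for the test, not a real certificate dump.

```python
import ssl

# CA names that should no longer appear in a trust store; matched against the
# organizationName and commonName of each trusted root's subject.
DISTRUSTED_NAMES = ("DigiNotar",)

# Constructed sample in the shape of SSLContext.get_ca_certs() output
# (assumed data for demonstration, not a real certificate dump).
SAMPLE_CA_CERTS = [
    {"subject": ((("countryName", "NL"),),
                 (("organizationName", "DigiNotar"),),
                 (("commonName", "DigiNotar Root CA"),))},
    {"subject": ((("countryName", "US"),),
                 (("organizationName", "Example Trust Inc"),),
                 (("commonName", "Example Root CA"),))},
]


def subject_fields(subject):
    """Flatten an ssl-module subject tuple ((('k', 'v'),), ...) into a dict."""
    fields = {}
    for rdn in subject:
        for key, value in rdn:
            fields[key] = value
    return fields


def find_distrusted_cas(ca_certs, distrusted=DISTRUSTED_NAMES):
    """Return subject dicts of CAs whose O or CN mentions a distrusted name.

    ca_certs is a list of dicts as returned by SSLContext.get_ca_certs().
    """
    hits = []
    for cert in ca_certs:
        fields = subject_fields(cert.get("subject", ()))
        haystack = " ".join(fields.get(k, "") for k in ("organizationName", "commonName")).lower()
        if any(name.lower() in haystack for name in distrusted):
            hits.append(fields)
    return hits


def audit_system_trust_store():
    """Load the platform's default CA bundle and check it for distrusted roots."""
    ctx = ssl.create_default_context()
    return find_distrusted_cas(ctx.get_ca_certs())


if __name__ == "__main__":
    for hit in find_distrusted_cas(SAMPLE_CA_CERTS):
        print("sample store: distrusted CA present:", hit["commonName"])
    for hit in audit_system_trust_store():
        print("system store: distrusted CA present:", hit.get("commonName"))
```

Running the script on a machine whose bundle still carries the DigiNotar root prints its common name; a clean store prints nothing for the system check.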
Apparently the DigiNotar certificate shows up in Internet Explorer too.
Here is the Microsoft advisory.

Google Chrome is covered by its security features.

A Google spokesman provided CNET with this statement: "A Chrome security feature warned the user of the invalid certificate and blocked them from visiting the attacker's site. We're pleased that the security measures in Chrome protected the user and brought this attack to the public's attention. While we investigate, we plan to block any sites whose certificates were signed by DigiNotar."

(Thanks to CNET)

If your favorite bank's website has a URL starting with https, ask them for Extended Validation certificates. CAs go through extended audits before issuing EV certificates, and the browser displays a green address bar for them.


References:

Diginotar and Hackers
