NNSquad - Network Neutrality Squad
[ NNSquad ] Forged Google crypto certificate found in the wild
Forged Google crypto certificate found in the wild
http://j.mp/oPlzjQ (UK Register)
"Security researchers have discovered a counterfeit web certificate for
Google.com circulating on the internet that gives attackers the
encryption keys needed to impersonate Gmail and virtually every other
digitally signed Google property."
- - -
A couple of notes on this. First, a widely syndicated story on this
topic was titled "Hackers acquire Google certificate ..." -- which
isn't exactly true; what they acquired was, strictly speaking, a
*forged* Google certificate, an important distinction when certificate
revocation is considered. Secondly, as bad as this is (and regular
readers know how critical I've been of both existing PKI certificates
and DNS environments), the forged cert alone doesn't provide the
ability to perform a man-in-the-middle attack without the added factor
of *access* -- either through poisoned DNS diversions, or direct
tapping of traffic (e.g. by ISPs/governments), and so on.
--Lauren--
Lauren Weinstein (lauren@vortex.com): http://www.vortex.com/lauren
Co-Founder: People For Internet Responsibility: http://www.pfir.org
Founder:
- Network Neutrality Squad: http://www.nnsquad.org
- Global Coalition for Transparent Internet Performance: http://www.gctip.org
- PRIVACY Forum: http://www.vortex.com
Member: ACM Committee on Computers and Public Policy
Blog: http://lauren.vortex.com
Google+: http://vortex.com/g+lauren
Twitter: https://twitter.com/laurenweinstein
Tel: +1 (818) 225-2800 / Skype: vortex.com