IE is killing it too, and, as this post points out, so is Mozilla.<p>Sign a Google Mail certificate for Iran? Fuck you. You're done.<p>In the medium term, I think a lot of HN people should also take a hard look at CONVERGENCE.IO. For now, though, it's heartening to see the real power behind Internet trust (hint: it's not Verisign and it's not the IETF) taking this seriously.
DigiNotar's mother company Vasco finally released a press statement.<p><a href="http://www.vasco.com/company/press_room/news_archive/2011/news_diginotar_reports_security_incident.aspx" rel="nofollow">http://www.vasco.com/company/press_room/news_archive/2011/ne...</a><p>Just incredible: They were hacked and they knew it, then forgot to clean up a certificate the hackers generated.<p><pre><code> On July 19th 2011, DigiNotar detected an intrusion into
its Certificate Authority (CA) infrastructure, which
resulted in the fraudulent issuance of public key
certificate requests for a number of domains, including
Google.com.
Once it detected the intrusion, DigiNotar has acted in
accordance with all relevant rules and procedures.
At that time, an external security audit concluded that
all fraudulently issued certificates were revoked.
Recently, it was discovered that at least one fraudulent
certificate had not been revoked at the time. After
being notified by Dutch government organization Govcert,
DigiNotar took immediate action and revoked the
fraudulent certificate.
The attack was targeted solely at DigiNotar's Certificate
Authority infrastructure for issuing SSL and EVSSL
certificates. No other certificate types were issued or
compromised. DigiNotar stresses the fact that the vast
majority of its business, including his Dutch government
business (PKIOverheid) was completely unaffected by the
attack.
</code></pre>
Maybe directly, certainly not indirectly.
Do we really need all those Certificate Authorities that are trusted by the browser? I remember 10 years ago Verisign would spend time verifying a business digging through legal documents, addresses, company officers, notarized docs, etc. Nowadays I'm supposed to trust a bunch of fly-by-night operations issuing certificates for a dollar and a song.
What we need, I think, is for browsers to display the CA as well as the URL. As in, 'DigiNotar certifies that you are connected to gmail'. This won't wholly solve the problem, but it will a) broaden the knowledge that CA's actually exist, and thus the problem of trusting them and b) provide some reputational disincentive to being a bad CA.<p>Unfortunately chrome seems to be headed in the opposite direction, removing the URL bar.
It's a shame that the only real protection against rogue (or compromised) CAs is still to have a whitelist directly in the browser.<p>For Google, this was easy as they control both their domains and their browser, but for everybody else who isn't maintaining a browser, they'd have to fall back to solutions like STS which, don't work if the first connection a user sees is already man-in-the-middle'd
If you want to verify that you no longer support Diginotar CA, this should give you a warning: <a href="https://www.diginotar.nl/" rel="nofollow">https://www.diginotar.nl/</a>
Wow, the security features Chrome used to nullify the attack were just implemented in June. I wonder if that was a reaction to another incident like this, or if it was just good foresight?
The amazing thing is that:<p>1) it doesn't happen more often<p>2) that anyone noticed<p>Its clearly early days. If they had impersonated a download server, they could have got users to download a spiked copy of the browser itself
The (partial) solution to this problem is very well known and is already implemented by SSH and several other packages that rely on public cryptography:
1) When user visits a <i>new</i> site, the certificate is presented to the user for inspection.
2) On subsequent visits, the site's certificate is compared to the one stored in the browser cache. If they are the same, then the connection is made silently. If there is difference, then the new cert is presented to the user for inspection.<p>The only problem is that this would kill user experience for 99% of the users who don't care about security in the first place. Thus, browsers need to do some clever UI tricks (e.g. color the thingy in url bar in a different color, etc.) to indicate potential problem to the user yet make it less intrusive.<p>The bottom line is that the fault is not on the SSL/x509. This infrastructure is not perfect but there is nothing better even in the design. The fault is on the browser developers who are not trying to protect users.
Question: This I believe is a serious issue, but what is the best way to 'reach' out to majority of users in a country?<p>Should/would google display this blog link on top of every google service to alert users in Iran, regardless of browser?<p>My thought is this blog may not even reach out to majority of users, till they get affected by it unless it is 'broadcasted'.
Anyone know a way to remove DigiNotar as a system root CA in OS X? I spent a few minutes struggling with Keychain to no avail, and couldn't Google my way to useful help.
This seems like a very expensive, targeted, specific attack. The perpetrators will likely succeed (or have already succeeded) at breaking into their intended target.<p>Someone high-profile in Iran is probably going to get screwed as a result.
I really wish Chrome would warn me when a site jumps to a new CA or even a new certificate. Last I checked, details on the current certificate wasn't made available to plugins, so I can't easily write it myself.