Tuesday, August 30, 2011

Fraudulent *.google.com SSL Certificate

A fraudulent SSL certificate was issued for the .google.com domain name from Diginotar, a Dutch Certificate Authority on July 10,2011. The articles referenced below provide background information and a time-line about the events.  

Of concern, is whether your browser is protected from spoofs, phishing attacks, or man-in-the-middle attacks from subdomains of google.com.

Internet Explorer

Microsoft issued Security Advisory (2607712): Fraudulent Digital Certificates Could Allow Spoofing, indicating that the precautionary step of removing the DigiNotar root certificate from the Microsoft Certificate Trust List.

All supported editions of Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 use the Microsoft Certificate Trust List to validate the trust of a certification authority.  Should you land on a website or attempt to install a program signed by the DigiNotar root certificate, you will receive an invalid certificate error.

A future update will be released to address this issue for all supported editions of Windows XP and Windows Server 2003.

Mozilla Firefox

The Mozilla Security Blog reported at Fraudulent *.google.com Certificate at Mozilla Security Blog that new versions of Firefox for desktop (3.6.21, 6.0.1, 7, 8, and 9) and mobile (6.0.1, 7, 8, and 9), Thunderbird (3.1.13, and 6.0.1) and SeaMonkey (2.3.2) will be released shortly that will revoke trust in the DigiNotar root.

Rather than waiting for the update, action can be taken now by following the instructions at Deleting the DigiNotar CA certificate.

Other Browsers

As reported in the Google Online Security Blog at An update on attempted man-in-the-middle attacks, steps were taken to disable the DigiNotar certificate authority in Chrome.  This was done while the investigations continues because it is not known if other fraudulent certificates were exist that have yet to be discovered.

Google Chrome is expected to be updated soon.  Chrome 13 and newer have legitimate Google certificates, hard-coded.

No official word has been issued regarding an update for either the Safari or Opera browser.

Background Articles

Computerworld: Hackers stole Google SSL certificate, Dutch firm admits
F-Secure: Diginotar Hacked by Black.Spook and Iranian Hackers
PC World: Google One of Many Victims in SSL Certificate Hack

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

1 comment:

gohost said...
This comment has been removed by a blog administrator.