Of concern, is whether your browser is protected from spoofs, phishing attacks, or man-in-the-middle attacks from subdomains of google.com.
Internet Explorer
Microsoft issued Security Advisory (2607712): Fraudulent Digital Certificates Could Allow Spoofing, indicating that the precautionary step of removing the DigiNotar root certificate from the Microsoft Certificate Trust List.All supported editions of Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 use the Microsoft Certificate Trust List to validate the trust of a certification authority. Should you land on a website or attempt to install a program signed by the DigiNotar root certificate, you will receive an invalid certificate error.
A future update will be released to address this issue for all supported editions of Windows XP and Windows Server 2003.
Mozilla Firefox
The Mozilla Security Blog reported at Fraudulent *.google.com Certificate at Mozilla Security Blog that new versions of Firefox for desktop (3.6.21, 6.0.1, 7, 8, and 9) and mobile (6.0.1, 7, 8, and 9), Thunderbird (3.1.13, and 6.0.1) and SeaMonkey (2.3.2) will be released shortly that will revoke trust in the DigiNotar root.Rather than waiting for the update, action can be taken now by following the instructions at Deleting the DigiNotar CA certificate.
Other Browsers
As reported in the Google Online Security Blog at An update on attempted man-in-the-middle attacks, steps were taken to disable the DigiNotar certificate authority in Chrome. This was done while the investigations continues because it is not known if other fraudulent certificates were exist that have yet to be discovered.Google Chrome is expected to be updated soon. Chrome 13 and newer have legitimate Google certificates, hard-coded.
No official word has been issued regarding an update for either the Safari or Opera browser.
Background Articles
Computerworld: Hackers stole Google SSL certificate, Dutch firm admitsF-Secure: Diginotar Hacked by Black.Spook and Iranian Hackers
PC World: Google One of Many Victims in SSL Certificate Hack
This comment has been removed by a blog administrator.
ReplyDelete