Did Google certificate forgers hit hundreds more sites?

The hack attack that minted a fraudulent authentication credential for Google.com may have affected hundreds of other websites, a review of source code for Google's Chromium browser suggests. A side-by-side review comparing code contained in an upcoming version of Chrome increased the number of secure sockets layer certificates …

COMMENTS

This topic is closed for new posts.

Opera users

Automatically protected, no application update needed.

http://my.opera.com/securitygroup/blog/2011/08/30/when-certificate-authorities-are-hacked-2


Erm...

But for the automatic blocking to work you have to "hope" that the issuing CA has revoked all the certificates (can you say for sure all the fake ones have been revoked?) and that the CA can be trusted to do so in a timely manner.

Turn off the smug mode please.

Jad

RE: Opera users

WOW! So basically the difference between Firefox and Opera is that in Firefox, if it gets the revocation list, it will warn you and get you to jump through hoops to access the site, and in Opera it will just not change the icon next to the URL!

that's amazing and will obviously really help normal users!


Erm

Odd, I'm the only person I know who runs Opera on their PC; I wouldn't consider us normal users, therefore it is impossible to turn off smug mode :(


blocked revocations

Then Opera can also turn off the entire CA without users needing to download anything either... No rash and rushed updates like Chrome and Firefox that *MIGHT* catch all the bad certs, and if not, another update tomorrow that *MIGHT* catch a few more...

The point is, yes, Opera is revocation based, but it is also the ONLY browser that downgrades the cert if there is a blocked revocation URL:

"Some browsers will present a site as secure if the revocation URL is blocked. Opera will downgrade the security level of the site to the same as any other regular web page in such unverified cases, which means that once a certificate is revoked by the issuer, it cannot be abused in Opera, even if the revocation URL is blocked. The most an attacker can do is the same as he could without a certificate."


Re: RE: Opera users

For Opera, failure to download a CRL or get an OCSP response means the connection grade is changed to that of unsecured HTTP.

With Firefox, Chrome and IE it's business as usual. IE doesn't check revocation data even for EV certificates.


Scrub the lot

They know they've been hacked, but they refuse to give a full list of what fake certificates have been issued? Then untrusting all certificates issued by them is the only safe option.

Tough luck on them - letting themselves be hacked is incompetent, but letting known fake certificates circulate is grossly irresponsible.


Or just add Honest Achmed

https://bugzilla.mozilla.org/show_bug.cgi?id=647959


Reporting about CAs' CRLs and revocations is a red herring

Grepping through their CRL from Jan 2011 to current (see pastebin example: http://pastebin.com/EaJJt1Yj):

Revocations per month:

  Jan  431
  Feb  335
  Mar  353
  Apr  278
  May  353
  Jun   53
  Jul  155
  Aug  311

Current as of 20:15 GMT 2011

0
1
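A worked version of the two things discussed above: the per-month revocation tally the "red herring" post did with grep over a CRL, and the hard-fail policy the Opera posts quote (an unreachable revocation URL downgrades the connection instead of being ignored). This is an added example, not code from the thread, from Opera, or from any browser. It builds a constructed DER CRL for a fictitious "Example Test CA" with made-up serials and dates (nothing here is DigiNotar's real CRL), walks it with a minimal DER parser, counts revocations per month, and models soft-fail versus hard-fail. The function names, the hard_fail flag and the grade strings "secure", "revoked" and "unverified" are the example's own assumptions.

```python
"""Toy CRL builder/parser: tally revocations per month and model hard-fail vs
soft-fail revocation checking. Added example; not from the thread or any browser."""
from collections import Counter
from datetime import datetime, timezone


# ---- minimal DER encoder, used only to construct sample data ----
def der(tag, body):
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_int(n):
    # one extra byte when the top bit is set keeps the INTEGER positive
    return der(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def der_utctime(dt):
    return der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())


def build_crl(revoked):
    """Build an X.509 CRL (dummy signature) for a fictitious issuer.
    revoked: list of (serial, revocation datetime)."""
    sha256_rsa = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")))
    issuer = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403"))  # CN
                                      + der(0x13, b"Example Test CA"))))
    entries = b"".join(der(0x30, der_int(s) + der_utctime(d)) for s, d in revoked)
    tbs = der(0x30, der_int(1) + sha256_rsa + issuer                                # v2, sigalg, issuer
              + der_utctime(datetime(2011, 8, 30, 20, 15, tzinfo=timezone.utc))   # thisUpdate
              + der_utctime(datetime(2011, 9, 6, 20, 15, tzinfo=timezone.utc))    # nextUpdate
              + der(0x30, entries))                                               # revokedCertificates
    return der(0x30, tbs + sha256_rsa + der(0x03, b"\x00" * 5))  # dummy BIT STRING signature


# ---- minimal DER walker ----
def parse_tlv(buf, off=0):
    """Return (tag, value, next_offset) for the TLV at buf[off]."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    return tag, buf[off:off + length], off + length


def children(body):
    out, off = [], 0
    while off < len(body):
        tag, val, off = parse_tlv(body, off)
        out.append((tag, val))
    return out


def parse_time(tag, val):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return datetime.strptime(val.decode(), fmt).replace(tzinfo=timezone.utc)


def revoked_entries(crl_der):
    """Yield (serial, revocation_date) from a DER CRL. The signature is NOT
    checked here; a real client must verify it against the issuer key first."""
    _, outer, _ = parse_tlv(crl_der)
    fields = children(children(outer)[0][1])          # tbsCertList fields
    i = 1 if fields[0][0] == 0x02 else 0              # optional version
    i += 3                                            # signature, issuer, thisUpdate
    if i < len(fields) and fields[i][0] in (0x17, 0x18):
        i += 1                                        # optional nextUpdate
    if i < len(fields) and fields[i][0] == 0x30:      # revokedCertificates (absent or [0] extensions otherwise)
        for _, entry in children(fields[i][1]):
            (_, serial), (ttag, tval) = children(entry)[:2]
            yield int.from_bytes(serial, "big", signed=True), parse_time(ttag, tval)


def revocations_per_month(crl_der):
    """What the poster did with grep: count revoked entries per YYYY-MM."""
    return Counter(d.strftime("%Y-%m") for _, d in revoked_entries(crl_der))


def connection_grade(crl_der, serial, hard_fail=True):
    """crl_der is None when the revocation URL was blocked or unreachable.
    hard_fail=True: downgrade to 'unverified' (the Opera behaviour quoted in the thread).
    hard_fail=False: soft-fail, treat an unreachable CRL as if nothing were revoked."""
    if crl_der is None:
        return "unverified" if hard_fail else "secure"
    return "revoked" if serial in {s for s, _ in revoked_entries(crl_der)} else "secure"


# Constructed sample data: fictitious serials and dates, not a real CA's CRL.
SAMPLE_REVOCATIONS = [
    (0x1001, datetime(2011, 1, 3, 9, 0, tzinfo=timezone.utc)),
    (0x1002, datetime(2011, 1, 17, 9, 0, tzinfo=timezone.utc)),
    (0x2001, datetime(2011, 7, 10, 12, 0, tzinfo=timezone.utc)),
    (0x3001, datetime(2011, 8, 29, 8, 30, tzinfo=timezone.utc)),
    (0x3002, datetime(2011, 8, 29, 8, 31, tzinfo=timezone.utc)),
    (0x3003, datetime(2011, 8, 30, 19, 59, tzinfo=timezone.utc)),
]
SAMPLE_CRL = build_crl(SAMPLE_REVOCATIONS)

if __name__ == "__main__":
    for month, n in sorted(revocations_per_month(SAMPLE_CRL).items()):
        print(month, n)
    print("CRL blocked, hard-fail:", connection_grade(None, 0x3001))
    print("CRL blocked, soft-fail:", connection_grade(None, 0x3001, hard_fail=False))
```

The soft-fail branch is the one the thread complains about: with the CRL unreachable, a revoked serial is reported "secure" because the client never saw the revocation, which is exactly why blocking the revocation URL is enough to keep using a revoked certificate against such a client. Note that the parser deliberately skips signature verification; a real CRL consumer must check the signature before trusting any entry in it.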
Unhappy

Interesting bit

The interesting bit is the Chromium list: what are the over 200 certificates for?! It's more than even DigiNotar revoked themselves.

Browsers should have treated OCSP or CRL failure as certificate revoked for a long time already, it's not like the CAs don't have the money to run servers...


wrong solution

The CAs are already running servers, but users are too impatient to wait for the browser to check every certificate in the chain and therefore, by default, most browsers disable this checking.

Does this mean that instead of using a website to check my installed SSL certificates, I can just use Opera? If so, that will save me quite a bit of hassle.
