Did Google certificate forgers hit hundreds more sites?
The hack attack that minted a fraudulent authentication credential for Google.com may have affected hundreds of other websites, a review of source code for Google's Chromium browser suggests. A side-by-side review comparing code contained in an upcoming version of Chrome increased the number of secure sockets layer certificates …
Opera users
Automatically protected, no application update needed.
http://my.opera.com/securitygroup/blog/2011/08/30/when-certificate-authorities-are-hacked-2
Erm...
But for the automatic blocking to work you have to "hope" that the issuing CA has revoked all the certificates (can you say for sure all the fake ones have been revoked?) and that the CA can be trusted to do so in a timely manner.
Turn off the smug mode please.
RE: Opera users
WOW! So basically the difference between Firefox and Opera is that in Firefox, if it gets the revocation list, it will warn you and get you to jump through hoops to access the site, and in Opera it will just not change the icon next to the URL!
that's amazing and will obviously really help normal users!
Erm
Odd, I'm the only person I know who runs Opera on their PC; I wouldn't consider us normal users, therefore it's impossible to turn off smug mode :(
blocked revocations
then Opera can also turn off the entire CA without users needing to download anything either... No rash and rushed updates like Chrome and Firefox that ***MIGHT*** catch all the bad certs, and if not another update tomorrow that ****MIGHT** catch a few more...
The point is, yes, Opera is revocation based, but it is also the ONLY browser that downgrades the cert if there is a blocked revocation URL.
"Some browsers will present a site as secure if the revocation URL is blocked,
Opera will downgrade the security level of the site to the same as any other regular web page in such unverified cases, which means that once a certificate is revoked by the issuer, it cannot be abused in Opera, even if the revocation URL is blocked. The most an attacker can do, is the same as he could without a certificate."
Re: RE: Opera users
For Opera, failure to download a CRL or get an OCSP response means the connection grade is changed to that of unsecured HTTP.
With Firefox, Chrome and IE it's business as usual. IE doesn't check revocation data even for EV certificates.
Scrub the lot
They know they've been hacked, but they refuse to give a full list of what fake certificates have been issued? Then untrusting all certificates issued by them is the only safe option.
Tough luck on them - letting themselves be hacked is incompetent, but letting known fake certificates circulate is grossly irresponsible.
Or just add Honest Achmed
https://bugzilla.mozilla.org/show_bug.cgi?id=647959
Reporting about CAs' CRLs and revocations is a red herring
Grepping through their CRL from Jan 2011 to current (see pastebin example: http://pastebin.com/EaJJt1Yj):
Revocations per month
Jan 431
Feb 335
Mar 353
Apr 278
May 353
Jun 53
Jul 155
Aug 311
Current as of 20:15 GMT 2011
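The per-month tally above comes from grepping a CRL dump, and the Opera posts earlier in the thread describe treating a missing CRL or OCSP response as unverified rather than secure. As an added example that is not part of the thread, the Python below does both over a constructed CRL text dump in the shape that `openssl crl -text -noout` prints: it parses the revoked entries, tallies them by month, and grades a connection as secure, revoked or unverified under a hard-fail or soft-fail policy. The serials, dates and issuer are made up, and the `Next Update` staleness check and all function names are my own assumptions, not anything from the thread.

```python
"""Count CRL revocations per month and apply a hard-fail revocation policy.

Added example, not from the thread. The CRL text below is constructed to match
the layout of `openssl crl -in issuer.crl -inform DER -text -noout`; it is not a
real CA's CRL.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample (serials, dates and issuer are invented).
SAMPLE_CRL_TEXT = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=NL/O=Example CA/CN=Example Root CA
        Last Update: Aug 30 20:15:00 2011 GMT
        Next Update: Sep  6 20:15:00 2011 GMT
Revoked Certificates:
    Serial Number: 0A1B2C
        Revocation Date: Jan  5 10:12:33 2011 GMT
    Serial Number: 0A1B2D
        Revocation Date: Jan 17 08:00:01 2011 GMT
    Serial Number: 0B0001
        Revocation Date: Feb  2 12:00:00 2011 GMT
    Serial Number: 0C0042
        Revocation Date: Jul 19 00:00:00 2011 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Key Compromise
    Serial Number: 0D00FF
        Revocation Date: Aug 29 23:59:59 2011 GMT
"""

# Constructed "current time" values for the policy demo below.
NOW_SAMPLE = datetime(2011, 8, 30, 21, 0, 0)   # CRL is still fresh
LATER_SAMPLE = datetime(2011, 9, 7, 0, 0, 0)   # after Next Update: CRL is stale

OPENSSL_DATE = "%b %d %H:%M:%S %Y GMT"          # e.g. 'Jan  5 10:12:33 2011 GMT'
ENTRY_RE = re.compile(
    r"Serial Number:\s*([0-9A-Fa-f]+)\s*\n\s*Revocation Date:\s*(.+?)\s*\n"
)
NEXT_UPDATE_RE = re.compile(r"Next Update:\s*(.+?)\s*\n")


def parse_crl_text(text):
    """Return [(serial, revocation datetime), ...] from openssl's text dump."""
    entries = []
    for serial, date_str in ENTRY_RE.findall(text):
        # strptime treats whitespace in the format as one-or-more, so the
        # space-padded day ('Jan  5') parses fine.
        entries.append((serial.upper(), datetime.strptime(date_str, OPENSSL_DATE)))
    return entries


def revocations_per_month(entries):
    """Tally revocations by 'YYYY-MM', like the per-month list in the post."""
    return Counter(when.strftime("%Y-%m") for _, when in entries)


def crl_next_update(text):
    """The CRL's Next Update time, or None if the field is missing."""
    match = NEXT_UPDATE_RE.search(text)
    return datetime.strptime(match.group(1), OPENSSL_DATE) if match else None


def is_revoked(serial, entries):
    """True if the serial appears in the parsed CRL (case-insensitive hex)."""
    return serial.upper() in {s for s, _ in entries}


def connection_grade(serial, crl_text, now, hard_fail=True):
    """Grade a TLS connection from the revocation data we managed to obtain.

    'revoked'    the certificate's serial is listed on the CRL
    'secure'     a fresh CRL was obtained and the serial is not on it
    'unverified' no CRL, or a stale one: hard-fail treats this as no better
                 than plain HTTP (the Opera behaviour described in the thread);
                 soft-fail, the default in most browsers, reports 'secure'.
    """
    stale = crl_text is None or (
        crl_next_update(crl_text) is not None and now > crl_next_update(crl_text)
    )
    if stale:
        return "unverified" if hard_fail else "secure"
    if is_revoked(serial, parse_crl_text(crl_text)):
        return "revoked"
    return "secure"


if __name__ == "__main__":
    tally = revocations_per_month(parse_crl_text(SAMPLE_CRL_TEXT))
    for month in sorted(tally):
        print(month, tally[month])
    print("0c0042:", connection_grade("0c0042", SAMPLE_CRL_TEXT, NOW_SAMPLE))
    print("no CRL, hard-fail:", connection_grade("123456", None, NOW_SAMPLE))
    print("no CRL, soft-fail:", connection_grade("123456", None, NOW_SAMPLE, hard_fail=False))
```

Feeding a real dump is a matter of `openssl crl -in issuer.crl -inform DER -text -noout > crl.txt` and passing the file contents to `parse_crl_text`. The difference between the two policies is entirely in the `stale` branch: under soft-fail, an attacker who can block the CRL or OCSP URL gets the same padlock as a properly validated site, which is the point the Opera posts above are making.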
Interesting bit
The interesting bit is the Chromium list: what are the over 200 certificates for?! It's more than even DigiNotar revoked themselves.
Browsers should have treated OCSP or CRL failure as certificate revoked for a long time already, it's not like the CAs don't have the money to run servers...
wrong solution
The CAs are already running servers, but users are too impatient to wait for the browser to check every certificate in the chain and therefore, by default, most browsers disable this checking.
Does this mean that instead of using a website to check my installed SSL certificates, I can just use Opera? If so, that will save me quite a bit of hassle.
