Google tells Iranians: Change your Gmail password
Google has issued a blanket instruction advising Iranian users to check if their Gmail accounts might have been hacked as well as to change their passwords. The move follows the compromise of Dutch SSL certificate authority DigiNotar. Hackers created fake SSL certificate credentials for Google.com and many other domains. These …
Fake Certificates?
Why does the media keep saying "fake" certificates? The Register should know better. The certificates were very much real, only that they were given to the wrong people.
To say the certificates were fake is to suggest someone was able to create DigiNotar certificates of their own rather than what actually happened was they convinced DigiNotar to create erroneous certificates.
If you convince NYPD to issue you a badge then while you may be a fake cop the badge is still very real.
A fake Rolex
A watch that looks like a Rolex but, upon closer examination, isn't is similar to the implied status of the wearer, which in fact isn't what it appears.
So yes, these are fake certificates: the trust implied is in fact misplaced.
trust implied?
Trust implied by whom? IE, FF, Ch, Op? DigiNotar? Vasco? Or the current implementation?
What would break if Microsoft, Mozilla, Google and Opera forced OCSP checking? Would the CAs' responders be able to handle the traffic?
Fake real
So if I wear a real Rolex, but lie about who I am, that makes the watch a fake?
*Confused*
A better analogy
If Rolex is supplying watches to Bob's Watch Shop and I tell Rolex that I work for Bob, and Rolex gives me some Rolexes, then they are not fake Rolexes.
Kinda fake
IIRC the 'hackers' actually forged their own certs using DigiNotar's CA, isn't this the case? There were no clueless DigiNotar dudes actually giving away www.google.com certs. The forged certs would probably fail an OCSP check, so they're "fake" for all purposes.
Only one rule to remember
You wear a real Rolex?
You are a fake human being.
Two Factor Authentication
Also, once you feel you've regained control of your account, Google's two-factor authentication is well worth considering.
http://www.theregister.co.uk/2011/02/10/gmail_2_factor_authentication/
@Two Factor Authentication
" in that uses one-time passwords transmitted over mobile or land-line phones."
So to log in to Gmail from Iran (or China or the UK) you get a secure encrypted https session, and this is secured by an in-the-clear text message sent over the Iranian state cell phone network by the Iranian state-owned cell phone company to your handset?
@Two Factor Authentication
The point is it's a *one-time* password. They may have your regular password but will not be able to log in in the future with just that...
@Two Factor Authentication
I see your issue if that's the technique you're using. However, something like the authentication app for Android (and I assume there are other platforms) doesn't use a connection and works as a one time pad. It will continually generate a new authentication code every thirty seconds in sync with Google's servers. Without the seed value it can't be mimicked.
Alternatively, once you're logged in you can generate a printable list of one-use codes. A handy low-tech solution, even if it does need updating every dozen times or so.
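The authenticator-app scheme described in the comment above is TOTP (RFC 6238), which is what Google Authenticator implements. The following is an added example, not code from the article or any commenter, showing how the 30-second code is derived from the shared seed and how a verifier should accept it: with a small drift window, a constant-time compare, and a replay check so a code that was observed in transit is never accepted twice. The secret is the RFC 4226/6238 reference seed, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct

# Constructed example secret: the RFC 4226/6238 reference seed, base32-encoded
# the way an authenticator app accepts it. Not a real account secret.
SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, then reduced to `digits`."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock, so the app
    and the server agree without any network connection between them."""
    return hotp(secret_b32, unix_time // step, digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                last_accepted_counter: int = -1, window: int = 1,
                step: int = 30, digits: int = 6):
    """Return the time-step counter the code was accepted for, or None.
    Tolerates `window` steps of clock drift either side of now, compares in
    constant time, and refuses any counter at or below one already accepted:
    that is what makes the code genuinely one-time on the server side."""
    now = unix_time // step
    for c in range(now - window, now + window + 1):
        if c <= last_accepted_counter:
            continue  # replay of an already-used step
        if hmac.compare_digest(hotp(secret_b32, c, digits), submitted):
            return c
    return None


if __name__ == "__main__":
    t = 59  # RFC 6238 test time; expected 6-digit code is 287082
    code = totp(SECRET_B32, t)
    print("code at t=59:", code)
    first = verify_totp(SECRET_B32, code, t)
    print("first use accepted for counter:", first)
    print("replay accepted:", verify_totp(SECRET_B32, code, t, last_accepted_counter=first))
```

The server must persist the last accepted counter per account; a cluster that verifies on several nodes without sharing it reopens the replay window the comment above is relying on.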
