Google tells Iranians: Change your Gmail password

Google has issued a blanket instruction advising Iranian users to check if their Gmail accounts might have been hacked as well as to change their passwords. The move follows the compromise of Dutch SSL certificate authority DigiNotar. Hackers created fake SSL certificate credentials for Google.com and many other domains. These …

COMMENTS

This topic is closed for new posts.

Fake Certificates?

Why does the media keep saying "fake" certificates? The Register should know better. The certificates were very much real, only that they were given to the wrong people.

To say the certificates were fake is to suggest someone was able to create DigiNotar certificates of their own, rather than what actually happened, which was that they convinced DigiNotar to create erroneous certificates.

If you convince NYPD to issue you a badge then while you may be a fake cop the badge is still very real.

5
2
Anonymous Coward

A fake Rolex

Is a watch that looks like a Rolex - but upon closer examination isn't, similar to the implied status of the wearer that in fact isn't what it appears.

So yes, these are fake certificates: the trust implied is in fact misplaced.

5
2
Silver badge

trust implied?

Trust implied by whom? IE, FF, Ch, Op? DigiNotar? Vasco? Or the current implementation?

What would break if Microsoft, Mozilla, Google and Opera forced OCSP checking? Would the CAs' responders be able to handle the traffic?

0
0
FAIL

Fake real

So if I wear a real Rolex, but lie about who I am, that makes the watch a fake?

*Confused*

0
0
Silver badge

A better analogy

If Rolex is supplying watches to Bob's Watch Shop and I tell Rolex that I work for Bob and Rolex gives me some Rolexes then they are not fake Rolexes.

0
0
Silver badge

Kinda fake

IIRC the 'hackers' actually forged their own certs using DigiNotar's CA, isn't this the case? There were no clueless DigiNotar dudes actually giving away www.google.com certs. The forged certs would probably fail an OCSP check, so they're "fake" for all purposes.

2
0
Thumb Up

Only one rule to remember

You wear a real Rolex?

You are a fake human being.

0
0
Big Brother

Two Factor Authentication

Also, once you feel you've regained control of your account, Google's two-factor authentication is well worth considering.

http://www.theregister.co.uk/2011/02/10/gmail_2_factor_authentication/

2
0
Silver badge

@Two Factor Authentication

"in that uses one-time passwords transmitted over mobile or land-line phones."

So to log in to Gmail from Iran (or China or the UK) you get a secure encrypted HTTPS session, and this is secured by an in-the-clear text message sent over the Iranian state cell phone network by the Iranian state-owned cell phone company to your handset?

1
0
Anonymous Coward

@Two Factor Authentication

The point is it's a *one-time* password. They may have your regular password but will not be able to log in in the future with just that...

0
0

@Two Factor Authentication

I see your issue if that's the technique you're using. However, something like the authentication app for Android (and I assume there are other platforms) doesn't use a connection and works as a one time pad. It will continually generate a new authentication code every thirty seconds in sync with Google's servers. Without the seed value it can't be mimicked.

Alternatively, once you're logged in you can generate a printable list of one use codes. A handy low tech solution, even if it does need updating every dozen times or so.

0
0