Did Google certificate forgers hit hundreds more sites?

The hack attack that minted a fraudulent authentication credential for Google.com may have affected hundreds of other websites, a review of source code for Google's Chromium browser suggests. A side-by-side review comparing code contained in an upcoming version of Chrome increased the number of secure sockets layer certificates …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Thumb Up

    Opera users

    Automatically protected, no application update needed.

    http://my.opera.com/securitygroup/blog/2011/08/30/when-certificate-authorities-are-hacked-2

    1. Ragarath
      FAIL

      Erm...

      But for the automatic blocking to work you have to "hope" that the issuing CA has revoked all the certificates (can you say for sure all the fake ones have been revoked?) and that the CA can be trusted to do so in a timely manner.

      Turn off the smug mode please.

      1. Anonymous Coward
        FAIL

        blocked revocations

        then Opera can also turn off the entire CA without users needing to download anything either... No rash and rushed updates like Chrome and Firefox that ***MIGHT*** catch all the bad certs, and if not another update tomorrow that ****MIGHT** catch a few more...

        The point is, yes Opera is revocation based, but it is also the ONLY browser that downgrades the cert if there is a blocked revocation URL.

        "Some browsers will present a site as secure if the revocation URL is blocked,

        Opera will downgrade the security level of the site to the same as any other regular web page in such unverified cases, which means that once a certificate is revoked by the issuer, it cannot be abused in Opera, even if the revocation URL is blocked. The most an attacker can do, is the same as he could without a certificate."

    2. Jad
      Stop

      RE: Opera users

      WOW! So basically the difference between Firefox and Opera is that in Firefox, if it gets the revocation list, it will warn you and get you to jump through hoops to access the site, and in Opera it will just not change the icon next to the URL!

      That's amazing and will obviously really help normal users!

      1. Captain Scarlet Silver badge
        Angel

        Erm

        Odd, I'm the only person I know who runs Opera on their PC, wouldn't consider us normal users, therefore impossible to turn off smug mode :(

      2. Tomato42
        FAIL

        Re: RE: Opera users

        For Opera, failure to download a CRL or get an OCSP response results in the connection grade being changed to that of unsecured HTTP.

        With Firefox, Chrome and IE it's business as usual. IE doesn't check revocation data even for EV certificates.
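As an added illustration (not Opera's code, and not from any poster in this thread) of the difference described in the two posts above: a CRL lookup under a soft-fail policy, which lets the connection through when the revocation URL cannot be reached, beside a hard-fail policy that drops it to the grade of a plain HTTP page. The CA, leaf certificate and CRL are constructed inside the block with the cryptography library; the name "www.example.test" and the grade labels are assumptions.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def build_test_pki():
    """Constructed test data: a CA, one leaf cert, and a CRL revoking that leaf."""
    now = datetime.datetime(2011, 8, 30)  # naive datetimes are treated as UTC
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test CA")])
    ca_cert = (x509.CertificateBuilder().subject_name(ca_name).issuer_name(ca_name)
               .public_key(ca_key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
               .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
               .sign(ca_key, hashes.SHA256()))
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    leaf = (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "www.example.test")]))
            .issuer_name(ca_name).public_key(leaf_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=90))
            .sign(ca_key, hashes.SHA256()))
    revoked = (x509.RevokedCertificateBuilder().serial_number(leaf.serial_number)
               .revocation_date(now).build())
    crl = (x509.CertificateRevocationListBuilder().issuer_name(ca_name)
           .last_update(now).next_update(now + datetime.timedelta(days=7))
           .add_revoked_certificate(revoked).sign(ca_key, hashes.SHA256()))
    return ca_cert, leaf, crl


def revocation_grade(cert, ca_cert, fetch_crl, policy):
    """Grade a connection 'secure', 'revoked' or 'unsecured'. fetch_crl() returns the
    issuer's CRL or raises ConnectionError when the revocation URL is unreachable."""
    try:
        crl = fetch_crl()
    except ConnectionError:
        # soft-fail: no answer, so carry on as if the certificate were fine.
        # hard-fail: no answer, so drop to the grade of a plain HTTP page.
        return "secure" if policy == "soft-fail" else "unsecured"
    if not crl.is_signature_valid(ca_cert.public_key()):
        return "unsecured"  # a CRL not signed by the issuer proves nothing
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "secure"
```

With the CRL reachable both policies agree; only when the fetch fails do they diverge, which is exactly the case a blocked revocation URL produces.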

  2. Christoph
    Stop

    Scrub the lot

    They know they've been hacked, but they refuse to give a full list of what fake certificates have been issued? Then untrusting all certificates issued by them is the only safe option.

    Tough luck on them - letting themselves be hacked is incompetent, but letting known fake certificates circulate is grossly irresponsible.

  3. Yet Another Anonymous coward Silver badge

    Or just add Honest Achmed

    https://bugzilla.mozilla.org/show_bug.cgi?id=647959

  4. Anonymous Coward
    Holmes

    Reporting about CAs CRL and revocations is red herring

    Grepping through their CRL from Jan 2011 to current (see pastebin example: http://pastebin.com/EaJJt1Yj):

    Revocations per month:

    Jan 431
    Feb 335
    Mar 353
    Apr 278
    May 353
    Jun 53
    Jul 155
    Aug 311

    Current as of 20:15 GMT 2011

    1. Tomato42
      Unhappy

      Interesting bit

      The interesting bit is the Chromium list: what are the over 200 certificates for?! It's more than even DigiNotar revoked themselves.

      Browsers should have treated OCSP or CRL failure as certificate revoked for a long time already, it's not like the CAs don't have the money to run servers...

      1. Anonymous Coward
        Anonymous Coward

        wrong solution

        The CAs are already running servers, but users are too impatient to wait for the browser to check every certificate in the chain and therefore, by default, most browsers disable this checking.

        Does this mean that instead of using a website to check my installed SSL certificates, I can just use Opera? If so, that will save me quite a bit of hassle.
