Startcom
Startcom's website admitted a breach a few months ago, and their service was offline for some time as a result... Perhaps this was the same attack?
An internet user with proven ties to the DigiNotar hack claims he stole email, customer data and other sensitive data from two competing web authentication authority that will be released publicly soon. In a statement posted Thursday, an individual calling himself Comodohacker expanded on previous claims that he breached the …
... sponsored by the Iranian government, then the CAs can say "We were not breached by one person with too much time on their hands because we are incompetent; we are under attack from a hostile, state under sanctions from the UN!!1!1!oneone... Send in the bombers!"
It's state sponsored in the same way the comodo breaches were: the IP provided by Comodo was involved with the breaches. Thing is, its user used a video how to site to learn about MITM and downloaded sslsniff from Moxie Marlinspike website leaving a HTTP referrer...
Remember, to a CEO, any computer user that knows WinKey+R opens Run dialog and "cmd" is the shell executable is "sophisticated".
Whole CA business is a security theater, now we finally see that the gold is painted and mahogany is made from pine wood.
"claims Microsoft made Monday that fraudulently issued certificates for domains including *.microsoft.com and *.windowsupdate.com could *NOT* be used to hijack Microsoft's security update system."
And I think Microsoft is right in that the certificate isn't enough, you also have to bend DNS or bend the network to make PCs communicate with your evil server instead of the real one.
And I think it's still illegal to supply Microsoft Windows or other American software to Iran anyway, which logically would also include Windows updates. I've been expecting that that'd be the next law case against Linux, whose licence doesn't include that rule.
If we believe Microsoft's claim that updates have to be signed by the Microsoft root CA, then even persuading clients to talk to your fraudulent server wouldn't be enough to hijack Windows Update.
And this is a *very* plausible claim. In fact, I'd be quite shocked if it weren't true.
Remember, to a CEO, any computer user that knows WinKey+R opens Run dialog and "cmd" is the shell executable is "sophisticated".
***
Really priceless quote.
PKI has been hamstrung by the "good enough" approach long enough, as have been most parts of the Internet infrastructure. The mere mention of "you also have to bend DNS" immediately brought to mind the cache poisoning exploit discovered 3 years ago. In that case the most troubling quote I saw was from Kaminsky himself, when he said, "this is how the Internet works."