The question that needs to be asked ...
Have those Iranian Gmail users been notified that their accounts may have been compromised, and have they been made to change passwords?
The Google webmail of as many as 300,000 Iranians may have been intercepted using fraudulently issued security certificates made after a hack against Dutch certificate authority outfit DigiNotar, according to the preliminary findings of an official report into the megahack. Fox-IT, the security consultancy hired to examine the …
If what I am reading is correct there are no passwords being hacked here. The issue is unfortunately much, much worse. The hacker is able to act as a man in the middle and, with a legit SSL cert, look completely legit. Changing your password won't make a difference. It's sad that such organizations are able to pick up exactly where they left off. The only real solution I can think of is to use a tool like Convergence (I think that's the name) where the cert you're using will be validated against a cert organization of your choosing and not by the site itself. Even then I am not sure this would completely solve this type of attack.
Unless the Beeb or Sky fill the news channels with this, ignorance will ensure continued trust of systems the average user does not understand. How deep is the hole? That depends on whether you take the red or the blue pill. But which pill do the media offer up to you?
Trust, I would love to share it with you, but how can I trust you when I fear to trust myself, as much of my knowledge is based on the information I receive from those with an agenda that may well be incompatible with mine?
Honesty, integrity and truth are indeed absolutes but they can be severely distorted, hidden or presented in a contradictory light by little more than greed.
How is it that any old CA can issue a cert for a particular domain if a) some other CA has issued one or b) the requester doesn't control the domain? If I went to a domain registrar and tried to register google.com I'd be told that it was already registered. How come something similar doesn't happen with SSL certs? Surely building in some form of link to the domain registration shouldn't be too tricky? i.e. if someone wants to register an SSL cert for google.com then there has to be some form of authorisation from the google.com domain holder?
The check that stops you asking for a Google certificate is a manual one, not an automatic one. The hackers were able to get admin access to the servers issuing certificates. So they just issued them, bypassing the manual check.
There is nothing the browser can do (e.g. checking the root authority of the new Google cert against the root authority of the previous Google cert) because changing CA is a reasonable thing for site owners to want to do.
There normally are systems in place to prevent exactly what you described (when we last renewed our certificates we had to, among other things, prove that the domain we wanted the certificates for belonged to us) but this is on the front end for customers.
Technically there is nothing to stop any CA issuing certificates for any old domain, it is only their policy and procedure (and the programming of the ordering system) that stops it happening. Once you have hacked into the back-end of a CA with access to sign certificates 'manually' (i.e. not as a customer) you can do what you want.
Also, DNSSEC 'solves' this problem by putting the SSL certificate in the DNS (if you control the DNS you control the domain). Even if you can make new valid certificates you can't put them into the DNS without control of the domain [or compromising the DNS provider ;]
Paris just because...
"...you can't put them into the DNS without control of the domain [or compromising the DNS provider ;])"
Of course if this certificate was cut for man-in-the-middle attacks, it means that they already compromised the DNS provider to point blah.google.com to their man-in-the-middle server. But I assume that you already knew that, and hence the 'solves' and the ;]
a) So if the browser is talking to blah.google.com and receives a certificate issued by a CA, how does it know if any other servers in google.com have certificates from a different CA?
b) The certificate is created by doing some maths using the private key of the CA, the name of the CA, the server's name and the public key used to talk to the server. The maths doesn't know or care anything about who the server says it is or whether it should. Once you have access to the algorithm and the private key of the CA, you can cut any keys you want.
"The Google webmail of as many as 300,000 Iranians may have been intercepted using fraudulently issued security certificates ..."
Meanwhile, who knows how many Americans (& others) have had their webmail intercepted because the wondrous security services of the US have their fingers in all the pies?
Have you considered that DigiNotar has outed and facilitates accommodation and quarantine of right dodgy and decidedly designedly left of centre DODGI Cyber Security Space certificates ?
For Real SMART IntelAIgents in Great Game Plays. .... dDutch Bilderberg Renderings ...... Global BroadBandCasts.
Spooks in Clogs .... Now there's a Paradox and AI Parallel Dimension Hosting Portal.
Now that is a Stirling Virtual Machine of Magical Source Intellectual Property.
For Bigger Beta Picture Windows Wizards attending to the Bewitched at their Pleasure, Delivering Treasures.
And why not quite possibly also Private and Pirate Azure Cloud Phormations.
Sorry to be so plainly cryptic but present needs must in order to gain initiative response to Life in LOVE Worlds.
And that question to Microsoft, AI/MIVD.
"Vasco does not expect that the DigiNotar security incident will have a significant impact on the company’s future revenue or business plans,"
The arrogance from these people continues to astound me.
But surely I am not the only one thinking that if I were in the market for an SSL product, this is now the very last company I would approach?
DigiNotar basically had it coming. Early results of an ongoing investigation apparently showed that they were working with outdated software on their servers and that several office PCs weren't running any form of anti-virus software whatsoever.
Assuming all of that is true I can't really consider it a surprise that eventually stuff went wrong.
Which makes me wonder how well a government (Dutch government in this case) actually screens and checks companies before doing business with them.
.... and neither is AIDeveloped Vetting of Better Certain Winners in a Sea of Deep Oceans teeming with All Manner of Sad and Sorry, Mad and Bad Smartassed Losers ...... just Phishing.
"Which makes me wonder how well a government (Dutch government in this case) actually screens and checks companies before doing business with them." ... ShelLuser Posted Tuesday 6th September 2011 16:31 GMT
Well enough and long enough for any really smart novel venture checking out their facilities for necessary abilities and future growth development potential to ponder on the need for novel smart ventures to set up Global Communications Head Quarters in other Intellectual Property Areas in Foreign Jurisdictions....... although knowing the Dutch as they are, will that be best treated as just a fleeting thought to be considered unnecessary, as it will be covered by subsequent satellite operations and field missions.
"Vasco does not expect that the DigiNotar security incident will have a significant impact on the company’s future revenue or business plans,"
Revenue at the moment. Zero (other than the suicidally incompetent)
Revenue in the future. Zero. (other than the suicidally incompetent.)
I could write press releases/be an 'analyst' see ?
Quite a few press items on this seem to gently imply this being Iran spying on Iran.
As much as I'd like to believe that, given tensions between the West and Iran, and the hypothesis that Stuxnet originated in the US, I can't help but wonder if there is some clever mis-direction going on!
I can't stop myself from ignoring these stories like cold war stuff. Next we will hear Iranians eat their babies etc.
It is also impossible for tech media to do on scene, with actual reporters talking to both sides reporting. Nobody can explain the expense required while the story is right there, at Reuters feed.
I am not saying Iran or China doesn't play evil games, it is just that we don't really hear the whole story. For example, you read how evil the Chinese firewall and wiretapping are and yet you don't hear who has such technology to cope with petabytes of data in real time.
This new breed of script kiddies makes me wonder. They are either stupid, ignorant, or they are acting like some lamer while they are supported/protected by a government.
Not every country is as civilized as Holland, nor every company as clean as Comodo. Some countries and companies have a tendency to carry these online issues into the offline, real world, and they don't really have any kind of limit or any "human" feelings.
You know, what happened to that bot army owner after governments figured he actually has a super computer under his command. Found dead, for mysterious reasons.
These are not script kiddies installing r57.php via Joomla driveby.
These are the kind of people I dread to find on my servers and this only because they wanted me to.
And who was that bot herder who died? Wouldn't surprise me; these circles are shady and not filled with nice people. I remember the story of the german carder dude who suicided out of the blue in a public park. Hagbard was it?
I have seen him chat to the F-Secure boss via a centralised service like Twitter. Hypponen has some amazing ethics of course, but what about the other parties? Only a script kiddie who looks for popularity would act that way or, he (or the team) is a complete pro who manages to convince people that these are random lame attacks.
About that dead botnet guy, of course he is one we know:
it.slashdot.org/article.pl?sid=05/07/25/1745212
I try to convince people that they are actually dealing with the mafia once they get into such schemes, without luck. Of course, it could be some old-fashioned mob murder, but it is particularly interesting that he was murdered after a story appeared talking about a top500-class supercomputer under his hand actually doing nothing like spamming or phishing. If a botnet doesn't do the usual spam, phish and DoS attacks and it is millions in size, it is time to panic.