Google tells Iranians: Change your Gmail password

Google has issued a blanket instruction advising Iranian users to check if their Gmail accounts might have been hacked as well as to change their passwords. The move follows the compromise of Dutch SSL certificate authority DigiNotar. Hackers created fake SSL certificate credentials for Google.com and many other domains. These …

COMMENTS

This topic is closed for new posts.
  1. David Kelly 2

    Fake Certificates?

    Why does the media keep saying "fake" certificates? The Register should know better. The certificates were very much real, only that they were given to the wrong people.

    To say the certificates were fake is to suggest someone was able to create DigiNotar certificates of their own, rather than what actually happened, which was that they convinced DigiNotar to create erroneous certificates.

    If you convince NYPD to issue you a badge then while you may be a fake cop the badge is still very real.

    1. Anonymous Coward

      A fake Rolex

      Is a watch that looks like a Rolex - but upon closer examination isn't, similar to the implied status of the wearer that in fact isn't what it appears.

      So yes, these are fake certificates: the trust implied is in fact misplaced.

      1. Anonymous Coward

        trust implied?

        Trust implied by whom? IE, FF, Ch, Op? DigiNotar? Vasco? Or the current implementation?

        What would break if Microsoft, Mozilla, Google and Opera forced OCSP checking? Would the CAs' responders be able to handle the traffic?

      2. David 30

        Fake real

        So if I wear a real Rolex, but lie about who I am, that makes the watch a fake?

        *Confused*

        1. Ian Halstead

          Only one rule to remember

          You wear a real Rolex?

          You are a fake human being.

      3. Craigness

        A better analogy

        If Rolex is supplying watches to Bob's Watch Shop and I tell Rolex that I work for Bob and Rolex gives me some Rolexes then they are not fake Rolexes.

    2. Daniel B.

      Kinda fake

      IIRC the 'hackers' actually forged their own certs using DigiNotar's CA, isn't this the case? There were no clueless DigiNotar dudes actually giving away www.google.com certs. The forged certs would probably fail an OCSP check, so they're "fake" for all purposes.

  2. Bakunin

    Two Factor Authentication

    Also, once you feel you've regained control of your account, Google's two-factor authentication is well worth considering.

    http://www.theregister.co.uk/2011/02/10/gmail_2_factor_authentication/

  3. Yet Another Anonymous coward Silver badge

    @Two Factor Authentication

    " in that uses one-time passwords transmitted over mobile or land-line phones."

    So to log in to Gmail from Iran (or China or the UK) you get a secure encrypted https session and this is secured by an in-the-clear text message sent over the Iranian state cell phone network by the Iranian state-owned cell phone company to your handset?

    1. Anonymous Coward

      @Two Factor Authentication

      The point is it's a *one-time* password. They may have your regular password but will not be able to log in in the future with just that...

    2. Bakunin

      @Two Factor Authentication

      I see your issue if that's the technique you're using. However, something like the authentication app for Android (and I assume there are other platforms) doesn't use a connection and works as a one time pad. It will continually generate a new authentication code every thirty seconds in sync with Google's servers. Without the seed value it can't be mimicked.

      Alternatively, once you're logged in you can generate a printable list of one use codes. A handy low tech solution, even if it does need updating every dozen times or so.
