back to article Google tells Iranians: Change your Gmail password

Google has issued a blanket instruction advising Iranian users to check if their Gmail accounts might have been hacked as well as to change their passwords. The move follows the compromise of Dutch SSL certificate authority DigiNotar. Hackers created fake SSL certificate credentials for and many other domains. These …


This topic is closed for new posts.
  1. David Kelly 2

    Fake Certificates?

    Why does the media keep saying "fake" certificates? The Register should know better. The certificates were very much real, only that they were given to the wrong people.

    To say the certificates were fake is to suggest someone was able to create DigiNotar certificates of their own rather than what actually happened was they convinced DigiNotar to create erroneous certificates.

    If you convince NYPD to issue you a badge then while you may be a fake cop the badge is still very real.

    1. Anonymous Coward
      Anonymous Coward

      A fake Rolex

      Is a watch that looks like a Rolex - but upon closer examination isn't, similar to the implied status of the wearer that in fact isn't what it appears.

      So yes, these are fake certificates: the trust implied is in fact misplaced.

      1. Anonymous Coward
        Anonymous Coward

        trust implied?

        Trust implied by whom? IE, FF, Ch, Op? DigiNotar? Vasco? Or the current implementation?

        What would break if Microsoft, Mozilla, Google and Opera forced OCSP checking? would the CA's responders be able to handle the traffic?

      2. David 30

        Fake real

        So if I wear a real Rolex, but lie about who I am, that makes the watch a fake?


        1. Ian Halstead
          Thumb Up

          Only one rule to remember

          You wear a real Rolex?

          You are a fake human being.

      3. Craigness

        A better analogy

        If Rolex is supplying watches to Bob's Watch Shop and I tell Rolex that I work for Bob and Rolex gives me some Rolexes then they are not fake Rolexes.

    2. Daniel B.

      Kinda fake

      IIRC the 'hackers' actually forged their own certs using DigiNotar's CA, isn't this the case? There were no clueless DigiNotar dudes actually giving away certs. The forged certs would probably fail an OCSP check, so they're "fake" for all purposes.

  2. Bakunin
    Big Brother

    Two Factor Authentication

    Also, once you feel you're regained control of your account Google's two factor authentication is well worth considering.

  3. Yet Another Anonymous coward Silver badge

    @Two Factor Authentication

    " in that uses one-time passwords transmitted over mobile or land-line phones."

    So to log in to Gmail from Iran (or China or the UK) you get a secure encrypted https session and this is secured by an in-the-clear text message sent over the Iranian state cell phone network by the Iranian state owned cell phone company to your handset ?

    1. Anonymous Coward
      Anonymous Coward

      @Two Factor Authentication

      The point is it's a *one-time* password. They may have your regular password but will not be able to log in in the future with just that...

    2. Bakunin

      @Two Factor Authentication

      I see your issue if that's the technique you're using. However, something like the authentication app for Android (and I assume there are other platforms) doesn't use a connection and works as a one time pad. It will continually generate a new authentication code every thirty seconds in sync with Google's servers. Without the seed value it can't be mimicked.

      Alternatively, once you're logged in you can generate a printable list of one use codes. A handy low tech solution, even if it does need updating every dozen times or so.

This topic is closed for new posts.

Other stories you might like