Rogue Google SSL Certificate Found in the Wild

[jamescv7]

A rogue Google SSL certificate issued by DigiNotar, a Certificate Authority (CA) based in the Netherlands, was found in the wild being used in a man-in-the-middle attack against Gmail users.

The certificate was spotted by an Iranian user when he tried to access Gmail thanks to an error displayed by Google Chrome.

The certificate was issued for *.google.com by DigiNotar on July 10, 2011, which means it could have been used for attacks against most Google services for over 5 weeks until it was revoked by the Dutch CA.

This is a major security breach in the public key infrastructure (PKI) which relies on root Certificate Authorities to issue certificates that identify domain names.

Serious questions about the security of the CA-based model have been raised back in March when an Iranian hacker managed to break into a Comodo reseller and issue rogue certificates for many high-profile websites.

Read More

 

[Deleted member 178]

lot of google issues lately...

 

[HeffeD]

lot of google issues lately...

The bigger the target is, the more people will try to attack it.

But I'm assuming you know the issued certificate is no fault of Google's?

 

[Hungry Man]

No, not Google's fault. And a browser update is enough to fix this (actually Chrome users are already immune to this.)

This also needs the attacker to have control of either:
Your computer
Your DNS server
Your ISP
Your Router

or something that is "in the middle" of you and google.com

EDIT: This would effect people using insecure networks but in that case all anyone has to use is sslstripper.

 

[jamescv7]

Since DigiNotar was not one of those associated with Gmail, Chrome issued a SSL error which prompted the Iranian user to investigate. Google has alerted Microsoft, Mozilla and other vendors that trust certificates from DigiNotar by default.

All of the three vendors have issued or plan to issue updates for their products that completely remove DigiNotar from the list of trusted CAs, an unprecedented measure hailed by the security community.

Hopefully this issue will be solve since its plan to make an update to remove the certificate.

 

[HeffeD]

It's interesting to note that in the initial response from DigiNotar, they said they didn't forsee any monetary impact from this. Well, if Google, Microsoft, and Mozilla are all blacklisting them, it's very definitely going to have an impact on their bottom line...

 

[Deleted member 178]

but I'm assuming you know the issued certificate is no fault of Google's?

yes we know, almost same as comodo reseller before: but the user lambda may not know.

 

[Hungry Man]

It's interesting to note that in the initial response from DigiNotar, they said they didn't forsee any monetary impact from this. Well, if Google, Microsoft, and Mozilla are all blacklisting them, it's very definitely going to have an impact on their bottom line...

It's only a temporary blacklist I assume. And chances are they provide certs for hundreds of sites.

 

[Ramblin]

No, not Google's fault. And a browser update is enough to fix this (actually Chrome users are already immune to this.)

Firefox just did it, by releasing FF 6.0.1.

Bo

 

[illumination]

Google blacklists 247 certificates. Is it related to DigiNotar hacking incident?

Google has blacklisted over 200 certificates seemingly related to the DigiNotar hacking incident. What is the full extent of this breach, and who else may have been targeted?
Read More

 

[jamescv7]

RE: Google blacklists 247 certificates. Is it related to DigiNotar hacking incident?

Probably Google are making sure that the certificates are really to be trusted. Since new certificates needs to be verified.

 

[Deleted member 178]

RE: Google blacklists 247 certificates. Is it related to DigiNotar hacking incident?

a least they reacted fastly.

 

[Ink]

RE: Google blacklists 247 certificates. Is it related to DigiNotar hacking incident?

(Y)

Firefox releases 6.0.1 to:

• Revoked the root certificate for DigiNotar due to fraudulent SSL certificate issuance (see bug 682927 and the security advisory)

 

[HeffeD]

It's only a temporary blacklist I assume. And chances are they provide certs for hundreds of sites.

Yes, but even so, it's a major black eye for the CA!

It has already come to light that by disallowing the DigiNotar root, they've killed some certs issued to the Dutch government. :blush:

 

[Jack]

RE: Google blacklists 247 certificates. Is it related to DigiNotar hacking incident?

Again this Iranian hackers??
The main issue here is not as much thata fraudulent SSL certificates were issued,but that nobody didn't noticed anything for 40 days.

 

[HeffeD]

RE: Google blacklists 247 certificates. Is it related to DigiNotar hacking incident?

Again this Iranian hackers??
The main issue here is not as much that a fraudulent SSL certificate were issued,but that nobody didn't noticed that for 40 days.

Absolutely! Comodo's reseller noticed the problem with their falsely issued certificate and revoked them within hours. 40 days is ridiculous... :s

Also interesting, when the Comodo reseller incident occurred, nobody believed them about the Iranian angle. Now apparently they do.

 

[jamescv7]

Seems its like a coincidence, before it was an Iranian hacker about the issue on certificates with Comodo then now an Iranian user spotted the Rogue SSL Certificate.

 

[Jack]

Why would Iranian hackers be interested in Gmail users .. there are no real valuable information in most email accounts...It would make sense to target them if you were lets say, a government authority and were trying to find dissidents or spies.. Just saying....
The CA's need to be held responsible for this certificates, its their job to properly secure them.

Related videos:

BlackHat USA 2011: SSL And The Future Of Authenticity

In the early 90's, at the dawn of the World Wide Web, some engineers at Netscape developed a protocol for making secure HTTP requests, and what they came up with was called SSL. Given the relatively scarce body of knowledge concerning secure protocols at the time, as well the intense pressure that everyone at Netscape was working under, their efforts can only be seen as incredibly heroic. But while it's amazing that SSL has endured for as long as it has, some parts of it -- particularly those concerning Certificate Authorities -- have always caused some friction, and have more recently started to cause real problems.

This talk will provide an in-depth examination of the current problems with authenticity in SSL, discuss some of the recent high-profile SSL infrastructure attacks in detail, and cover some potential strategies for the future. It will conclude with a software release that aims to definitively fix the disintegrating trust relationships at the core of this fundamental protocol.

---

Why Internet users cannot completely trust certifications

Recent events have highlighted that certification -- and the lack of accountability in signing files, code signing or SSL certificates -- have become a major security issue affecting the Internet. Watch F-Secure's Mikko Hyppönen, Chief Research Officer, and Sean Sullivan, Security Advisor, discussing on this topic.

 

[HeffeD]

Seems its like a coincidence, before it was an Iranian hacker about the issue on certificates with Comodo then now an Iranian user spotted the Rogue SSL Certificate.

No coincidence. An Iranian user noticed it because it mainly affected users in Iran. (Which would imply something to do with the Iranian government being behind this...)

Google has also said Iran is behind this latest certificate fraud.

 

[Hungry Man]

Hacking a cetificate is unnecessary for a man in the middle attack unless you need to be "far away" from the victim in terms of your connection - ie: being in control of their DNS rather than their router.

If I'm at a starbucks sitting around with a bunch of people I sure as hell don't need to hack myself a certificate in order to perform man in the middle attacks.