Not all Certificates are Created Equal

The certificate authority (CA) DigiNotar was recently breached, and the intruders used its systems to issue fraudulent certificates. DigiNotar then failed to go through the proper channels to notify companies such as Mozilla, Google, and Microsoft, whose browsers "trust" certificates signed by numerous CAs without any further check. Previously, browsers would automatically accept any certificate chaining to DigiNotar's root; the compromise and DigiNotar's lack of communication have led most browser vendors to blacklist it, removing the root from their trust stores.

The certificates were abused in Iran, where an attacker, widely believed to be the government, intercepted citizens' requests to sites such as Google. A fraudulent certificate for Google's domain, issued by DigiNotar, was presented to their browsers in place of the real one. Because it chained to a root the browser trusted, the connection still showed the lock icon and looked secure, but it terminated at the interception point, which could read the traffic before forwarding it on. This is a classic man-in-the-middle attack.
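To make the mechanics concrete, here is an added example in Go, written for this page; it is not code from the original post, DigiNotar, or any browser vendor, and uses only the standard library's crypto/x509. It builds a "genuine" root CA and a "compromised" stand-in CA, has both issue a certificate for the same hypothetical hostname mail.example.com, and shows that path validation accepts the attacker's certificate as long as the compromised root sits in the trust store and rejects it once that root is removed, which is what the browser vendors did. It also goes one step beyond the post with a public-key pin check, the kind of check that catches a mis-issued certificate even while its CA is still trusted. All CA names, keys and the hostname are constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newRootCA builds a self-signed root. Both roots below are constructed
// test data, not real CAs.
func newRootCA(name string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// issueServerCert has ca sign a TLS server certificate for host. Nothing in
// X.509 stops whoever controls a trusted CA's signing key from issuing for a
// hostname it has no business certifying; that is the whole problem.
func issueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, serial int64) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// browserAccepts models ordinary path validation: accept if the leaf chains
// to any root in the store and is valid for the requested host.
func browserAccepts(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// spkiPin is the SHA-256 of the certificate's SubjectPublicKeyInfo, the value
// a pinning client compares against what it expects for the host.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// Outcome records what each trust configuration does with each certificate.
type Outcome struct {
	RogueAcceptedWhileTrusted    bool // rogue leaf, compromised root still in store
	RogueAcceptedAfterDistrust   bool // rogue leaf, compromised root removed
	GenuineAcceptedAfterDistrust bool // genuine leaf must keep working
	RoguePassesPin               bool // rogue leaf checked against the genuine key's pin
}

// Scenario replays the incident in miniature.
func Scenario() Outcome {
	const host = "mail.example.com" // hypothetical hostname
	genuineRoot, genuineKey := newRootCA("Genuine Root CA", 1)
	rogueRoot, rogueKey := newRootCA("Compromised Root CA", 2)
	genuineLeaf := issueServerCert(genuineRoot, genuineKey, host, 10)
	rogueLeaf := issueServerCert(rogueRoot, rogueKey, host, 11) // attacker's cert, same host

	shipped := x509.NewCertPool() // trust store as shipped: both roots trusted
	shipped.AddCert(genuineRoot)
	shipped.AddCert(rogueRoot)

	patched := x509.NewCertPool() // trust store after vendors pulled the compromised root
	patched.AddCert(genuineRoot)

	expectedPin := spkiPin(genuineLeaf) // what a pinning client would have built in

	return Outcome{
		RogueAcceptedWhileTrusted:    browserAccepts(rogueLeaf, shipped, host),
		RogueAcceptedAfterDistrust:   browserAccepts(rogueLeaf, patched, host),
		GenuineAcceptedAfterDistrust: browserAccepts(genuineLeaf, patched, host),
		RoguePassesPin:               spkiPin(rogueLeaf) == expectedPin,
	}
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

The point the output makes is that path validation answers only "does some trusted CA vouch for this name", never "is this the key this site actually uses"; removing the root fixes the first question for the future, while a pin on the expected public key is what detects the mis-issuance while it is happening.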

Google has notified approximately 300,000 account holders in Iran whose connections may have been intercepted and is encouraging them to change their passwords.

This is a smart move, though obviously a required one on Google's part, and I believe the blacklisting of DigiNotar certificates was the best course of action. We take the lock icon and https:// in our web browsers for granted, but this entire incident shows us what can happen when hacking and a lack of communication collide.