An Indian certificate authority in the Microsoft root of trust has been caught issuing fake Google subdomain certificates that would allow nearly undetectable eavesdropping on "secure" connections to services like Google Docs.
The certificate authority, India's National Informatics Centre, is not trusted by browsers and operating systems from vendors other than Microsoft. Cryptographic certificates in the "root of trust" for your operating system and browsers are implicitly trusted, and rogue certificates can be used to eavesdrop on your communications, trick you into installing malicious software, and otherwise attack the integrity of your system.
The problem of rogue certificate authorities is an important one, and I wrote a paper for Nature with Google's Ben Laurie on "Certificate Transparency," Google's initiative to quickly detect rogue certificates in the wild and identify the bad actors who issue them.
We are not aware of any other root stores that include the India CCA certificates, thus Chrome on other operating systems, Chrome OS, Android, iOS and OS X are not affected. Additionally, Chrome on Windows would not have accepted the certificates for Google sites because of public-key pinning, although misissued certificates for other sites may exist.
We promptly alerted NIC, India CCA and Microsoft about the incident, and we blocked the misissued certificates in Chrome with a CRLSet push.
On July 3, India CCA informed us that they revoked all the NIC intermediate certificates, and another CRLSet push was performed to include that revocation.
Chrome users do not need to take any action to be protected by the CRLSet updates. We have no indication of widespread abuse and we are not suggesting that people change passwords.
Maintaining digital certificate security [Adam Langley/Google Online Security]
(via Hacker News)
The new data-sharing rules enacted by the Obama administration will allow the NSA to lawfully share the unredacted, full take of its surveillance databases with sixteen other US government agencies — meaning that, for example, Trump’s door-to-door deportation squads could use that data to figure out who’s doors to break down, and his Muslim surveillance […]
Kamala Harris was just sworn in as a senator from California, but her last gig was as California’s Attorney General, and in that role, she decided not to prosecute Trump Treasury Secretary pick Steve Mnuchin, whom her office had identified as presiding over “widespread misconduct” in foreclosing on Californians — that is, stealing their houses.
Update: They’ve backed down because Trump warned them it would be a distraction from taking away healthcare and giving tax cuts to rich people. The independent Office of Congressional Ethics — created in 2008 after three Congressmen were jailed for corruption — has been stripped of its powers by the House GOP, who held an […]
Computer hacking isn’t just something happening to the DNC. Major software companies need white-hat hackers to ensure the security of their products and users, and I came across a Computer Hacker Professional Certification Package that conveniently teaches those advanced IT techniques online.This course package will prepare you for various computer security certification exams with over 60 hours […]
One of the best ways to progress a career in project management is through earning recognized certifications. These certifications carry significant clout and don’t require expensive tuition or student loans. This Ultimate Project Management Certification Bundle is a great example of an affordable way to get ahead. It includes training for 9 certifications including PMP, […]
There’s nothing quite like the rush of playing against a real human opponent. But from a developer standpoint, creating fun multiplayer experiences is incredibly complex. Fortunately, the Unity3D game engine has made all aspects of game creation, including multiplayer functionality, as accessible as ever.This Unity Course Bundle introduces all of the necessary elements of creating […]