An Indian certificate authority in the Microsoft root of trust has been caught issuing fake Google subdomain certificates that would allow nearly undetectable eavesdropping on "secure" connections to services like Google Docs.
The certificate authority, India's National Informatics Centre, is not trusted by browsers and operating systems from vendors other than Microsoft. Cryptographic certificates in the "root of trust" for your operating system and browsers are implicitly trusted, and rogue certificates can be used to eavesdrop on your communications, trick you into installing malicious software, and otherwise attack the integrity of your system.
The problem of rogue certificate authorities is an important one, and I wrote a paper for Nature with Google's Ben Laurie on "Certificate Transparency," Google's initiative to quickly detect rogue certificates in the wild and identify the bad actors who issue them.
We are not aware of any other root stores that include the India CCA certificates, thus Chrome on other operating systems, Chrome OS, Android, iOS and OS X are not affected. Additionally, Chrome on Windows would not have accepted the certificates for Google sites because of public-key pinning, although misissued certificates for other sites may exist.
We promptly alerted NIC, India CCA and Microsoft about the incident, and we blocked the misissued certificates in Chrome with a CRLSet push.
On July 3, India CCA informed us that they revoked all the NIC intermediate certificates, and another CRLSet push was performed to include that revocation.
Chrome users do not need to take any action to be protected by the CRLSet updates. We have no indication of widespread abuse and we are not suggesting that people change passwords.
Maintaining digital certificate security [Adam Langley/Google Online Security]
(via Hacker News)
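The three checks the quoted Google post relies on (platform root store, public-key pinning, CRLSet-style blocking) can be modelled in a few lines. This is an added example, not Chrome's code: the SPKI byte strings, the host `unpinned.example`, the pin set and the function names are constructed placeholders, and the check order is a simplification.

```python
import base64
import hashlib

def spki_pin(spki_der: bytes) -> str:
    """Base64 SHA-256 of a SubjectPublicKeyInfo, the value a pin set stores."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

# Constructed stand-ins for DER SubjectPublicKeyInfo blobs (not real keys).
GOOGLE_CA_SPKI = b"constructed-spki:legitimate-google-issuing-ca"
ROGUE_INT_SPKI = b"constructed-spki:nic-intermediate"
INDIA_ROOT_SPKI = b"constructed-spki:india-cca-root"
OTHER_ROOT_SPKI = b"constructed-spki:some-other-root"

# Hypothetical built-in pin set: domain -> acceptable SPKI hashes.
PINS = {"google.com": {spki_pin(GOOGLE_CA_SPKI)}}

def pinned_set(host):
    """Return the pin set covering host (exact or parent domain), else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # never match on the bare TLD
        pins = PINS.get(".".join(labels[i:]))
        if pins is not None:
            return pins
    return None

def evaluate(host, chain_spkis, trusted_roots, blocked_spkis=frozenset()):
    """chain_spkis is ordered leaf to root. Returns (accepted, reason)."""
    hashes = {spki_pin(s) for s in chain_spkis}
    if spki_pin(chain_spkis[-1]) not in trusted_roots:
        return False, "untrusted root"
    if hashes & blocked_spkis:
        return False, "blocked by revocation list"
    pins = pinned_set(host)
    if pins is not None and not (hashes & pins):
        return False, "pin mismatch"
    return True, "ok"

WINDOWS_ROOTS = {spki_pin(INDIA_ROOT_SPKI), spki_pin(OTHER_ROOT_SPKI)}
OTHER_PLATFORM_ROOTS = {spki_pin(OTHER_ROOT_SPKI)}
ROGUE_CHAIN = [b"constructed-spki:rogue-leaf", ROGUE_INT_SPKI, INDIA_ROOT_SPKI]

if __name__ == "__main__":
    blocked = frozenset({spki_pin(ROGUE_INT_SPKI)})
    print(evaluate("docs.google.com", ROGUE_CHAIN, WINDOWS_ROOTS))
    print(evaluate("unpinned.example", ROGUE_CHAIN, WINDOWS_ROOTS))
    print(evaluate("unpinned.example", ROGUE_CHAIN, WINDOWS_ROOTS, blocked))
    print(evaluate("unpinned.example", ROGUE_CHAIN, OTHER_PLATFORM_ROOTS))
```

The second case is the gap the post notes for non-Google sites: without a pin, a chain to a trusted root is accepted until the intermediate is blocked.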