An Indian certificate authority in the Microsoft root of trust has been caught issuing fake Google subdomain certificates that would allow nearly undetectable eavesdropping on "secure" connections to services like Google Docs.
The certificate authority, India's National Informatics Centre, is not trusted by browsers and operating systems from vendors other than Microsoft. Cryptographic certificates in the "root of trust" for your operating system and browsers are implicitly trusted, and rogue certificates can be used to eavesdrop on your communications, trick you into installing malicious software, and otherwise attack the integrity of your system.
The problem of rogue certificate authorities is an important one, and I wrote a paper for Nature with Google's Ben Laurie on "Certificate Transparency," Google's initiative to quickly detect rogue certificates in the wild and identify the bad actors who issue them.
We are not aware of any other root stores that include the India CCA certificates, thus Chrome on other operating systems, Chrome OS, Android, iOS and OS X are not affected. Additionally, Chrome on Windows would not have accepted the certificates for Google sites because of public-key pinning, although misissued certificates for other sites may exist.
We promptly alerted NIC, India CCA and Microsoft about the incident, and we blocked the misissued certificates in Chrome with a CRLSet push.
On July 3, India CCA informed us that they revoked all the NIC intermediate certificates, and another CRLSet push was performed to include that revocation.
Chrome users do not need to take any action to be protected by the CRLSet updates. We have no indication of widespread abuse and we are not suggesting that people change passwords.
Maintaining digital certificate security [Adam Langley/Google Online Security]
(via Hacker News)