An Indian certificate authority in the Microsoft root of trust has been caught issuing fake Google subdomain certificates that would allow nearly undetectable eavesdropping on "secure" connections to services like Google Docs.
The certificate authority, India's National Informatics Centre, is not trusted by browsers and operating systems from vendors other than Microsoft. Cryptographic certificates in the "root of trust" for your operating system and browsers are implicitly trusted, and rogue certificates can be used to eavesdrop on your communications, trick you into installing malicious software, and otherwise attack the integrity of your system.
The problem of rogue certificate authorities is an important one, and I wrote a paper for Nature with Google's Ben Laurie on "Certificate Transparency," Google's initiative to quickly detect rogue certificates in the wild and identify the bad actors who issue them.
We are not aware of any other root stores that include the India CCA certificates, thus Chrome on other operating systems, Chrome OS, Android, iOS and OS X are not affected. Additionally, Chrome on Windows would not have accepted the certificates for Google sites because of public-key pinning, although misissued certificates for other sites may exist.
We promptly alerted NIC, India CCA and Microsoft about the incident, and we blocked the misissued certificates in Chrome with a CRLSet push.
On July 3, India CCA informed us that they revoked all the NIC intermediate certificates, and another CRLSet push was performed to include that revocation.
Chrome users do not need to take any action to be protected by the CRLSet updates. We have no indication of widespread abuse and we are not suggesting that people change passwords.
Maintaining digital certificate security [Adam Langley/Google Online Security]
(via Hacker News)