An Indian certificate authority in the Microsoft root of trust has been caught issuing fake Google subdomain certificates that would allow nearly undetectable eavesdropping on "secure" connections to services like Google Docs.
The certificate authority, India's National Informatics Centre, is not trusted by browsers and operating systems from vendors other than Microsoft. Cryptographic certificates in the "root of trust" for your operating system and browsers are implicitly trusted, and rogue certificates can be used to eavesdrop on your communications, trick you into installing malicious software, and otherwise attack the integrity of your system.
The problem of rogue certificate authorities is an important one, and I wrote a paper for Nature with Google's Ben Laurie on "Certificate Transparency," Google's initiative to quickly detect rogue certificates in the wild and identify the bad actors who issue them.
We are not aware of any other root stores that include the India CCA certificates, thus Chrome on other operating systems, Chrome OS, Android, iOS and OS X are not affected. Additionally, Chrome on Windows would not have accepted the certificates for Google sites because of public-key pinning, although misissued certificates for other sites may exist.
We promptly alerted NIC, India CCA and Microsoft about the incident, and we blocked the misissued certificates in Chrome with a CRLSet push.
On July 3, India CCA informed us that they revoked all the NIC intermediate certificates, and another CRLSet push was performed to include that revocation.
Chrome users do not need to take any action to be protected by the CRLSet updates. We have no indication of widespread abuse and we are not suggesting that people change passwords.
Maintaining digital certificate security [Adam Langley/Google Online Security]
(via Hacker News)
For more than four years, we’ve been writing about Prenda Law, a prolific copyright troll (that is, a company that sends dire legal threats and demands for money to people they accuse of copyright infringement, based on the flimsiest of evidence), whose conduct is so breathtakingly illegal that it feels like satire or performance art […]
When Purdue Pharma’s patent on the MS Contin was close to expiry, the Sackler family who owned the company spent millions trying to find a product that could replace the profits they’d lose from generic competition on MS Contin: the result was Oxycontin, a drug that went on to kill Americans at epidemic scale.
The questions posed by David Cay Johnston include some tough-to-avoid queries about Trump’s involvement with the mafia, the regulatory findings against his company for unfair and unsafe employment practices, and times when Trump had admitted to shading the truth or lying outright about his affairs.
Every company wants to harness the power of social media, but few understand how to make that happen. Be one of those select few with this Social Media Marketing Course & Certification package, now just $29 in the Boing Boing Store.Over 12 modules of course material, you’ll learn what it takes to increase a brand’s […]
If you’ve got a killer app idea, but don’t have the technical expertise to pull it off, get a crash course in all things app development with the Comprehensive Android Development Bundle, now over 90% off in the Boing Boing Store. Across 83 hours of training, you’ll learn to develop for the world’s most popular mobile OS, mastering […]
Jared Sinclair developed the RSS reader app Unread, which made $10,000 in its first 24 hours on the iOS market. And we’ve all heard the story of Flappy Bird developer Dong Nguyen, whose creation was reportedly earning $50,000 a day at the height of its 2013 explosion. While those are rare examples, they’re also testament to the […]