An Indian certificate authority that chains to a root in Microsoft's trust store has been caught issuing unauthorized certificates for Google domains; a certificate like that would allow nearly undetectable eavesdropping on "secure" HTTPS connections to services like Google Docs.
The certificate authority, India's National Informatics Centre (NIC), is an intermediate CA under India's Controller of Certifying Authorities (India CCA), whose root is trusted only by Microsoft's root store, so browsers and operating systems from other vendors are not affected (Chrome on Windows, which uses the Microsoft store, is). Certificate authorities in your operating system's or browser's "root of trust" are implicitly trusted, so a rogue certificate that chains to one of them can be used to eavesdrop on your communications, trick you into installing malicious software, and otherwise attack the integrity of your system.
The problem of rogue certificate authorities is an important one, and I wrote a paper for Nature with Google's Ben Laurie on "Certificate Transparency," Google's initiative to quickly detect rogue certificates in the wild and identify the bad actors who issue them.
We are not aware of any other root stores that include the India CCA certificates; thus Chrome on other operating systems, Chrome OS, Android, iOS and OS X are not affected. Additionally, Chrome on Windows would not have accepted the certificates for Google sites because of public-key pinning, although misissued certificates for other sites may exist.
We promptly alerted NIC, India CCA and Microsoft about the incident, and we blocked the misissued certificates in Chrome with a CRLSet push.
On July 3, India CCA informed us that they revoked all the NIC intermediate certificates, and another CRLSet push was performed to include that revocation.
Chrome users do not need to take any action to be protected by the CRLSet updates. We have no indication of widespread abuse and we are not suggesting that people change passwords.
Maintaining digital certificate security [Adam Langley/Google Online Security]
(via Hacker News)
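The public-key pinning that Google credits with protecting Chrome on Windows, as an added example in Go that is not code from Google or from the original post: it builds a constructed root store containing two self-signed CAs, has the rogue one issue a certificate for a hostname it has no business issuing for, and shows that ordinary chain validation accepts that certificate while an SPKI pin rejects it. The CA names, the hostname docs.google.com, the serial-number counter, and the choice to pin the leaf key rather than a CA key are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// Constructed scenario (not Google's code): a root store that, like Microsoft's in the
// incident, trusts a CA with no business issuing for host, and the pin check that rejects it.
const host = "docs.google.com" // hostname chosen for the example
var serial int64                // serial-number counter for the example certificates

// certTemplate builds a CA or server-certificate template for cn.
func certTemplate(cn string, isCA bool) *x509.Certificate {
	serial++
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	} else {
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// mustIssue generates a fresh P-256 key for tmpl and has signer certify it with
// parent as the issuer; signer == nil produces a self-signed root.
func mustIssue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if signer == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// spkiPin is the base64 SHA-256 of the SubjectPublicKeyInfo, the pin form used
// by HPKP and by Chrome's built-in pin list.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// chainTrusted is ordinary path validation: does leaf chain to a root for host?
func chainTrusted(leaf *x509.Certificate, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// pinSatisfied is the extra check: does the leaf carry one of the expected keys?
func pinSatisfied(leaf *x509.Certificate, pins map[string]bool) bool {
	return pins[spkiPin(leaf)]
}

// Outcome records how each certificate fares under each check.
type Outcome struct{ LegitTrusted, LegitPinned, RogueTrusted, RoguePinned bool }

func runScenario() Outcome {
	goodCA, goodKey := mustIssue(certTemplate("Example Good CA", true), nil, nil)
	rogueCA, rogueKey := mustIssue(certTemplate("Example Rogue CA", true), nil, nil)
	roots := x509.NewCertPool() // both are trusted, as India CCA was in Microsoft's store
	roots.AddCert(goodCA)
	roots.AddCert(rogueCA)
	legit, _ := mustIssue(certTemplate(host, false), goodCA, goodKey)
	// The misissued certificate: right name, trusted issuer, attacker's own key.
	rogue, _ := mustIssue(certTemplate(host, false), rogueCA, rogueKey)
	// Pin the key the site is expected to present. Pinning the leaf key keeps the
	// example short; Chrome pins Google's own CA keys, which has the same effect.
	pins := map[string]bool{spkiPin(legit): true}
	return Outcome{
		LegitTrusted: chainTrusted(legit, roots), LegitPinned: pinSatisfied(legit, pins),
		RogueTrusted: chainTrusted(rogue, roots), RoguePinned: pinSatisfied(rogue, pins),
	}
}

func main() {
	fmt.Printf("%+v\n", runScenario()) // RogueTrusted:true RoguePinned:false
}
```

Run it with `go run`; it needs only the standard library. The point of the output is the RogueTrusted/RoguePinned pair: path validation is satisfied by any trusted CA, so a trust store with one bad member is enough to make the misissued certificate look fine, and only the pin, which says which key the site is supposed to have, catches it. That is also why the pin helps only the sites that carry one, which is the limitation Google's post acknowledges for "other sites" and the gap Certificate Transparency is meant to close.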