In 2012, Google introduced Certificate Transparency, an internet-wide tripwire system designed to catch cryptographic "certificate authorities" who abused their position to produce counterfeit credentials that would allow criminals, governments and police to spy on and tamper with secure internet connections.
Since then, CT has caught some pretty egregious offenders, most notably Symantec, whose certificates were nearly phased out of the web earlier this year after the company was caught in repeated cheats and malpractice.
Now Google -- with help from Mozilla -- is giving the internet death penalty to WoSign and its subsidiary StartCom, Chinese Certificate Authorities who have been caught forging multiple certificates, including fake GitHub credentials.
Update: Symantec's certificates were not purged from the web in the end; after a substantial wrangle in which Symantec made promises to reform its processes and in which browser vendors reduced their trust levels in pre-reform certificates, a reprieve from the internet trust death penalty was sought and won for Symantec.
The move to begin blacklisting the CA occurred last year. In August 2016, WoSign was caught issuing fake HTTPS certificates for GitHub domains, which are a severe security risk because attackers could use such a certificate to impersonate GitHub domains and compromise user communications.
Google and Mozilla then teamed up to investigate the CA and managed to uncover other instances of unauthorized certificates being issued.
Chrome version 56 was the first to disallow certificates issued by WoSign and StartCom, after "technical limitations and concerns" suggested that the CA was not complying with Chrome's Certificate Transparency policy.
Mozilla also announced plans to ban new certificates signed off by WoSign and StartCom through Firefox 51, released in January.
Google guillotine falls on certificate authorities WoSign, StartCom