Hackers acquire Google certificate, could hijack Gmail accounts

Incoming windows patch to kill this certificate I guess.

 

The Microsoft advisory & Statement from Google

 

This is really great.
Dutch root certificate authority 'Diginotar' also issues certificates for most online interaction with Dutch authorities.
The Dutch digital citizen ID 'DIGID' is done by them which is used for communication with f.i. the Dutch IRS or the Department of Education.
Firefox by now has, understandably, revoked all Diginotar certificates, so no more online communication with those Dutch authorities websites anymore unless you agree to the 'can't be verified' message that is.

However, the Dutch 'Department of Home Affairs' has stated, they have full confidence in the company owning 'Diginotar', Vasco Security.
Again, great.
Then you read Mikko Hypponen's blog....and see that 'Diginotar' indeed has been owned.
Not just by Vasco Security but also by Turkish and Iranian hackers...since years. F-Secure blog link.

-edit;
Vasco Security/Diginotar press statement about revoking all fake certificates (but one; '.google.com' cert) after finding out about being hacked; link

 

Thanks guys for the info.

A few more links:

Some Dutch news sites (in Dutch):

http://www.nu.nl/internet/2602430/overheidsites-gedupeerd-aftappen-gmail.html

http://www.nu.nl/internet/2602052/microsoft-en-mozilla-ondernemen-actie-aftappen-gmail.html

http://www.nu.nl/internet/2601887/iraanse-regering-tapte-gmail-af.html

http://webwereld.nl/nieuws/107760/hackers-maakten-meer-diginotar-certificaten-buit.html

http://webwereld.nl/nieuws/107756/diginotar-nl-staat-al-jaren-open-voor-hackers.html

And some other links:

https://www.wilderssecurity.com/showthread.php?t=306540

http://blog.mozilla.com/security/2011/08/29/fraudulent-google-com-certificate/

http://www.google.co.uk/support/forum/p/gmail/thread?tid=2da6158b094b225a&hl=en

 

Thanks for the heads up!

 

FYI Chrome users are immune to this particular attack.

 

Baserk,

I like your posting in reply # 4. It summarizes quite nicely the issues involved in The Netherlands.

Another very long discussion in Dutch at http://tweakers.net/nieuws/76466/hackers-genereerden-zelf-vervalst-google-certificaat.html

 

No one is "immune" to this attack, you're talking about checking for revocation which nearly all modern browsers support, you can still click "allow" if you so choose.

There is nothing unique or special to Chrome that can help in this case no matter how you'd love to spin it.

 

Quite unnerving, being an avid user of those services.

 

http://googleonlinesecurity.blogspot.com/2011/08/update-on-attempted-man-in-middle.html

Chrome actually is inherently different from other browsers - who knew.

This attack also necessitates that the attacker has control over one of hte following:
Your ISP
Your Computer
Your Router
Your DNS server

or really anything between you and *.google.com

Not too much to worry about - you can do almost exactly what they are doing with sslstripper (much easier to use) and all you'd need to do is be on the same network as someone.

 

Please, read the blogs you link to.

Alerts that can be ignored. The only other way Chrome is different is the HSTS implementation which requires you to manually turn it on and configure.

So no, Chrome by default doesn't have advantages and is certainly not "immune" by any stretch of imagination.
But you are correct that for this attack to work you must divert the traffic.

 

Maybe I took above quote too much out of the context, but:
I would read the posting by Baserk and the F-Secure blog a bit better

 

The ENTIRE point of the certificate is that it makes the site look like google.com

a MITM attack is where you have one person communicating between you and google.com - the hacker. Without the certificate the hacker shows up as invalid.

The ONLY thing that this certificate does is make it so that the hacker shows up as valid.

The entire attack is that it tries to fool the user, the certificate gives them no powers to intercept traffic.

 

Anyway, like I said, if someone has access to your network there are easier ways than hacking a certificate from some foreign company.

sslstripper being one

 

I think there needs to be made a differentiation between what the 'google cert' has been used for in Iran and the ensuing consequences in the Netherlands.

First of all, the worst part is of course for those in Iran who are now perhaps in the hands of horrifying Iranian intel/security forces.
This was the result of the fake cert and government controlled DNS servers and ISP's.

The second, way less harmful but nevertheless very annoying part, is the DigiNotar hack follow-up.
The response from DigiNotar after becoming aware of the Juli 19th hack, was to have it checked by an external security audit party and then to revoke all fraudulently issued certificates.
That is, all of them but the Google one, as was found out weeks later; a fail for (again) DigiNotar and the external audit party.
Apparantly neither DigiNotar nor the external auditing party had been able to accurately verify how many certs have been 'issued'.
Because DigiNotar also has issued certs for Dutch government sites and all major browser companies/organizations now have decided to ban this CA, Dutch folks will now have browser warning issues when visiting these 'nlgov' sites.

Personally I wonder if I'm going to read tomorrow; 'All fraudulently issued certificates have been revoked and the google one of course. And also the...'
But let's not forget who really have been hurt (quite likely literally) by this hack.

 

Hi Baserk,

Your posting in reply # 16 is very good

I was all the time trying to find the right words for the different situation in Iran and The Netherlands without getting into a political discussion. I couldn't. But you found the right words. Thank you

 

I was pretty happy about the Microsoft advisory. I like not having to do anything.

 

Except when you're still on XP.

 

Yet another security enhancement of 7? Who'da thunk it!

 

Reminder: XP is 10 years old, move on already =p

 

When I was 10 Years old I was very young

 

http://googlechromereleases.blogspot.com/

 

How to fix in Firefox:
http://support.mozilla.com/en-US/kb/deleting-diginotar-ca-cert

 

Exactly. XP is only 2 years newer than Windows 98 SE.