Hackers acquire Google certificate, could hijack Gmail accounts

Discussion in 'other security issues & news' started by ronjor, Aug 29, 2011.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,740
    Location:
    Texas
    https://www.infoworld.com/d/securit...ertificate-could-hijack-gmail-accounts-171116
     
  2. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Incoming windows patch to kill this certificate I guess.
     
  3. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Last edited: Aug 31, 2011
  4. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    This is really great.
    Dutch root certificate authority 'Diginotar' also issues certificates for most online interaction with Dutch authorities.
    The Dutch digital citizen ID 'DIGID' is done by them which is used for communication with f.i. the Dutch IRS or the Department of Education.
    Firefox by now has, understandably, revoked all Diginotar certificates, so no more online communication with those Dutch authorities' websites anymore unless you agree to the 'can't be verified' message, that is.

    However, the Dutch 'Department of Home Affairs' has stated, they have full confidence in the company owning 'Diginotar', Vasco Security.
    Again, great.
    Then you read Mikko Hypponen's blog....and see that 'Diginotar' indeed has been owned.
    Not just by Vasco Security but also by Turkish and Iranian hackers...for years. :eek: F-Secure blog link.

    -edit;
    Vasco Security/Diginotar press statement about revoking all fake certificates (but one; '.google.com' cert) after finding out about being hacked; link
     
    Last edited: Aug 30, 2011
  5. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
  6. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    2,825
    Thanks for the heads up!
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    FYI Chrome users are immune to this particular attack.
     
  8. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
  9. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    No one is "immune" to this attack; you're talking about checking for revocation, which nearly all modern browsers support. You can still click "allow" if you so choose.

    There is nothing unique or special to Chrome that can help in this case no matter how you'd love to spin it.
     
  10. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Quite unnerving, being an avid user of those services.
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    http://googleonlinesecurity.blogspot.com/2011/08/update-on-attempted-man-in-middle.html
    Chrome actually is inherently different from other browsers - who knew.

    This attack also necessitates that the attacker has control over one of the following:
    Your ISP
    Your Computer
    Your Router
    Your DNS server

    or really anything between you and *.google.com

    Not too much to worry about - you can do almost exactly what they are doing with sslstripper (much easier to use) and all you'd need to do is be on the same network as someone.
     
  12. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Please, read the blogs you link to.

    Alerts that can be ignored. The only other way Chrome is different is the HSTS implementation which requires you to manually turn it on and configure.

    So no, Chrome by default doesn't have advantages and is certainly not "immune" by any stretch of imagination.
    But you are correct that for this attack to work you must divert the traffic.
     
  13. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Maybe I took the above quote too much out of context, but:
    I would read the posting by Baserk and the F-Secure blog a bit better ;)
     
    Last edited: Aug 30, 2011
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    The ENTIRE point of the certificate is that it makes the site look like google.com

    A MITM attack is where you have one person communicating between you and google.com - the hacker. Without the certificate the hacker shows up as invalid.

    The ONLY thing that this certificate does is make it so that the hacker shows up as valid.

    The entire attack is that it tries to fool the user, the certificate gives them no powers to intercept traffic.
     
  15. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Anyway, like I said, if someone has access to your network there are easier ways than hacking a certificate from some foreign company.

    sslstripper being one
     
    Last edited: Aug 30, 2011
  16. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    I think there needs to be made a differentiation between what the 'google cert' has been used for in Iran and the ensuing consequences in the Netherlands.

    First of all, the worst part is of course for those in Iran who are now perhaps in the hands of horrifying Iranian intel/security forces.
    This was the result of the fake cert and government-controlled DNS servers and ISPs.

    The second, way less harmful but nevertheless very annoying part, is the DigiNotar hack follow-up.
    The response from DigiNotar after becoming aware of the July 19th hack was to have it checked by an external security audit party and then to revoke all fraudulently issued certificates.
    That is, all of them but the Google one, as was found out weeks later; a fail for (again) DigiNotar and the external audit party.
    Apparently neither DigiNotar nor the external auditing party had been able to accurately verify how many certs have been 'issued'.
    Because DigiNotar also has issued certs for Dutch government sites and all major browser companies/organizations now have decided to ban this CA, Dutch folks will now have browser warning issues when visiting these 'nlgov' sites.

    Personally I wonder if I'm going to read tomorrow; 'All fraudulently issued certificates have been revoked and the google one of course. And also the...'
    But let's not forget who really have been hurt (quite likely literally) by this hack.
     
  17. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Hi Baserk,

    Your posting in reply # 16 is very good :thumb:

    I was all the time trying to find the right words for the different situation in Iran and The Netherlands without getting into a political discussion. I couldn't. But you found the right words. Thank you :thumb:
     
  18. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,047
    Location:
    USA
    I was pretty happy about the Microsoft advisory. I like not having to do anything.

     
  19. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Except when you're still on XP.
     
  20. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Yet another security enhancement of 7? Who'da thunk it!
     
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Reminder: XP is 10 years old, move on already =p
     
  22. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    When I was 10 Years old I was very young :-*
     
  23. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    2,825
  24. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,127
    Location:
    USA
  25. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,047
    Location:
    USA
    Exactly. XP is only 2 years newer than Windows 98 SE. :D
     