DigiNotar SSL certificate compromise
August 30, 2011 3:14 PM
posted by Nelson
Two days ago a user asked Google about a strange warning he was getting when trying to access Gmail from Iran. Turns out he was getting a fraudulent SSL certificate that was issued incorrectly for *.google.com by DigiNotar, a Dutch certificate authority. It seems likely this was a deliberate man-in-the-middle attack to snoop email in Iran. This attack is the second SSL certificate compromise in a year (previously), pointing to a fundamental design flaw in Internet security.
Every web browser has a list of hundreds of certificate authorities representing entities around the world. All CAs are equally trusted: if any one CA has a security breach or deliberately issues a bad certificate then every site in the world can be impersonated. DigiNotar was compromised on July 19. Today, August 30, Google and Microsoft have all removed DigiNotar's authority via a patch, closing this hole in their desktop browsers. Until the next time a CA is compromised.