SecurityGarden

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Tuesday, August 30, 2011

Fraudulent *.google.com SSL Certificate

Posted on 3:11 PM by Unknown
A fraudulent SSL certificate was issued for the .google.com domain name from Diginotar, a Dutch Certificate Authority on July 10,2011. The articles referenced below provide background information and a time-line about the events.  

Of concern, is whether your browser is protected from spoofs, phishing attacks, or man-in-the-middle attacks from subdomains of google.com.

Internet Explorer

Microsoft issued Security Advisory (2607712): Fraudulent Digital Certificates Could Allow Spoofing, indicating that the precautionary step of removing the DigiNotar root certificate from the Microsoft Certificate Trust List.

All supported editions of Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 use the Microsoft Certificate Trust List to validate the trust of a certification authority.  Should you land on a website or attempt to install a program signed by the DigiNotar root certificate, you will receive an invalid certificate error.

A future update will be released to address this issue for all supported editions of Windows XP and Windows Server 2003.

Mozilla Firefox

The Mozilla Security Blog reported at Fraudulent *.google.com Certificate at Mozilla Security Blog that new versions of Firefox for desktop (3.6.21, 6.0.1, 7, 8, and 9) and mobile (6.0.1, 7, 8, and 9), Thunderbird (3.1.13, and 6.0.1) and SeaMonkey (2.3.2) will be released shortly that will revoke trust in the DigiNotar root.

Rather than waiting for the update, action can be taken now by following the instructions at Deleting the DigiNotar CA certificate.

Other Browsers

As reported in the Google Online Security Blog at An update on attempted man-in-the-middle attacks, steps were taken to disable the DigiNotar certificate authority in Chrome.  This was done while the investigations continues because it is not known if other fraudulent certificates were exist that have yet to be discovered.

Google Chrome is expected to be updated soon.  Chrome 13 and newer have legitimate Google certificates, hard-coded.

No official word has been issued regarding an update for either the Safari or Opera browser.

Background Articles

Computerworld: Hackers stole Google SSL certificate, Dutch firm admits
F-Secure: Diginotar Hacked by Black.Spook and Iranian Hackers
PC World: Google One of Many Victims in SSL Certificate Hack



Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Email ThisBlogThis!Share to XShare to Facebook
Posted in Browser, Firefox, Google, Microsoft, Security, Vulnerabilities | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • How to use Hotmail Aliases
    Whether shopping online, joining an on-line tech forum, registering your account for on-line bill payment or some other service, a valid e-m...
  • Critical Out-of-Band Update Released for MS10-046
    Microsoft released Security Bulletin MS10-046 out-of-band to address a vulnerability in Windows. The security update is identified as crit...
  • Adobe Flash Player Critical Security Updates
    Adobe Flash Player was updated to address critical security vulnerabilities.  These updates address a vulnerability that could cause the ap...
  • Hotmail Security to Protect and Recover Your Account
    Time and time again I see reports from Hotmail users who have lost control of their e-mail account.  As explained by Walter Harp, Director o...
  • Long Awaited Outlook.com Calendar Refresh Rollout
    The long-awaited Outlook.com calendar refresh has been released and is in the process of being rolled out. Because the servers are grouped i...
  • Microsoft Security Advisory 2269637 Released
    Microsoft released Security Advisory 2269637 which relates to a remote attack vector to a class of vulnerabilities affecting applications t...
  • Mozilla Firefox 3.6.13 Security and Stability Update
    Mozilla Firefox 3.6.13 has been released to fix stability issues and address the following security vulnerabilities: MFSA 2010-84 XSS h...
  • Adobe Reader Security Updates
    Adobe has released security updates for Adobe Reader and Acrobat XI (11.0.03) and earlier versions for Windows and Macintosh. Adobe identif...
  • Advance Notice: Security Updates for Java SE
    The Sun Security Blog published the following update announcement: "On November 3, 2009, Sun will release the following security update...
  • Adobe Flash Player and Adobe Air Security Updates
    Adobe released updates to both Adobe Flash Player and Adobe AIR to correct a critical vulnerability in both products. From the Adobe Securi...

Categories

  • Adobe
  • Advisory
  • Amero
  • AntiVirus
  • Apple
  • Ask
  • AVG
  • Bing
  • Browser
  • Child Safety
  • email
  • ESET
  • Ethics
  • Facebook
  • Firefox
  • Firewall
  • FixIt
  • Fraud
  • General
  • Google
  • Hotmail
  • IE10
  • IE6
  • IE7
  • IE8
  • IE9
  • Java
  • Lavasoft
  • malware
  • Microsoft
  • Microsoft Apps
  • Mozilla
  • MVP
  • NCSAM
  • Office
  • Office 2007
  • Office 2010
  • Opera
  • Outlook.com
  • Phishing
  • Privacy
  • safety
  • Search
  • Security
  • Service Pack
  • SkyDrive
  • Skype
  • Software
  • SP1
  • sp2
  • SP3
  • Spotlight
  • Sumatra
  • tutorial
  • UAC
  • Updates
  • Vulnerabilities
  • Windows
  • Windows 7
  • Windows 8
  • Windows Live
  • Windows Live OneCare
  • Windows Vista
  • Windows XP
  • WinPatrol

Blog Archive

  • ►  2013 (93)
    • ►  October (2)
    • ►  September (8)
    • ►  August (9)
    • ►  July (5)
    • ►  June (8)
    • ►  May (7)
    • ►  April (15)
    • ►  March (9)
    • ►  February (16)
    • ►  January (14)
  • ►  2012 (98)
    • ►  December (7)
    • ►  November (6)
    • ►  October (11)
    • ►  September (5)
    • ►  August (10)
    • ►  July (8)
    • ►  June (12)
    • ►  May (7)
    • ►  April (12)
    • ►  March (6)
    • ►  February (6)
    • ►  January (8)
  • ▼  2011 (130)
    • ►  December (8)
    • ►  November (10)
    • ►  October (7)
    • ►  September (12)
    • ▼  August (9)
      • Mozilla Firefox 6.0.1 Update Released
      • Fraudulent *.google.com SSL Certificate
      • WinPatrol PLUS available for $9.99
      • Mozilla Firefox 6 Released, Includes Critical Secu...
      • Adobe Flash Player Critical Update
      • Microsoft Update Impacts WinPatrol Cookie Monitoring
      • Microsoft August 2011 Security Bulletin Release
      • Security Bulletin Advance Notification for August,...
      • Solve Microsoft Standalone System Sweeper Errors
    • ►  July (6)
    • ►  June (13)
    • ►  May (14)
    • ►  April (13)
    • ►  March (15)
    • ►  February (10)
    • ►  January (13)
  • ►  2010 (146)
    • ►  December (10)
    • ►  November (15)
    • ►  October (19)
    • ►  September (15)
    • ►  August (14)
    • ►  July (8)
    • ►  June (19)
    • ►  May (5)
    • ►  April (11)
    • ►  March (6)
    • ►  February (14)
    • ►  January (10)
  • ►  2009 (33)
    • ►  December (11)
    • ►  November (11)
    • ►  October (11)
Powered by Blogger.

About Me

Unknown
View my complete profile