Slashdot Mirror


Phony Web Certs Issued For Google, Yahoo, Skype

Gunkerty Jeb writes "A major issuer of secure socket layer (SSL) certificates acknowledged on Wednesday that it had issued 9 fraudulent SSL certificates to seven Web domains, including those for Google.com, Yahoo.com and Skype.com following a security compromise at an affiliate firm. The attack originated from an IP address in Iran, according to a statement from Comodo Inc."

5 of 151 comments

  1. Well by The+MAZZTer · Score: 1, Insightful

    Time for major browsers to add that issuer to the blacklist, I guess. Or the individual certs, but that's less fun.

  2. CRLs? by hawguy · Score: 4, Insightful

    The article says that browser makers rushed to put out patches to blacklist the fraudulent certs. Isn't this what certificate revocation lists are for? Are CRLs completely broken and unused?
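    The question above is about the mechanism a client is supposed to use instead of an emergency browser patch. The following Python model of a client-side CRL lookup is an added example, not code from the thread, from any browser or from Comodo; the issuer name, serial numbers and dates are constructed sample values, and the two fail policies are assumptions chosen to make the behaviour visible. It shows that a fresh CRL does catch a revoked serial, and that under a "soft fail" policy a client that cannot obtain a fresh CRL accepts the certificate anyway, which is the gap the blacklist patches paper over.

```python
"""Model of how a TLS client consults a Certificate Revocation List (CRL).

Added example, not code from the Slashdot thread or from any browser or CA.
Issuer names, serial numbers and timestamps are constructed sample values,
not the real certificates from the Comodo incident.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Cert:
    issuer: str    # issuer distinguished name (constructed)
    serial: int    # a CRL identifies revoked certificates by serial number
    subject: str


@dataclass
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime                 # after this the list is stale
    revoked: set[int] = field(default_factory=set)


class RevocationChecker:
    """Looks a certificate up in its issuer's CRL and applies a fail policy."""

    def __init__(self, hard_fail: bool) -> None:
        # hard_fail=False ("soft fail", assumed here as the lenient policy):
        # if no usable CRL is available the certificate is accepted anyway,
        # so revocation only works when the CRL fetch succeeds.
        self.hard_fail = hard_fail
        self._crls: dict[str, CRL] = {}

    def install_crl(self, crl: CRL) -> None:
        self._crls[crl.issuer] = crl

    def check(self, cert: Cert, now: datetime) -> str:
        crl = self._crls.get(cert.issuer)
        if crl is None or now > crl.next_update:
            # Either the CRL was never fetched or it is past nextUpdate;
            # in both cases the certificate's real status is unknown.
            return "reject:no-fresh-crl" if self.hard_fail else "accept:soft-fail"
        if cert.serial in crl.revoked:
            return "reject:revoked"
        return "accept:good"


# --- constructed sample data -------------------------------------------
ISSUER = "CN=Example Intermediate CA (constructed)"
NOW = datetime(2011, 3, 24, 12, 0, tzinfo=timezone.utc)

GOOD_CERT = Cert(ISSUER, serial=0x1001, subject="CN=shop.example")
ROGUE_CERT = Cert(ISSUER, serial=0x1002, subject="CN=login.example")  # mis-issued

# A CRL that lists the rogue serial and is valid for a week.
CRL_FRESH = CRL(ISSUER, this_update=NOW - timedelta(days=1),
                next_update=NOW + timedelta(days=6), revoked={0x1002})


def run_scenarios() -> dict[str, str]:
    """Returns the decision each policy makes in four situations."""
    results = {}
    for policy in ("soft", "hard"):
        checker = RevocationChecker(hard_fail=(policy == "hard"))
        # 1. CRL never retrieved (fetch blocked, timed out, or never tried).
        results[f"{policy}:no-crl"] = checker.check(ROGUE_CERT, NOW)
        # 2. Fresh CRL present: both policies catch the revoked serial.
        checker.install_crl(CRL_FRESH)
        results[f"{policy}:fresh"] = checker.check(ROGUE_CERT, NOW)
        results[f"{policy}:good"] = checker.check(GOOD_CERT, NOW)
        # 3. The same CRL consulted a month later, past nextUpdate.
        results[f"{policy}:stale"] = checker.check(ROGUE_CERT, NOW + timedelta(days=30))
    return results


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:12} -> {decision}")
```

    Run it and compare the `soft:no-crl` and `soft:stale` rows with the `hard:*` rows: the revoked serial is only refused in every case when a missing or stale list is itself treated as a failure, which is the trade-off between availability and revocation that the CRL design leaves to the client.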

  3. Re:Better Internet for Everybody by Anonymous Coward · Score: 2, Insightful

    Wow, broken clocks are right twice a day it seems.

  4. And the CAs do ... what again? by DriedClexler · Score: 4, Insightful

    If I'm paying the CA to certify that public key X really is mine, and yet someone who's not me can get the same certification from the CA for being me ... what was I paying for again?

    RSA =/= rubber stamp authority

    --
    Information theory is life. The rest is just the KL divergence.

    1. Re:And the CAs do ... what again? by dgatwood · Score: 3, Insightful

      Are you saying that SSH is not useful? Read my post again.

      should be treated as a production cert, but with permanent memorization.

      Emphasis mine. Yes, it is vulnerable to a man-in-the-middle attack. Exactly once. After you've made one connection, you're safe to connect to that particular host forever and ever... unless and until somebody legitimately has to change keys and certs without signing the new one with the same CA cert. At that point, you're unsafe one more time (and, hopefully, suspicious about the competence of the site's admins by this point).

      And if you connect to the site, then take your computer to a different network and make the connection again and don't get screamed at (because the host key has changed), you can pretty much feel confident that you aren't getting hit by a man-in-the-middle attack unless your computer is thoroughly 0wn3d, in which case it really doesn't matter if the traffic is encrypted because your keystrokes are probably being sniffed anyway. :-)

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.
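The SSH-style model dgatwood describes, a pin memorized on first contact and compared on every later connection, plus the cross-network corroboration from his second paragraph, as an added Python example that is not code from the thread or from OpenSSH. The "certificates" are constructed byte strings standing in for DER-encoded certificates, the host and network names are made up, and the pin store only ever sees a SHA-256 fingerprint. The point it makes visible is that a second certificate for an already-pinned host is refused regardless of who signed it, so a mis-issued but CA-valid certificate fails the pin; the first connection remains the one exposure the comment concedes.

```python
"""Trust-on-first-use (TOFU) pinning of a server certificate, SSH-style.

Added example, not code from the Slashdot thread or from OpenSSH.  The
'certificates' are constructed byte strings standing in for DER-encoded
certificates; the pin store works only with their SHA-256 fingerprints.
"""
import hashlib
from typing import Optional


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the certificate bytes: the value that gets pinned."""
    return hashlib.sha256(cert_der).hexdigest()


class PinStore:
    """Per-host memory of the first certificate seen, like ~/.ssh/known_hosts."""

    def __init__(self) -> None:
        self._pins: dict[str, str] = {}

    def connect(self, host: str, cert_der: bytes) -> str:
        fp = fingerprint(cert_der)
        pinned = self._pins.get(host)
        if pinned is None:
            # First contact: nothing to compare against, so this single
            # connection is the exposure window.  Memorize and continue.
            self._pins[host] = fp
            return "first-use:pinned"
        if pinned == fp:
            return "ok:matches-pin"
        # A different certificate for a known host.  A CA signature on it
        # is irrelevant here; refuse until someone deliberately rotates.
        return "refuse:pin-mismatch"

    def rotate(self, host: str, cert_der: bytes) -> None:
        """Explicit, out-of-band acceptance of a legitimately changed cert.

        This is the 'unsafe one more time' moment from the comment: the
        operator has to vouch for the new key since the store cannot.
        """
        self._pins[host] = fingerprint(cert_der)

    def pin_for(self, host: str) -> Optional[str]:
        return self._pins.get(host)


class MultiPathObserver:
    """Records the fingerprint seen for a host from each network path.

    Models the 'connect again from a different network' check: if
    independent paths show the same certificate, a path-local interceptor
    is far less likely to be the explanation.
    """

    def __init__(self) -> None:
        self._seen: dict[str, dict[str, str]] = {}

    def observe(self, host: str, network: str, cert_der: bytes) -> None:
        self._seen.setdefault(host, {})[network] = fingerprint(cert_der)

    def consistent(self, host: str) -> bool:
        """True only when at least two paths were used and all agree."""
        paths = self._seen.get(host, {})
        return len(paths) >= 2 and len(set(paths.values())) == 1


# --- constructed stand-ins for DER certificates -------------------------
GENUINE_CERT = b"constructed-der: CN=login.example, issued by Example CA"
ROGUE_CERT = b"constructed-der: CN=login.example, issued by compromised RA"


def run_scenario() -> list:
    store = PinStore()
    out = [store.connect("login.example", GENUINE_CERT)]    # first use: pinned
    out.append(store.connect("login.example", GENUINE_CERT))  # same cert: ok
    out.append(store.connect("login.example", ROGUE_CERT))    # different: refused

    obs = MultiPathObserver()
    obs.observe("login.example", "home-wifi", GENUINE_CERT)
    obs.observe("login.example", "office-lan", GENUINE_CERT)
    out.append(obs.consistent("login.example"))               # two paths agree
    obs.observe("login.example", "cafe-wifi", ROGUE_CERT)
    out.append(obs.consistent("login.example"))               # one path differs

    # Legitimate rotation: the operator vouches for the new certificate,
    # after which it is the one the store expects.
    store.rotate("login.example", ROGUE_CERT)
    out.append(store.connect("login.example", ROGUE_CERT))
    return out


if __name__ == "__main__":
    for step in run_scenario():
        print(step)
```

The `rotate` call at the end is deliberately a separate, named action rather than something `connect` does on a mismatch: the whole value of the model is that a changed key never silently overwrites the pin, and the one time it is overwritten is visible in the code path.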