Falsely Issued Google SSL Certificate in the wild for more than 5 weeks
Google is following Mozilla's lead by marking DigiNotar untrusted in the next release of the Chrome OS (Chromium). Reports surfaced this morning accusing the government of Iran of trying to perform a man-in-the-middle attack against Google's SSL services.
A user named alibo on the Gmail forums posted a thread about receiving a browser warning for a revoked SSL certificate when connecting to Google's SSL-based services.
The certificate in question was issued on July 10th by Dutch SSL certificate authority DigiNotar. DigiNotar revoked the certificate today at 16:59:03 GMT, but many browsers do not check for revoked certificates by default.
The certificate was valid for *.google.com and raises serious questions about who the certificate was issued to, and how it was signed. Was DigiNotar compromised? Were the perpetrators able to acquire the CA's certificate and sign their own bogus certificate? Or was DigiNotar tricked into signing the certificate for someone pretending to be Google?
The answer to that question is nearly irrelevant: whichever it was, it is simply more evidence that the current CA infrastructure we have decided to "trust" is totally untrustworthy. It doesn't matter how this happened; it has happened before and unfortunately will happen again.
I recently wrote about Moxie Marlinspike's new project Convergence, which proposes to eliminate the use of certificate authorities and replace them with a system of notaries and proxies. I am a big fan of Moxie's project, and if you are a Firefox user you may wish to give it a try.
The evidence that Iran was using this certificate to spy on its citizens is circumstantial at best. We don't know whether this was government initiated or just another random individual, as in the last Comodo certificate hack.
Either way, placing trust in more than 600 certificate authorities to be honest and not screw up is quite a leap of faith. Be sure to enable certificate revocation checks in your browsers and take a close look at alternatives like Convergence.
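To make the two pieces of advice above concrete, here is an added example (not code from the original post or from Naked Security) of the checks a client should run before accepting a certificate: hostname matching for a wildcard such as *.google.com, revocation against a CRL for the issuing CA, and an issuer pin so that a certificate for google.com from a CA that has never issued for google.com is refused even if it chains to a trusted root. All issuer names, serial numbers and dates in the sample data are constructed (only the 10 July issue date comes from the post), the "registrable domain" logic is deliberately simplified to the last two labels, and the revocation check hard-fails when no CRL is available, which is the opposite of the default many browsers ship with.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    """Only the certificate fields the policy below needs. Constructed values,
    not parsed from a real certificate."""
    issuer: str
    serial: int
    names: tuple            # subject CN plus subjectAltName DNS entries
    not_before: datetime
    not_after: datetime


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style matching. A wildcard is accepted only as the entire
    leftmost label and matches exactly one label, so '*.google.com' covers
    'mail.google.com' but not 'google.com' or 'a.b.google.com'. Partial
    wildcards such as 'f*.google.com' are conservatively rejected."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if p_labels[0] == "*":
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def evaluate(cert, host, now, crls, expected_issuers):
    """Return the reasons to reject `cert` for `host`; an empty list means accept.

    crls:             {issuer name: set of revoked serials}; a downloaded CRL in real life
    expected_issuers: {registrable domain: set of issuer names}; a local CA pin
    """
    problems = []
    if not any(hostname_matches(n, host) for n in cert.names):
        problems.append("name mismatch")
    if not cert.not_before <= now <= cert.not_after:
        problems.append("outside validity period")
    # Revocation. Hard-fail when there is no CRL for the issuer: a soft-fail
    # policy (accept when revocation data cannot be obtained) is exactly what
    # keeps a revoked certificate usable for weeks.
    revoked = crls.get(cert.issuer)
    if revoked is None:
        problems.append("revocation status unknown")
    elif cert.serial in revoked:
        problems.append("revoked")
    # Issuer pin. Simplified: the registrable domain is taken to be the last two
    # labels, which is wrong for suffixes like co.uk (use the public suffix list).
    domain = ".".join(host.lower().rstrip(".").split(".")[-2:])
    pins = expected_issuers.get(domain)
    if pins is not None and cert.issuer not in pins:
        problems.append(f"unexpected issuer {cert.issuer!r}")
    return problems


# ---- constructed sample data ----
NOW = datetime(2011, 8, 15, tzinfo=timezone.utc)
ROGUE = Cert(issuer="Sample Dutch CA", serial=0x1234, names=("*.google.com",),
             not_before=datetime(2011, 7, 10, tzinfo=timezone.utc),
             not_after=datetime(2013, 7, 9, tzinfo=timezone.utc))
GENUINE = Cert(issuer="Sample Pinned CA", serial=0x5678,
               names=("www.google.com", "*.google.com"),
               not_before=datetime(2011, 1, 1, tzinfo=timezone.utc),
               not_after=datetime(2012, 1, 1, tzinfo=timezone.utc))
CRLS = {"Sample Dutch CA": {0x1234}, "Sample Pinned CA": set()}   # rogue serial already revoked
PINS = {"google.com": {"Sample Pinned CA"}}


def check_rogue():
    """Client that checks revocation and pins issuers."""
    return evaluate(ROGUE, "mail.google.com", NOW, CRLS, PINS)


def check_genuine():
    return evaluate(GENUINE, "mail.google.com", NOW, CRLS, PINS)


def check_rogue_without_crl():
    """Client with no revocation data and no pins: only the hard-fail rule saves it."""
    return evaluate(ROGUE, "mail.google.com", NOW, {}, {})


if __name__ == "__main__":
    for label, fn in (("rogue", check_rogue), ("genuine", check_genuine),
                      ("rogue, no CRL", check_rogue_without_crl)):
        print(f"{label}: {fn() or 'accept'}")
```

The third case is the one that matters for the story above: with revocation checking disabled (the browser default the post complains about) and no issuer pin, the only thing standing between the rogue certificate and acceptance is whether the client treats "no revocation data" as a failure. A client that soft-fails would accept it outright.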
Reference: Naked Security News
Computer Forensic, Internet Investigation and IT Consultant