Phony Web Certs Issued For Google, Yahoo, Skype

Gunkerty Jeb writes "A major issuer of secure socket layer (SSL) certificates acknowledged on Wednesday that it had issued 9 fraudulent SSL certificates to seven Web domains, including those for Google.com, Yahoo.com and Skype.com following a security compromise at an affiliate firm. The attack originated from an IP address in Iran, according to a statement from Comodo Inc."
  • Well (Score:2, Insightful)

    by The MAZZTer ( 911996 ) on Wednesday March 23, 2011 @04:26PM (#35591506) Homepage
    Time for major browsers to add that issuer to the blacklist, I guess. Or the individual certs, but that's less fun.
  • CRLs? (Score:5, Insightful)

    by hawguy ( 1600213 ) on Wednesday March 23, 2011 @04:31PM (#35591576)

    The article says that browser makers rushed to put out patches to blacklist the fraudulent certs. Isn't this what certificate revocation lists [wikipedia.org] are for? Are CRLs completely broken and unused?

  • by Anonymous Coward on Wednesday March 23, 2011 @05:08PM (#35592028)

    Wow, broken clocks are right twice a day it seems.

  • by DriedClexler ( 814907 ) on Wednesday March 23, 2011 @05:18PM (#35592134)

    If I'm paying the CA to certify that public key X really is mine, and yet someone who's not me can get the same certification from the CA for being me ... what was I paying for again?

    RSA =/= rubber stamp authority

  • by dgatwood ( 11270 ) on Thursday March 24, 2011 @12:00AM (#35595166) Homepage Journal

    Are you saying that SSH is not useful? Read my post again.

    should be treated as a production cert, but with permanent memorization.

    Emphasis mine. Yes, it is vulnerable to a man-in-the-middle attack. Exactly once. After you've made one connection, you're safe to connect to that particular host forever and ever... unless and until somebody legitimately has to change keys and certs without signing the new one with the same CA cert. At that point, you're unsafe one more time (and, hopefully, suspicious about the competence of the site's admins by this point).

    And if you connect to the site, then take your computer to a different network and make the connection again and don't get screamed at (because the host key has changed), you can pretty much feel confident that you aren't getting hit by a man-in-the-middle attack unless your computer is thoroughly 0wn3d, in which case it really doesn't matter if the traffic is encrypted because your keystrokes are probably being sniffed anyway. :-)
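The memorize-and-compare policy dgatwood describes above (trust the first key seen, accept a later key change only if the remembered CA signed the new cert, alert on anything else), written out as an added Go example that is not part of this thread or of any browser. The CA, the host name `www.example.test` and the certificates are all constructed on the fly with throwaway P-256 keys; `Store`, `Check` and `mkCert` are names chosen here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Verdicts of a trust-on-first-use (TOFU) check.
const FirstUse, Match, Rotated, Mismatch = "first-use", "match", "rotated", "MISMATCH"

// entry is what the store memorizes per host: SHA-256 of the leaf's DER and the CA that signed it.
type entry struct{ fp [32]byte; issuer *x509.Certificate }

type Store map[string]entry // host name -> memorized entry

// Check applies the SSH-style policy: trust blindly on first contact (the one unverified hop),
// accept a changed key only if the memorized CA signed it, otherwise alert.
func (s Store) Check(host string, leaf, issuer *x509.Certificate) string {
	fp := sha256.Sum256(leaf.Raw)
	old, seen := s[host]
	switch {
	case !seen:
		s[host] = entry{fp, issuer}
		return FirstUse
	case old.fp == fp:
		return Match
	case leaf.CheckSignatureFrom(old.issuer) == nil:
		s[host] = entry{fp, old.issuer} // legitimate rotation under the same CA
		return Rotated
	default:
		return Mismatch
	}
}

// mkCert issues a throwaway P-256 cert for the demo; parent == nil yields a self-signed CA.
func mkCert(cn string, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true, IsCA: parent == nil}
	if parent == nil { // self-signed CA: sign the template with its own key
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
```

A cert for the same host signed by a different (constructed "rogue") CA is reported as `MISMATCH` even though it is otherwise well-formed, which is the case the thread is about.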
