The Mozilla Security Blog carries an
that DigiNotar has revoked a fake digital certificate it
issued for Google's domain. "Users on a compromised network could be
directed to sites using a fraudulent certificate and mistake them for the
legitimate sites. This could deceive them into revealing personal
information such as usernames and passwords. It may also deceive users into
downloading malware if they believe it's coming from a trusted site. We
have received reports of these certificates being used in the wild.
Updates to Firefox, Thunderbird, and SeaMonkey are being released in response.
Update: see this
EFF release for a lot more information; it does not look good.
"Certificate authorities have been caught issuing fraudulent
certificates in at least half a dozen high-profile cases in the past two
years and EFF has voiced concerns that the problem may be even more
widespread. But this is the first time that a fake certificate is known to
have been successfully used in the wild. Even worse, the certificate in
this attack was issued on July 10th 2011, almost two months ago, and may
well have been used to spy on an unknown number of Internet users in Iran
from the moment of its issuance until it was revoked earlier today."
to post comments)