DigiNotar didn't have *one* breach, though. It had *numerous*, over *years*, and they didn't spot a single one of them. One is forced to conclude that DigiNotar's systems shouldn't be on the Internet at all, and their sysadmins need serious retraining before they're allowed to administer systems with any security significance.
Posted Sep 1, 2011 20:35 UTC (Thu) by Comet (subscriber, #11646)
The only public evidence I've seen for the multiple breaches claim is screenshots showing that a CMS let people create pages with new names and those pages would be served up, accompanied by hyperbole.
Stupid, but the screenshots were also showing plain text, so there's also a slim chance that there wasn't even a cookie-stealing attack made possible by this. Just bragging rights in getting plaintext up under an available name of your choice.
Stupid CMS for some web content is a long way from breach of the signing systems. If your news source is a company which sells security services, then hyperbolic claims on their part in talking up the implications of what they found are to be expected.
I'd hope that technical decisions about trust are based on more than panicked responses by non-technical decision makers to hyperbole they take at face value because they don't understand the issues.
So I'm assuming that there's yet more to this story that hasn't come out yet.
Fraudulent *.google.com certificate issued
Posted Sep 6, 2011 19:52 UTC (Tue) by Comet (subscriber, #11646)
Okay, we now have multiple breaches evidence (but not the "over years" part):