Recent Features
| |||||||||||||
Fraudulent *.google.com certificate issuedFraudulent *.google.com certificate issuedPosted Sep 1, 2011 17:42 UTC (Thu) by nix (subscriber, #2304)In reply to: Fraudulent *.google.com certificate issued by dashesy Parent article: Fraudulent *.google.com certificate issued
DigiNotar put the lives of innocent people in danger to make profit, violating the sanctions.Uh, DigiNotar were penetrated by attackers. They didn't simply say 'oh yes, Iranian government, of course we'll give you a certificate for *.google.com': agents probably acting for Iran attacked them and issued a certificate themselves. If they had simply acquiesced to an Iranian government request, they'd be putting innocent people in danger (though no CA should do that sort of thing on behalf of foreign governments, ha ha); if Iran was additionally subject to sanctions by the government of the Netherlands preventing all business relationships, they'd be sanctions-busters as a result. But as far as I know Iran is not subject to such sanctions: there are EU-wide sanctions against Iranian banking and energy sectors, and diplomatic relationships are or were frozen at one point this year, but that doesn't mean that all business relationships between Iran and EU companies are verboten. (Not that there were any in this case anyway.)
(Log in to post comments)
Fraudulent *.google.com certificate issued Posted Sep 1, 2011 18:13 UTC (Thu) by dashesy (subscriber, #74652) [Link]
If I read the articles correctly Google has no business relation with DigiNotar what so ever.
Also according to the public statement here: http://www.vasco.com/company/press_room/news_archive/2011... "On July 19th 2011, DigiNotar detected an intrusion into its Certificate Authority (CA) infrastructure, which resulted in the fraudulent issuance of public key certificate requests for a number of domains, including Google.com. " Then it continue: "At that time, an external security audit concluded that all fraudulently issued certificates were revoked. Recently, it was discovered that at least one fraudulent certificate had not been revoked at the time."
I cannot believe a security audit did not notice that "Google" is not their customer! I think, the company did not profit well in SSL (Euro 100,000 in the same article), so from the business point of view it would have made sense to get some extra cache from an oil rich government to issue a fake certificate that is unlikely to be used against important people in free nations.
Fraudulent *.google.com certificate issued Posted Sep 1, 2011 23:49 UTC (Thu) by nix (subscriber, #2304) [Link] I cannot believe a security audit did not notice that "Google" is not their customer! I think, the company did not profit well in SSL (Euro 100,000 in the same article), so from the business point of view it would have made sense to get some extra cache from an oil rich government to issue a fake certificate that is unlikely to be used against important people in free nations.I hope you're not in the UK, then, because that sort of unjustified accusation (with, am I right, no evidence whatsoever?) is just the sort of thing that gets you hit with a libel suit. (UK libel laws are notably extreme: just posting comments on websites can be and has been seen as equivalent to mass-scale publication.) DigiNotar were terrifyingly incompetent given their role, but I see no cause to assume any malice on their part. It's not like incompetence and insecurity are unheard of in the computing industry.
Fraudulent *.google.com certificate issued Posted Sep 2, 2011 17:19 UTC (Fri) by dashesy (subscriber, #74652) [Link]
Ok you are right, I do not have any evidence for my claim. I just raised the popular belief among Iranians.
I should confess it is hard to remain neutral and politically correct when my family and friends (and myself) could suffer from this incident. Any politically active person (or his/her family) could now be tortured to confess crimes, because of her/his emails read by government agents.
Fraudulent *.google.com certificate issued Posted Sep 3, 2011 11:54 UTC (Sat) by raven667 (subscriber, #5198) [Link]
It is worth pointing out that the DigiNotar compromise may likely result in a loss of life, that is not an overreaction, highlighting how the amount of trust put into CAs is probably misplaced
Fraudulent *.google.com certificate issued Posted Sep 3, 2011 19:52 UTC (Sat) by endecotp (guest, #36428) [Link]
> It is worth pointing out that the DigiNotar compromise may
> likely result in a loss of life
That would require that the supposed dissident were actually using their e.g. gmail email account to discuss incriminating matters. I consider SSL to be strong enough to protect my credit card numbers, but that's a long way from saying that I would trust my life to it. I would hope that people in that position would think very carefully about what sort of communication they would trust.
Fraudulent *.google.com certificate issued Posted Sep 6, 2011 18:09 UTC (Tue) by dashesy (subscriber, #74652) [Link]
A citizen journalist (well it means an ordinary guy with a cellphone) takes a video showing violent crackdown on street unrest. Later she sends the video to Youtube, which is linked against her Gmail account. It is not exactly discussing incriminating matters. In fact government cannot arrest people for daily jokes they make about Ahmadinejad, because they may have to put everyone behind bars then.
You are right however, one should take extra precautions. No matter what the odds or reason to be arrested for, it only takes a hard enough blow to head to be considered dead. Together with a transparent proxy, a dummy Gmail account does not waist too much bits and bytes.
Fraudulent *.google.com certificate issued Posted Sep 3, 2011 19:48 UTC (Sat) by nix (subscriber, #2304) [Link]
Ah, right. It's a reasonable popular belief: paranoia spreads like weeds under any regime like that in Iran. (Also I suspect there's some sort of paranoia field generated by Pakistan which spreads over the whole area. If you've not been there, the answer to *everything* is a conspiracy. :) )
Fraudulent *.google.com certificate issued Posted Sep 1, 2011 20:56 UTC (Thu) by job (guest, #670) [Link]
If we are to believe the reports, DigiNotar's systems has been repeatedly breached over a course of several years without them taking action. That's bordering on criminal negligence in my opinion.
|
|||||||||||||