| |||||||||||||
Fraudulent *.google.com certificate issuedFraudulent *.google.com certificate issuedPosted Sep 1, 2011 23:49 UTC (Thu) by nix (subscriber, #2304)In reply to: Fraudulent *.google.com certificate issued by dashesy Parent article: Fraudulent *.google.com certificate issued
I cannot believe a security audit did not notice that "Google" is not their customer! I think, the company did not profit well in SSL (Euro 100,000 in the same article), so from the business point of view it would have made sense to get some extra cache from an oil rich government to issue a fake certificate that is unlikely to be used against important people in free nations.I hope you're not in the UK, then, because that sort of unjustified accusation (with, am I right, no evidence whatsoever?) is just the sort of thing that gets you hit with a libel suit. (UK libel laws are notably extreme: just posting comments on websites can be and has been seen as equivalent to mass-scale publication.) DigiNotar were terrifyingly incompetent given their role, but I see no cause to assume any malice on their part. It's not like incompetence and insecurity are unheard of in the computing industry.
(Log in to post comments)
Fraudulent *.google.com certificate issued Posted Sep 2, 2011 17:19 UTC (Fri) by dashesy (subscriber, #74652) [Link]
Ok you are right, I do not have any evidence for my claim. I just raised the popular belief among Iranians.
I should confess it is hard to remain neutral and politically correct when my family and friends (and myself) could suffer from this incident. Any politically active person (or his/her family) could now be tortured to confess crimes, because of her/his emails read by government agents.
Fraudulent *.google.com certificate issued Posted Sep 3, 2011 11:54 UTC (Sat) by raven667 (subscriber, #5198) [Link]
It is worth pointing out that the DigiNotar compromise may likely result in a loss of life, that is not an overreaction, highlighting how the amount of trust put into CAs is probably misplaced
Fraudulent *.google.com certificate issued Posted Sep 3, 2011 19:52 UTC (Sat) by endecotp (guest, #36428) [Link]
> It is worth pointing out that the DigiNotar compromise may
> likely result in a loss of life
That would require that the supposed dissident were actually using their e.g. gmail email account to discuss incriminating matters. I consider SSL to be strong enough to protect my credit card numbers, but that's a long way from saying that I would trust my life to it. I would hope that people in that position would think very carefully about what sort of communication they would trust.
Fraudulent *.google.com certificate issued Posted Sep 6, 2011 18:09 UTC (Tue) by dashesy (subscriber, #74652) [Link]
A citizen journalist (well it means an ordinary guy with a cellphone) takes a video showing violent crackdown on street unrest. Later she sends the video to Youtube, which is linked against her Gmail account. It is not exactly discussing incriminating matters. In fact government cannot arrest people for daily jokes they make about Ahmadinejad, because they may have to put everyone behind bars then.
You are right however, one should take extra precautions. No matter what the odds or reason to be arrested for, it only takes a hard enough blow to head to be considered dead. Together with a transparent proxy, a dummy Gmail account does not waist too much bits and bytes.
Fraudulent *.google.com certificate issued Posted Sep 3, 2011 19:48 UTC (Sat) by nix (subscriber, #2304) [Link]
Ah, right. It's a reasonable popular belief: paranoia spreads like weeds under any regime like that in Iran. (Also I suspect there's some sort of paranoia field generated by Pakistan which spreads over the whole area. If you've not been there, the answer to *everything* is a conspiracy. :) )
|
|||||||||||||