Fraudulent *.google.com certificate issued
Posted Sep 1, 2011 16:40 UTC (Thu) by dashesy (guest, #74652)
Parent article: Fraudulent *.google.com certificate issued
This will not stop here unless sanctions become something meaningful targeting governments, not citizens of those countries.
DigiNotar put the lives of innocent people in danger to make profit, violating the sanctions.
Posted Sep 1, 2011 17:42 UTC (Thu) by nix (subscriber, #2304)
But as far as I know Iran is not subject to such sanctions: there are EU-wide sanctions against Iranian banking and energy sectors, and diplomatic relationships are or were frozen at one point this year, but that doesn't mean that all business relationships between Iran and EU companies are verboten. (Not that there were any in this case anyway.)
Posted Sep 1, 2011 18:13 UTC (Thu) by dashesy (guest, #74652)
I cannot believe a security audit did not notice that "Google" is not their customer! I think the company did not profit well in SSL (Euro 100,000 in the same article), so from the business point of view it would have made sense to get some extra cash from an oil-rich government to issue a fake certificate that is unlikely to be used against important people in free nations.
Posted Sep 1, 2011 23:49 UTC (Thu) by nix (subscriber, #2304)
DigiNotar were terrifyingly incompetent given their role, but I see no cause to assume any malice on their part. It's not like incompetence and insecurity are unheard of in the computing industry.
Posted Sep 2, 2011 17:19 UTC (Fri) by dashesy (guest, #74652)
Posted Sep 3, 2011 11:54 UTC (Sat) by raven667 (subscriber, #5198)
Posted Sep 3, 2011 19:52 UTC (Sat) by endecotp (guest, #36428)
That would require that the supposed dissident were actually using their e.g. gmail email account to discuss incriminating matters. I consider SSL to be strong enough to protect my credit card numbers, but that's a long way from saying that I would trust my life to it. I would hope that people in that position would think very carefully about what sort of communication they would trust.
Posted Sep 6, 2011 18:09 UTC (Tue) by dashesy (guest, #74652)
Posted Sep 3, 2011 19:48 UTC (Sat) by nix (subscriber, #2304)
Posted Sep 1, 2011 20:56 UTC (Thu) by job (guest, #670)
Fraudulent *.google.com certificate issued
> DigiNotar put the lives of innocent people in danger to make profit, violating the sanctions.
Uh, DigiNotar were penetrated by attackers. They didn't simply say 'oh yes, Iranian government, of course we'll give you a certificate for *.google.com': agents probably acting for Iran attacked them and issued a certificate themselves. If they had simply acquiesced to an Iranian government request, they'd be putting innocent people in danger (though no CA should do that sort of thing on behalf of foreign governments, ha ha); if Iran was additionally subject to sanctions by the government of the Netherlands preventing all business relationships, they'd be sanctions-busters as a result.
Fraudulent *.google.com certificate issued
Also according to the public statement here:
http://www.vasco.com/company/press_room/news_archive/2011...
"On July 19th 2011, DigiNotar detected an intrusion into its Certificate Authority (CA) infrastructure, which resulted in the fraudulent issuance of public key certificate requests for a number of domains, including Google.com."
Then it continues:
"At that time, an external security audit concluded that all fraudulently issued certificates were revoked. Recently, it was discovered that at least one fraudulent certificate had not been revoked at the time."
You are right, unfortunately some European companies are less eager to deny their profitable business with rogue governments. They even happily supply internet censorship and satellite interferer technologies to the Iranian government, without considering much about the health implications those high-energy devices have, especially on children and pregnant women.
The irony is that Iranians cannot update their Google Chrome because of sanctions! Of course it is the Internet and there are ways to get around that, especially for the technically savvy. But you see how funny it can be :)
Fraudulent *.google.com certificate issued
> I cannot believe a security audit did not notice that "Google" is not their customer! I think the company did not profit well in SSL (Euro 100,000 in the same article), so from the business point of view it would have made sense to get some extra cash from an oil-rich government to issue a fake certificate that is unlikely to be used against important people in free nations.
I hope you're not in the UK, then, because that sort of unjustified accusation (with, am I right, no evidence whatsoever?) is just the sort of thing that gets you hit with a libel suit. (UK libel laws are notably extreme: just posting comments on websites can be and has been seen as equivalent to mass-scale publication.)
Fraudulent *.google.com certificate issued
I should confess it is hard to remain neutral and politically correct when my family and friends (and myself) could suffer from this incident. Any politically active person (or his/her family) could now be tortured to confess crimes because of his/her emails being read by government agents.
Fraudulent *.google.com certificate issued
> likely result in a loss of life
Fraudulent *.google.com certificate issued
You are right, however; one should take extra precautions. No matter what the odds or reason to be arrested for, it only takes a hard enough blow to the head to be considered dead. Together with a transparent proxy, a dummy Gmail account does not waste too many bits and bytes.