Fraudulent *.google.com certificate issued

Posted Sep 1, 2011 18:13 UTC (Thu) by dashesy (guest, #74652)
In reply to: Fraudulent *.google.com certificate issued by nix
Parent article: Fraudulent *.google.com certificate issued

If I read the articles correctly, Google has no business relation with DigiNotar whatsoever.
Also according to the public statement here:
http://www.vasco.com/company/press_room/news_archive/2011...
"On July 19th 2011, DigiNotar detected an intrusion into its Certificate Authority (CA) infrastructure, which resulted in the fraudulent issuance of public key certificate requests for a number of domains, including Google.com."
Then it continues:
"At that time, an external security audit concluded that all fraudulently issued certificates were revoked. Recently, it was discovered that at least one fraudulent certificate had not been revoked at the time."

I cannot believe a security audit did not notice that "Google" is not their customer! I think the company did not profit well in SSL (Euro 100,000 in the same article), so from the business point of view it would have made sense to get some extra cash from an oil-rich government to issue a fake certificate that is unlikely to be used against important people in free nations.
You are right, unfortunately some European companies are less eager to deny their profitable business with rogue governments. They even happily supply internet censorship and satellite interferer technologies to the Iranian government, without considering much about the health implications those high-energy devices have, especially on children and pregnant women.
The irony is that Iranians cannot update their Google Chrome because of sanctions! Of course it is the Internet and there are ways to get around that, especially for the technically savvy. But you see how funny it can be :)



Fraudulent *.google.com certificate issued

Posted Sep 1, 2011 23:49 UTC (Thu) by nix (subscriber, #2304) [Link] (5 responses)

> I cannot believe a security audit did not notice that "Google" is not their customer! I think the company did not profit well in SSL (Euro 100,000 in the same article), so from the business point of view it would have made sense to get some extra cash from an oil-rich government to issue a fake certificate that is unlikely to be used against important people in free nations.

I hope you're not in the UK, then, because that sort of unjustified accusation (with, am I right, no evidence whatsoever?) is just the sort of thing that gets you hit with a libel suit. (UK libel laws are notably extreme: just posting comments on websites can be and has been seen as equivalent to mass-scale publication.)

DigiNotar were terrifyingly incompetent given their role, but I see no cause to assume any malice on their part. It's not like incompetence and insecurity are unheard of in the computing industry.

Fraudulent *.google.com certificate issued

Posted Sep 2, 2011 17:19 UTC (Fri) by dashesy (guest, #74652) [Link] (4 responses)

OK, you are right, I do not have any evidence for my claim. I just raised the popular belief among Iranians.
I should confess it is hard to remain neutral and politically correct when my family and friends (and myself) could suffer from this incident. Any politically active person (or his/her family) could now be tortured to confess crimes, because of her/his emails read by government agents.

Fraudulent *.google.com certificate issued

Posted Sep 3, 2011 11:54 UTC (Sat) by raven667 (subscriber, #5198) [Link] (2 responses)

It is worth pointing out that the DigiNotar compromise may likely result in a loss of life, that is not an overreaction, highlighting how the amount of trust put into CAs is probably misplaced.

Fraudulent *.google.com certificate issued

Posted Sep 3, 2011 19:52 UTC (Sat) by endecotp (guest, #36428) [Link] (1 responses)

> It is worth pointing out that the DigiNotar compromise may
> likely result in a loss of life

That would require that the supposed dissident were actually using their e.g. gmail email account to discuss incriminating matters. I consider SSL to be strong enough to protect my credit card numbers, but that's a long way from saying that I would trust my life to it. I would hope that people in that position would think very carefully about what sort of communication they would trust.

Fraudulent *.google.com certificate issued

Posted Sep 6, 2011 18:09 UTC (Tue) by dashesy (guest, #74652) [Link]

A citizen journalist (well, it means an ordinary guy with a cellphone) takes a video showing a violent crackdown on street unrest. Later she sends the video to YouTube, which is linked against her Gmail account. It is not exactly discussing incriminating matters. In fact the government cannot arrest people for daily jokes they make about Ahmadinejad, because they may have to put everyone behind bars then.
You are right however, one should take extra precautions. No matter what the odds or reason to be arrested for, it only takes a hard enough blow to the head to be considered dead. Together with a transparent proxy, a dummy Gmail account does not waste too many bits and bytes.

Fraudulent *.google.com certificate issued

Posted Sep 3, 2011 19:48 UTC (Sat) by nix (subscriber, #2304) [Link]

Ah, right. It's a reasonable popular belief: paranoia spreads like weeds under any regime like that in Iran. (Also I suspect there's some sort of paranoia field generated by Pakistan which spreads over the whole area. If you've not been there, the answer to *everything* is a conspiracy. :) )

